GDPR-safe employee data collection for merch and swag
TL;DR: Under GDPR, collecting an employee's home address for a swag shipment is lawful as long as you state the purpose, collect only what you need, give the right to withdraw, and delete the data once the order ships. Get explicit consent in the form itself.
Lawful basis: consent vs. legitimate interest
For optional perks like company merch, consent is the cleanest lawful basis. The employee freely chooses to receive the gift; the form makes that choice explicit and they can decline without consequence.
Avoid relying on legitimate interest for home addresses — regulators consistently push back on it for non-essential employer-to-home shipments.
Data minimisation in practice
Ask only for what your shipping label needs: full name, street, city, postal code, country, and a phone number for the courier. Skip date of birth, national ID and emergency contacts unless your courier specifically requires them.
Retention: when to delete
Delete addresses within 30 days of the shipment being delivered, unless you need them for warranty or returns. Aggregated size data (e.g. 'we ordered 14 mediums') is not personal data and can be retained indefinitely.
Withdrawal and editing
Every recipient must have an easy way to view, edit and delete their submission. SoRoster does this with a private per-recipient link that stays valid until the roster closes.
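The three mechanics above (an allow-list at intake, a retention sweep that purges addresses after delivery while keeping only the aggregate size counts, and an immediate purge on withdrawal) as one added Python example. This is not code from the page or from SoRoster; the field names, the `Recipient` record, the token-based withdrawal and the sample roster are all assumptions constructed for illustration.

```python
"""Intake minimisation, withdrawal and retention sweep for a swag shipping roster."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Allow-list of the fields a shipping label needs (hypothetical; mirrors the guide's list).
SHIPPING_FIELDS = frozenset(
    {"full_name", "street", "city", "postal_code", "country", "phone", "size"}
)
RETENTION_DAYS = 30


def minimise(submission: dict) -> tuple:
    """Drop any field not on the allow-list at intake.

    Returns the trimmed record and the names of the rejected fields, so the
    form can be corrected instead of silently storing over-collected data.
    """
    kept = {k: v for k, v in submission.items() if k in SHIPPING_FIELDS}
    rejected = sorted(k for k in submission if k not in SHIPPING_FIELDS)
    return kept, rejected


@dataclass
class Recipient:
    token: str                            # opaque per-recipient edit/delete token (assumed)
    data: dict                            # minimised shipping fields; empty once purged
    delivered_on: Optional[date] = None   # set when the courier confirms delivery
    hold: bool = False                    # True while a return or warranty claim is open


def withdraw(recipients: list, token: str) -> bool:
    """Honour a withdrawal: erase the personal fields immediately, whatever the state."""
    for r in recipients:
        if r.token == token:
            r.data = {}
            return True
    return False


def retention_sweep(recipients: list, today: date) -> tuple:
    """Purge personal data for shipments delivered more than RETENTION_DAYS ago.

    Unshipped records (no delivery date) and records under a return/warranty
    hold are left alone. The size of each purged record is tallied first,
    because the aggregate count is not personal data and may be kept.
    """
    cutoff = today - timedelta(days=RETENTION_DAYS)
    sizes = Counter()
    purged = []
    for r in recipients:
        if not r.data or r.delivered_on is None or r.hold:
            continue
        if r.delivered_on < cutoff:
            if "size" in r.data:
                sizes[r.data["size"]] += 1
            r.data = {}
            purged.append(r.token)
    return dict(sizes), purged


def demo() -> dict:
    """Run the three steps over a constructed sample roster and return the results."""
    today = date(2024, 6, 30)
    raw = {  # constructed submission; includes one over-collected field
        "full_name": "Alex Example", "street": "1 Sample St", "city": "Sampletown",
        "postal_code": "00000", "country": "NL", "phone": "+00 000", "size": "M",
        "date_of_birth": "1990-01-01",
    }
    kept, rejected = minimise(raw)
    roster = [
        Recipient("tok-a", dict(kept), delivered_on=date(2024, 5, 1)),              # 60 days: purge
        Recipient("tok-b", dict(kept, size="L"), delivered_on=date(2024, 6, 20)),   # 10 days: keep
        Recipient("tok-c", dict(kept), delivered_on=date(2024, 4, 1), hold=True),   # hold: keep
        Recipient("tok-d", dict(kept, size="S")),                                   # not shipped
    ]
    withdrew = withdraw(roster, "tok-d")          # recipient opts out before shipping
    sizes, purged = retention_sweep(roster, today)
    return {
        "rejected_fields": rejected,
        "withdrew": withdrew,
        "purged": purged,
        "sizes": sizes,
        "still_holding_data": [r.token for r in roster if r.data],
    }


if __name__ == "__main__":
    print(demo())
```

Run the sweep on a schedule, and log only the purged tokens and the size tally, never the addresses, so the audit trail itself does not become a second copy of the personal data.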
Frequently asked
- Do I need a Data Processing Agreement (DPA) with my merch vendor?
- Yes — your vendor processes personal data (the shipping list) on your behalf. A signed DPA is required under GDPR Article 28.
- Can employees refuse?
- Always. Refusal must carry no professional consequence. Make 'I'd rather not' a visible option in the form.