AskBiz|Help Centre
Point of Sale (POS) · 4 min read · Updated 12 May 2026 · Reviewed May 2026

GDPR and Customer Data Protection at Point of Sale

How to handle customer data collected through your POS system in compliance with UK GDPR — consent, retention, subject access requests, and staff responsibilities.


What customer data your POS collects

When a customer makes a purchase through AskBiz POS, the system records the transaction details — items, amounts, time, and payment method. If the customer opts in to receive a WhatsApp receipt, their phone number is also stored.

This is personal data under UK GDPR if it can identify an individual (a phone number always can). You are the data controller for this information — meaning you decide why and how it is processed. AskBiz is the data processor, handling the data on your behalf under the terms of the Data Processing Agreement included in your AskBiz subscription.

Consent and lawful basis

For transaction data, your lawful basis is typically legitimate interest or contractual necessity — you need to record the sale to fulfil the purchase and meet your legal obligations (tax, consumer rights). No additional consent is required for this.

For WhatsApp receipt delivery, the customer is actively providing their phone number and requesting the receipt — this constitutes consent. Make it clear to the customer that their number will be used only to send the receipt. AskBiz POS does not use customer phone numbers for marketing, and neither should you without separate, explicit consent.

Data retention and deletion

You must not keep personal data longer than necessary. Transaction records must be retained for 6 years for HMRC compliance, but customer phone numbers collected for receipts should be reviewed regularly.

AskBiz POS retains transaction data for as long as your account is active (and for HMRC compliance after closure). WhatsApp phone numbers are stored alongside the transaction they relate to. If a customer requests deletion of their phone number under their right to erasure, you can remove it from the transaction record in POS → Transactions → [transaction] → Customer Details → Remove Phone Number. The transaction itself is retained for tax purposes, but the personal identifier is stripped.

Staff responsibilities and training

Your POS staff handle customer data every day, so they need to understand the basics:

  • Never share customer phone numbers outside the POS system
  • Never photograph or copy transaction screens containing customer details
  • Report any data breach (e.g., a device left unlocked in a public area) to the account owner immediately
  • Do not look up customer transaction history without a legitimate business reason

AskBiz POS role-based access helps enforce this — cashiers can only see the current transaction, not historical customer data. Only account owners and inventory managers with elevated permissions can access full transaction histories.
