Business development · 2 July 2018

How GDPR could affect your promotional prize draws and competitions

The ASA’s CAP Code has rules that govern how prize competitions should be run
Following the introduction of the General Data Protection Regulations (GDPR) in May 2018, Grid Law founder David Walker takes a question from a reader to consider the impact of new data laws on promotional prize draws and competitions.


If I run a prize competition on my website, am I obliged by law to hold details of the people who enter for any length of time after the prize draw?

How will this impact my GDPR statement?


Thanks for your question.

The General Data Protection Regulations (GDPR) don’t give specific time limits which you must adhere to. Instead, they say that you must keep the data for no longer than is necessary for the purpose for which it is processed.

The Advertising Standards Authority’s (ASA’s) CAP Code has rules that govern how prize competitions should be run and administered. They are currently going through a consultation process to look at how their rules and guidance fit with the GDPR to ensure consistency between them.

So, we may see changes in their rules and guidance (particularly in relation to the processing of personal data) in the near future and this is something that Im keeping my eye on.

To answer your question now, you first need to ask yourself why you are collecting the personal data.

There are likely to be several reasons for this and the time limits for keeping and processing the data will vary accordingly.

The first, and most obvious reason, is that you need to administer the competition. Personal data will be collected as people enter and you will need to use that data to communicate with entrants and choose the winner.

After the winner has been chosen, you will likely need to keep all of the entrants? data for a short period of time (may be a month, depending on your terms and conditions) in case the winner doesnt claim their prize or you have to disqualify them for any reason. You will then need to use the data again to draw a new winner.

Read more about the law behind promotional prize draws and competitions:

You are obliged, under the ASA’s CAP Code to either publish or make available on request, the name and county of the winner(s) and you will usually put a 30-day time limit on this.

So, you will need to have the right to publish this information for at least 30 days after the winner has been drawn. (I imagine this is one of the provisions that will be looked at closely as part of the ASA’s consultation.)

Next, you need to ask yourself why you are running the prize competition in the first place.

For example, is it part of a sales promotion? If it is, are you intending to send marketing messages to entrants after the competition has ended?

Is running prize competitions your business? If it is, do you wish promote future competitions to entrants of this competition?

Assuming you have permission to use the data for these purposes, then in both cases you will likely want to keep personal data for longer than a month after the competition has ended. You may decide (and it’s up to you to decide what is reasonable for your business) that you will keep the data for 12 months and then review the position again.

Depending on the capabilities of your CRM system, you may decide that after 12 months, anyone who has not opened an email from you, has not entered another competition, or has not purchased a product is removed from your mailing list. However, you may decide that you still need to keep the data for other purposes (see below).



David Walker is the founder of Grid Law, a firm which first targeted the motorsport industry, advising on sponsorship deals, new contracts and building of personal brands. He has now expanded his remit to include entrepreneurs, aiding with contract law, dispute resolution and protecting and defending intellectual property rights.