On 6 March 2024, the Finnish Office of the Data Protection Ombudsman (“ODPO“) issued a decision against Verkkokauppa.com Oyj (“Verkkokauppa“), a company that sells electronics and other goods online and in stores. ODPO found that Verkkokauppa was not compliant with the GDPR because it required online customers to create accounts, and stored the personal data associated with their accounts indefinitely.
The decision highlights the often-overlooked GDPR risks in the widespread practice of requiring customer registration on e-commerce websites.
Background
The proceedings were initiated by a complaint alleging that Verkkokauppa required customers to create an account when making a purchase from the online store. During the proceedings, ODPO established that the use of the online store always necessitated the creation of a customer account, even for one-off purchases, and regardless of whether the customer wishes to register. The creation of an account involved obtaining personal information about the customer, such as name, email address, and phone number. Additionally, when a customer made purchases, Verkkokauppa would collect data about the transactions. The company retained customer data associated with the accounts until the customer requested the deletion of their data.
The legal issues covered in the decision, as defined by ODPO, were as follows:
- Is requiring registration of a customer in order to make an individual purchase in line with the storage limitation principle and the obligations of data protection by default?
- Is the storage of personal data for an indefinite period, unless the data subject requests erasure of their data, in accordance with the storage limitation principle and the obligations of data protection by default?
ODPO responded negatively to both questions.
Failure to determine a retention period violates the storage limitation principle
Verkkokauppa’s policy of erasing personal data only upon a customer’s request meant that Verkkokauppa did not determine retention periods and limit data storage to the shortest possible period, resulting in a violation of the storage limitation principle (Article 5(1)(e) of the GDPR).
According to Verkkokauppa, the retention period for personal data associated with the customer account depends on the customer. The company argued that such practice does not mean that the company has not determined a retention period or criteria for determining the retention period. The retention period is determined – it is “as long as the customer wants”.
ODPO concluded that Verkkokauppa failed to determine a retention period.
Verkkokauppa argued that continued retention of the data benefitted the customers because it enabled them to access the purchase receipts on their accounts. That supposedly helped the customers to exercise their rights concerning purchased products (e.g. warranty and holding the seller liable for defects or lack of conformity), as well as to submit receipts to the tax authorities if needed. According to Verkkokauppa, warranty and seller’s liability periods are often lengthy; similarly, the tax authorities may require the customer to submit receipts up to six years after the purchase.
ODPO refuted these arguments, by referring to Recital 39 of the GDPR which specifies that the duration for which personal data are retained must be “limited to a strict minimum”, meaning as short as possible given the purpose of processing, rather than as long as necessary. ODPO concluded that the controller failed to limit data retention to the shortest possible period needed to complete an online purchase.
Mandatory customer registration violates the storage limitation principle
ODPO found that making an individual purchase conditional on the creation of an account was contrary to the storage limitation principle, because collecting personal data through an account resulted in longer storage of data than necessary for carrying out a one-off online purchase.
Failure to implement the storage limitation principle leads to a violation of the obligations of data protection by default
Obligations of data protection by default (Article 25(2) of the GDPR) require the controller to effectively and from the outset implement data protection principles, including the principle of storage limitation. Verkkokauppa failed to do so. Although a one-off online purchase does not require creating an account, Verkkokauppa required all customers to open accounts. Such a practice led to unnecessary data retention. Because the principle of storage limitation is built into the GDPR’s requirement to implement data protection by default, Verkkokauppa’s failure to implement the storage limitation principle meant that it also violated the obligations of data protection by default.
Comment
The decision seems to be entirely predicated upon the failure of Verkkokauppa to allow the customers to choose whether they wished to create an account or preferred to effectuate a purchase without having an account. It would be interesting to see if the Finnish supervisory authority would be equally unaccommodating if customer registration were voluntary. Many customers who freely opt for creating an account would presumably prefer to have their data, including the purchasing history, kept indefinitely (“as long as the customer wants”) rather than deleted automatically after a predetermined period. The customers’ preference would be similar to the preference of users of social media to have their memories retained, rather than lost as a result of the platform’s automated deletion.
