In a nutshell
Online retailer fined for requiring website visitors to register themselves before purchasing. Storage period of the collected personal data was not defined.
The background
At the beginning of this year, the Finnish Supervisory Authority (hereinafter “the SA”) investigated the data privacy related activities of a local online retailer. This followed a complaint from a customer who highlighted having to register as a customer before purchasing online, which left them unable to shop at the retailer without creating a customer account.
During the investigation, it was discovered that the online retailer (hereinafter “the Controller”) had not specified the storage period of the data collected for the customer account, leaving customer account data stored indefinitely. However, according to the Controller, it was up to the customers to determine the storage period of their data, since they could request closure of their accounts and, upon request, the deletion of that data. This led to customer data being stored for a long period of time.
After completing the investigation, the SA found that requiring customers to create an account with the Controller in order to make online purchases was a violation of the provisions of data protection law. Requiring customers to create accounts in order to make purchases, together with not having a defined storage period for the customer data collected, was not permitted.
Due to the subject violations, the Controller was given an administrative fine of nearly 900,000 EUR. In addition, the Controller was forced to define an appropriate storage period and to rectify its practice of mandatory restrictions. Finally, the Controller was given a reprimand for the violation of the data protection law.
The takeaways
Questions?
For any questions about this case or data protection queries generally, please contact My Mattson or Frida Holmer.