Finnish SA: Administrative fine of € 856,000 for failing to define storage period of customer data

Background information

  • Date of final decision: 6 March 2024
  • National case
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default)
  • Decision: Administrative fine, Compliance order, Reprimand
  • Key words: Administrative fine, Retention time, Data retention, E-Commerce

 

Summary of the Decision

 

Origin of the case  

The Finnish Supervisory Authority (SA) investigated the activities of the online retailer Verkkokauppa.com due to a complaint filed by a customer. The controller had required the person to register themselves as a customer before making purchases online. Shopping in the online shop was not possible without creating a customer account.  


Key Findings 

The controller had not specified the storage period of the data collected for the customer accounts of its online shop. The Finnish SA found that customer account data had been stored indefinitely. According to the controller, the customers themselves determined the storage period of their data, since they could request the closure of their accounts and the erasure of their data if they wished. For this reason, the details of individual purchases have been stored for very long periods.
In addition, the controller’s practice of requiring the creation of a customer account to make online purchases violated data protection law. Creating a customer account or the storage of personal data resulting from this creation may not be a requirement for making individual purchases online.


Decision 

The Finnish SA imposed an administrative fine of 856,000 euros on the controller for failing to define a storage period for customer account data. The controller was ordered to specify an appropriate storage period for customer account data and to rectify its practice of mandatory registration. The company was also given a reprimand for practices in violation of data protection law.
