Finnish SA: Administrative fine of € 856,000 for failing to define storage period of customer data

8 May 2024

Background information

  • Date of final decision: 6 March 2024
  • National case
  • Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 25 (Data protection by design and by default)
  • Decision: Administrative fine, Compliance order, Reprimand
  • Key words: Administrative fine,  Retention time, Data retention,  E-Commerce

 

Summary of the Decision

 

Origin of the case  

The Finnish Supervisory Authority (SA) investigated the activities of the online retailer Verkkokauppa.com due to a complaint filed by a customer. The controller had required the person to register themselves as a customer before making purchases online. Shopping in the online shop was not possible without creating a customer account.  


Key Findings 

The controller had not specified the storage period of the data collected for the customer accounts of its online shop. The Finnish SA found that customer accounts data had been stored indefinitely. According to the controller, the customers themselves determined the storage period of their data, since they could request the closure of their accounts and erasure of their data if they wish. For this reason, the details of individual purchases have been stored for very long periods. 
In addition, the controller’s practice of requiring the creation of a customer account to make online purchases violated data protection law. Creating a customer account or the storage of personal data resulting from this creation may not be a requirement for making individual purchases online.


Decision 

The Finnish SA imposed an administrative fine of 856,000 euros on the controller for failing to define storage period of customer account data. The controller was ordered to specify an appropriate storage period for customer account data and rectify its practice of mandatory registration. The company was also given a reprimand for practices in violation of data protection law. 

For further information: 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.