Finnish Data Protection Ombudsman imposes penalty payment on major Finnish retailer

On 6 March 2024, the Office of the Finnish Data Protection Ombudsman (“DPA”) imposed an administrative penalty payment of EUR 856.000 on Verkkokauppa.com Plc, a major Finnish retailer with a focus on e-commerce.

The penalty comes in response to the retailer’s failure to define data retention times, i.e. the time for which it would retain customer account data. Additionally, the DPA found that the company’s practice of requiring the creation of a customer account to make online purchases was in breach of data protection rules.

Data retention times must be defined

The DPA found that Verkkokauppa.com had retained customer account data for an indefinite period of time. Because of the practice, data on a single transaction may have been kept longer than necessary for reasons of e.g. accounting. 

According to the company, this was in part because customers were sold products with significant lifespans – the company argued that there may be use for the data later, for example in cases of customer complaints. The company further argued that it had defined the retention period of data to correspond with the duration of the customer relationship, and customers could themselves end their customer relationship when they wished. In addition, the company stated that it had taken steps to delete the data of inactive customers (i.e. customers who had not logged onto their account for six years). 

Nevertheless, the DPA found the practice  in breach of data protection rules. According to the DPA, the retention of data could not be justified on the grounds that customers may later request deletion of the data. The DPA concluded that Verkkokauppa.com had deliberately decided not to define a retention period for the data collected on customer accounts and had retained the data until customers had requested for the deletion of their data. The DPO noted that a mechanism to delete data of passive users does not exempt the company from the obligation to define data retention times in accordance with data protection rules.

In the past, the DPA has imposed an administrative penalty on another company for failing to define the retention period of personal data related to the processing of parking fees. In the previous case, the decision remained final after the Helsinki Administrative Court upheld the DPO’s decision and the Supreme Administrative Court did not grant leave to appeal.

Creation of a customer account cannot be a prerequisite for shopping online

In addition to the indefinite retention times, the DPA found that Verkkokauppa.com had violated the General Data Protection Regulation by making the creation of a customer account a condition for online purchases. According to the DPA, the creation of a customer account is not necessary for making individual online purchases, nor is the storage of personal data that this practice results in.

The DPA ordered Verkkokauppa.com to define an appropriate retention period for customer account data and to correct its practice of requiring mandatory registration.

The penalty, which is the largest one imposed so far in Finland under the GDPR, was set at EUR 856.000. The amount of the fine was mainly based on the company’s turnover, which was MEUR 540 for the year 2022.

The decision is not yet final. Verkkokauppa.com has stated that it will appeal the decision to the Administrative Court.