€856,000 GDPR fine
One of Finland’s largest online retailers, Verkkokauppa.com, was recently fined a not inconsiderable €856,000 by the national supervisory authority.
How it came about: a customer of the Finnish retailer complained to the authority that he was forced to create a user account in order to shop on the site.
The Finnish supervisory authority launched an investigation and found that the customer’s complaint was well-founded. It also found that the retailer was storing personal data for an excessive amount of time: it had deliberately not set a storage period, considering one unnecessary as long as users could delete their account, and thus the personal data associated with it, at any time.
This practice was found to be contrary to the principles of the GDPR and was sanctioned with a substantial fine (€856,000), the amount of which was based, among other factors, on the operator’s turnover. Although the decision can be appealed before the Finnish national courts, the authority’s communication from which we have taken this information mentions that in a similar case (an operator had been penalized for not having determined how long data processed in connection with parking fines would be stored) the supreme court did not allow an appeal against the decision, so the fine imposed remained valid.
You may wonder why this decision is relevant for operators in Romania. There are at least three reasons why we have singled this one out.
First, because this practice is pervasive in the Romanian online retail market. In the documents available on the websites of some of the largest online retailers, we found the exact practice sanctioned by the Finnish authority explicitly reproduced: example 1: „Orders can only be launched after the Customer creates a User account and correctly provides all the requested data.” And example 2: „After finalizing your shopping cart, in order to be able to place your order, you are required to log in using your account […] or create an account here.”
Secondly, because the seriousness with which the Finnish supervisory authority has treated a practice that is extremely widespread in the online merchant environment leads us to think about the importance and especially the value of personal data collected through tools such as user accounts.
Like any other personal data, the data contained in user accounts must be processed in accordance with the principles laid down by the GDPR. Relevant in the present case is the principle of purpose limitation of the processing of personal data, as laid down in Art. 5 para. 1 lit. b – „Personal data shall be: (…) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (…)”. Therefore, if the purpose of processing the data collected when placing a single order is to purchase the products in that single order, the processing of the personal data collected must be limited to that single purpose which ceases once the order is finalized, at the latest once delivery is completed. On the other hand, data collected through the creation of a user account are also processed for purposes other than the one mentioned above, which go beyond the initial purpose of placing a one-off order – examples of purposes of processing of personal data collected following the creation of a user account: tracking order history, launching repetitive orders, tracking the behavior of the consumer over a given period, etc.
Therefore, if the user’s purpose is to place a single order, storing that user’s personal data for an indefinite period (except for personal data whose retention is mandatory under tax law) exceeds this purpose and violates the principle of purpose limitation, as provided for in Art. 5 para. 1 lit. b of the Regulation.
Third, because the GDPR is applicable in all Member States of the European Union, and the supervisory authorities of all these states, drawing on their national practice, develop within the European regulatory and supervisory body, the EDPB (European Data Protection Board), guidelines and recommendations that subsequently serve as tools for the interpretation and application of the Regulation anywhere in the EU.
In conclusion, the decision of the Finnish authorities is a „kind reminder” for all data controllers – online shops – to review, in the light of GDPR principles, both their personal data storage policy and the steps that their customers are obliged to go through in the process of placing an order, which should not include the obligation to create a user account.