ARTICLE
16 July 2024

Failing To Define Storage Period Of Customer Data Ends Up In Large Fines

Rouse

Contributor

Rouse is an IP services business focused on emerging markets. We operate as a closely integrated network to provide the full range of intellectual property services, from patent and trade mark protection and management to commercialisation, global enforcement and anti-counterfeiting.
In Finland, an online retailer was fined €856,000 for violating data protection laws. They required customers to register accounts to make purchases and failed to define a storage period for collected personal data, resulting in indefinite retention. The lesson: Controllers must define clear data storage periods independently, not leaving it to customers, and cannot mandate account creation for purchases.

In a nutshell

Online retailer fined for requiring website visitors to register themselves before purchasing. Storage period of the collected personal data was not defined.

The background

At the beginning of this year, the Finnish Supervisory Authority (hereinafter "the SA") investigated the data privacy practices of a local online retailer. The investigation followed a complaint from a customer who pointed out that they had to register as a customer before purchasing online; as a result, it was not possible to shop at the retailer without creating a customer account.

During the investigation, it was discovered that the online retailer (hereinafter "the Controller") had not specified a storage period for the data collected for customer accounts, so customer account data was stored indefinitely. According to the Controller, however, it was up to the customers to determine the storage period of their data, since they could request closure of their accounts and, on request, deletion of their data. In practice, this led to customer data being stored for a long period of time.

After completion of the investigation, the SA found that requiring customers to create an account with the Controller in order to make online purchases was a violation of the provisions of data protection law. Requiring customers to create accounts in order to make purchases, combined with the absence of a defined storage period for the collected customer data, was not permitted.

For these violations, the Controller was given an administrative fine of nearly 900,000 EUR. In addition, the Controller was ordered to define an appropriate storage period and to rectify its practice of mandatory account registration. Finally, the Controller was given a reprimand for the violation of data protection law.

The takeaways

  • As a personal data controller, one must always define clear and reasonable storage periods for personal data, regardless of the purpose for which the data is used, whether for online purchases or otherwise. As shown above, this is not a decision to be left to the data subjects; it is the responsibility of the personal data controller.
  • Furthermore, as a personal data controller, one cannot require customers to create a customer account in order to make purchases, beyond providing the basic information needed for the purchase, e.g. name and delivery/billing address.

Read more: Finnish SA: Administrative fine of € 856,000 for failing to define storage period of customer data | European Data Protection Board (europa.eu)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
