Hyppää sisältöön

Administrative fine imposed on Verkkokauppa.com for failing to define storage period of customer data – requiring customers to register was also illegal

Publication date 18.3.2024 9.35 | Published in English on 27.3.2024 at 13.58
Press release

The Sanctions Board of the Office of the Data Protection Ombudsman has imposed an administrative fine of 856,000 euros on Verkkokauppa.com Oyj because the company had not specified the storage period of its online shop customer accounts. In addition, Verkkokauppa.com's practice of requiring the creation of a customer account for making online purchases violated data protection provisions.

The Office of the Data Protection Ombudsman investigated the activities of Verkkokauppa.com due to a complaint filed by a customer. Verkkokauppa.com had required the person to register themselves as a customer before making purchases online. Shopping in the online shop was not possible without creating a customer account.

The Data Protection Ombudsman found that Verkkokauppa.com has stored its customer account data indefinitely. According to Verkkokauppa.com, the customers themselves determine the storage period of their data, since customers can request the closure of their accounts and erasure of their data if they wish. Due to this practice, the details of individual purchases have been stored for very long times.

Customer account registration cannot be required for making purchases online

The Data Protection Ombudsman finds that Verkkokauppa.com violated the General Data Protection Regulation by making the creation of a customer account a requirement for making online purchases. Creating a customer account or the storage of personal data resulting from the practice may not be a requirement for making individual purchases online.

An administrative fine was imposed on Verkkokauppa.com, since the company had not defined any storage period for the personal data collected in its customer accounts. The storage of data cannot be justified with the fact that customers can request the erasure of their data later. Based on the investigation, Verkkokauppa.com had made a conscious decision not to specify a storage period for the data collected in customer accounts and leave the limitation of the data storage period to the customers.

The amount of the administrative fine is based on factors such as the company's turnover. The Office of the Data Protection Ombudsman has previously imposed an administrative fine on another company for failing to define a data storage period in connection with parking fines. The Supreme Administrative Court did not grant leave to appeal the matter, so the administrative fine remained in force.

The Data Protection Ombudsman ordered Verkkokauppa.com to specify an appropriate storage period for customer account information and rectify its practice of mandatory registration. The company was also given a reprimand for practices in violation of data protection provisions.

The decision is not yet final. Verkkokauppa.com has announced that it will appeal the decision in the Administrative Court.

Decisions of the Data Protection Ombudsman and the Sanctions Board (pdf, in Finnish)

Further information:

Data Protection Ombudsman Anu Talus, anu.talus(at)om.fi, tel. +358 29 566 6766

More information on the previously imposed administrative fine is available from this release issued on 9 November 2023: The Supreme Administrative Court did not grant ParkkiPate Oy leave to appeal – the Administrative Court decision concerning the Office of the Data Protection Ombudsman's decisions will remain in force​​​​​​​

Sivun alkuun