Thank You

You are now registered for our Rouse Insights Newsletter

Failing to define storage period of customer data ends up in large fines

Published on 12 Jul 2024 | 2 minute read

In a nutshell 

Online retailer fined for requiring website visitors to register themselves before purchasing. Storage period of the collected personal data was not defined. 

The background 

At the beginning of this year, the Finnish Supervisory Authority (hereinafter “the SA”) investigated data privacy related activities of a local online retailer. This followed a complaint from a customer who highlighted having to register themselves as a customer before purchasing online. Resulting in the being unable to shop at the retailer without creating a customer account.  

During the investigation, it was discovered that the online retailer (hereinafter “the Controller”) had not specified the storage period of the data which was collected for the customer account. Leaving customer accounts data being stored indefinitely. However, according to the Controller, it was up to the customers to determine the storage period of their data since they could make a request of closure of their accounts and, upon request, its deletion. This led to customer data being stored for a long period of time.  

After completion of the investigation, the SA found that as customers had to create an account at the Controller in order to be able to make online purchases, was a violation of the provisions of data protection law. Demanding customers to create accounts for them to make purchases alongside not having a defined storage period of the customer data collected, was not permitted.  

Due to the subject violations, the Controller was given an administrative fine of nearly 900,000 EUR. In addition, the Controller was forced to define an appropriate storage period and to rectify its practice of mandatory restrictions. Finally, the Controller was given a reprimand for the violation of the data protection law.  

The takeaways 

  • As a personal data controller, one must always ensure to define clear and reasonable periods for storage of data, regardless of what the data is being used for, whether it is for online purchases or other purposes. As shown above, this is not to be decided by the data subjects. This is the responsibility of the personal data controller.  
  • Furthermore, as a personal data controller one cannot require customers to, besides providing basic information about e.g. name and delivery/billing address, create a customer account in order to make purchases.  

Read more: Finnish SA: Administrative fine of € 856,000 for failing to define storage period of customer data | European Data Protection Board (europa.eu) 

Questions? 

For any questions about this case or data protection queries generally, please contact My Mattson or Frida Holmer 

30% Complete
Senior Associate
+46 (0)72 33 62 62
Associate, Legal Counsel
+46 076 0107192
Senior Associate
+46 (0)72 33 62 62
Associate, Legal Counsel
+46 076 0107192