Tietosuojavaltuutetun toimisto (Finland) - 3831/161/21: Difference between revisions

From GDPRhub
No edit summary
mNo edit summary
 
Line 71: Line 71:
|Appeal_To_Link=
|Appeal_To_Link=


|Initial_Contributor=fred
|Initial_Contributor=[https://gdprhub.eu/index.php?title=User:Fred fred]
|
|
}}
}}

Latest revision as of 13:38, 12 January 2024

Tietosuojavaltuutetun toimisto - 3831/161/21
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(e) GDPR
Article 9 GDPR
Article 13(2)(a) GDPR
Article 25(1) GDPR
Article 25(2) GDPR
Article 58(2)(b) GDPR
Article 58(2)(d) GDPR
Article 83 GDPR
Type: Investigation
Outcome: Violation Found
Started: 02.04.2019
Decided: 30.05.2023
Published: 21.12.2023
Fine: n/a
Parties: Kesko Oyj
National Case Number/Name: 3831/161/21
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The Finnish DPA found a retail chain to have breached Article 5(1)(e) GDPR, Article 25(1) GDPR and Article 25(2) GDPR for its lengthy storage of purchase behaviour data in connection with its loyalty program.

English Summary

Facts

The Finnish DPA had asked the controller (Kesko Oyj, Finland's largest retail chain) to explain how it processed and stored personal data in connection with its loyalty program.

In response to the request, the controller clarified that it processed basic customer information, such as the person's name and contact information, and purchasing behaviour data. Purchasing behaviour data indicates customers' detailed and product-specific purchase data. Depending on the situation, the information related to the customer was erased at the end of the customer relationship or anonymised no later than 25 months after the end of the customer relationship.

The controller also stated that it processes purchase data for business development, the provision of benefits and services, and the implementation and targeting of marketing. The controller emphasised that unjustifiably prohibiting or restricting the collection and processing of data that benefits the customer would undermine data-driven innovations and product development.

Holding

The DPA stated that tying the storage period of purchase data to the duration of the customer relationship had resulted in the data being stored in a form that enables identification of the data subject for potentially very long periods, even decades. A storage period based on the duration of the customer relationship could therefore lead to very long storage of the purchase data, even for the lifetime of the data subject.

Moreover, according to the DPA, some of the purchase data could be used to infer detailed information about the person's life situation, lifestyle and movements. Purchase data may also indirectly reveal personal data belonging to the special categories of personal data within the meaning of Article 9 GDPR. For example, customers had the opportunity to collect loyalty points by using certain healthcare services. The risk associated with the processing of such data increases the more extensive data is collected and the longer it is stored.

Hence, the DPA considered that the controller should have defined the storage period for purchase data on a purpose-specific basis and assessed it separately from the storage period of other personal data needed to manage the customer relationship. The controller should have determined the storage period for purchase data already before engaging in any personal data processing activities since data subjects must be informed of the storage period when collecting personal data in accordance with Article 13(2)(a) GDPR.

On the basis of the information gathered, the DPA held that the controller violated Article 5(1)(e) GDPR, Article 25(1) GDPR and Article 25(2) GDPR, as the storage period of purchase data tied to the duration of the customer relationship was not necessary for the purposes for which the controller processed the personal data. Furthermore, the DPA stressed that in compliance with data protection by default, the controller should have ensured that a data subject would have the opportunity to influence the level of collection of their personal data from the beginning, for example, by choosing in the registration form the level of data collection they want.

As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(d) GDPR, the DPA also ordered the controller to define a storage period for purchase data according to the purpose of use and to erase or anonymise purchase data older than the defined storage period.

In addition to the reprimand and the order, the Sanctions Board of the DPA assessed the necessity of imposing an administrative fine pursuant to Article 83 GDPR. The Board concluded that several factors would have justified the imposition of a fine. The infringement concerned 3.49 million data subjects, and the amount of data collected for each data subject had been significant. However, the Sanctions Board considered that tying the storage period of purchase data to the duration of the customer relationship had not yet led to such long storage periods to the extent that an administrative fine should be imposed.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

The public version of the decisions of the data protection commissioner and the sanctions panel

Thing

Processing of customer purchase data

Registrar

Kesko Oyj

On April 2, 2019, the initiator of the case filed a notification with the data protection commissioner's office regarding the processing of customers' personal data by Kesko Oyj (later also "Kesko" and "data controller"). In his notification, the initiator has stated that he has inquired with the data controller about the periods and grounds for storing personal data of the Plussa.com service. According to the initiator, he had been told that the data controller stores purchase data throughout the entire customer relationship.

The decision of the Data Protection Commissioner in the case of built-in and default data protection and limitation of personal data storage period

Statement received from the registrar

The Office of the Data Protection Commissioner has requested an explanation from the data controller on June 10, 2020, and an additional explanation on March 3, 2022. The registrar has issued a written statement on the matter on July 6, 2020, and an additional statement on April 1, 2022. In addition, a consultation request has been submitted to the registry keeper on 4 December 2020 and 20 July 2022. The consultation request submitted to the data controller on December 4, 2020 has included a request for additional clarification, and the data controller has given its response to the consultation request and the additional clarification request it contains on January 29, 2021. The registrar has given an answer to the consultation request submitted on 20 July 2022 on 2 September 2022. In the virtual meeting organized on April 21, 2021, the controller has also presented in more detail its services based on detailed purchase data and their functionalities as well as their data protection practices.

First clarification request 10 June 2020

In the report given to the Data Protection Commissioner's office on July 6, 2020, the data controller states that when joining the K-Plussa loyalty system, the person's name and contact information, information about the person's finances (possible parallel card applicants), prohibitions and consents given by the person (e.g. prohibition of collecting purchase data or electronic direct marketing permission) are stored. Later during the customer relationship, the Plussa system accumulates information about the customer's purchasing behavior. According to the controller, the alternative levels of collection of purchase data are as follows:

- Option 1: The basic level is that the purchase information is registered in detail. Then the customer can make full use of his Plussa benefits and use all services.

- Option 2: The customer can deny the registration of detailed purchase information, but allow the registration of their purchases at the product group level.

- Option 3: The customer can prohibit the registration of purchases also at the product group level and only allow the registration of the total amount. In this case, the customer cannot receive e.g. special offers related to previous shopping habits. He can still take advantage of general Plussa offers and get Plussa points.

- Option 4: The customer can also prohibit the registration of their purchase data completely. In this case, the customer receives the discounts granted in the store, and, for example, Plussa points or other benefits are not granted. The data controller does not collect information necessary for the calculation of Plussa points or the allocation of personal benefits.

According to the report provided by the controller, customer-related information, such as basic information, card information, general customer-related information, given consents and prohibitions, various levels of purchase information, customer classification information and information about targeted marketing information are stored in accordance with the life cycle of the customer relationship. When the customer relationship ends, the data is deleted or anonymized after 25 months at the latest, depending on how the customer relationship ended. According to the controller, the retention period of personal data is not tied to the customer's lifetime, but to the duration of the customer relationship.

In its report, the controller states that the principles of data minimization and storage limitation in the regulation are linked to the purpose of use of the data, and the controller considers that the data is necessary in relation to the purposes stated in the agreement and the data protection statement, and therefore cannot be deleted or anonymized.

The controller says that it informs customers about the methods of ending the storage period as follows:

"We store information related to your customership, such as your basic information, card information, general information related to your customership, consents and prohibitions you have given, your purchase information at various levels, customer classification information and information about marketing information targeted at you in accordance with the life cycle of the customer relationship.

When maintaining the customer relationship according to the life cycle, we take into account the termination of the customer relationship according to the terms of the contract. The company has the right to terminate the Plussa customership without any other measures, if the Plussa customer has not registered purchases made with the Plussa card for a value of at least one thousand euros during 24 consecutive months. As a customer, you always have the right to immediately request that your customership be terminated, in which case your data will be deleted from the system within two months, according to your wishes."

According to the controller, if the customer relationship ends by fading, without the customer's termination, the purchase data will be anonymized 25 months after the last purchase data was registered.

Hearing and request for additional clarification 4 December 2020

The Data Protection Commissioner's office has sent the data controller a consultation and additional clarification request on December 4, 2020. The controller has submitted his answer to the data protection commissioner's office on 29 January 2021.

In its response to the consultation and additional clarification request, the controller has brought up the following:

Since 2012, the Plussa system has collected product-specific purchase information on new Plussa customers. After the reform in 2012, Kesko has realized its goal of offering better services, more targeted marketing and benefits by developing increasingly up-to-date and detailed services for its Plus customers. Collecting and processing product-specific purchase information is necessary to provide such services to customers. Kesko also emphasizes that the development of technology and data analytics has opened the possibility of offering increasingly detailed information and service to the customer. Thus, it is not about collecting more detailed information about the customer, but about the development of the service to become more and more detailed and relevant for the customer.

Only since 2015 has product-specific purchase information been collected for the development of services for all Plussa customers (i.e. also customers who joined the Plussa system before 2012), unless the Plussa customer has limited data collection as described below. When making changes in 2015 to the collection of data within the framework of the Plussa system for those customers who had joined as regular customers before the 2012 rule reform, Kesko has tried to implement the changes transparently and taking into account the requirements of the legislation. The beginning of the collection of product-specific purchase information was communicated to the customers of the Plussa system at the time, who became aware of the change and some also limited the collection of data by choosing a more limited category.

[--]

Unreasonably prohibiting or limiting the collection and processing of data that benefits the customer would in part undermine innovation and product development built on the basis of data.

[--]

Plussa system data is also processed in an aggregated form for the development of services. (Removed confidential information.) The product-level purchase information attached to the customer of the Plussa system can be understood, for example, at the zip code level. Information is aggregated from the individual level into larger sets of observations. Aggregation always requires numerous customers from the selected area. This ensures that no individual customer can be identified from the aggregated information.

[--]

The starting point of the General Data Protection Regulation is that the purposes and means of personal data processing are determined by the controller. As the data controller of the Plussa system, Kesko defines to what extent the processing of personal data is necessary to fulfill the purposes for which it was collected. In its data protection statement, Kesko has highlighted the purposes for which it processes purchase data.

The principle of data minimization does not mean that as little data as possible is collected, but that the collected data should be limited to what is necessary from the point of view of the purpose of the processing. Thus, the fact that extensive and detailed information is collected and processed over a long period of time does not make the processing contrary to the above-mentioned principle, if the necessity of the processing can be justified from the point of view of the purposes, as is the case in the case at hand.

[--]

The customer himself has full decision-making power, independent of Kesko's guidance, regarding the extent to which his data is collected, processed and stored. Customers have also been clearly informed about this option in the privacy statement, and customers can request a restriction at any time and switch to another option mentioned above. With the 2012 reform, the Plussa system's application for joining has explicitly emphasized the conditions related to the collection of customer data by adding a reference to section 4 of the Plussa system's conditions, which contains a description of the data collected from customers, in connection with the signature. This has been added in connection with the signature point, so that the customer connected to the Plussa system is aware of these terms and the possibility to limit the collected data.

Collecting product-specific purchase data is necessary to provide the smart services at the heart of the current Plussa system. Kesko cannot set product group- or total-total-specific registration as the default choice for new customers of the Plussa system, because then the customer would not be able to use, for example, the K-Ostokset service right away if they so desired. The introduction and functionality of the service requires sufficiently accurate purchase data for the background of the service, and without the default collection of such purchase data and the preservation of historical data, the customer would have to wait a long time after the service was introduced before enough purchase data had been accumulated to draw up summaries of the customer's purchasing habits, and the K-Ostokset service would therefore not be able to provide the customer with the added value he desires. (Removed confidential information.)

[--]

In its request for additional clarification, the Data Protection Commissioner has submitted that Kesko has violated the principle of storage limitation in connection with the Plussa system. In Kesko's view, this is not true.

Kesko processes the personal data of its active Plussa customers as described in the privacy statement of the K-Plussa customer register for the duration of the customership. In no case is data storage based on the person's lifespan, but solely on the duration of the customer relationship, i.e. what is necessary for the purpose of the processing.

Kesko has actively evaluated and will continue to regularly evaluate the necessity of the data retention period in relation to the purpose of the processing. Since 2012, Kesko has collected information on product levels from new Plussa customers, so Kesko has had information on product levels for the longest period of about eight years. More extensive product-level data, i.e. also from customers who joined the Plussa system before 2012, has been collected since 2015. Kesko considers that the information accumulated so far is necessary for the production of the services described in this exchange and to be offered in the future.

Since Kesko has not accumulated information for a longer period than the mentioned approximately eight years, it has not yet been able to assess the need for longer-term information in terms of the purpose of the processing. It is only possible to look at analysis needs as information is accumulated, and so far Kesko has considered all the information accumulated so far to be necessary to fulfill the purpose of the processing. It would not be possible to offer the current services with more limited information, and the K-Ostokset service was opened to customers as soon as product-specific purchase information had been accumulated over a period of five years, i.e. in 2020. However, the services cannot yet be offered to the extent that Kesko aims for, as the data has only been accumulated for a relatively short period of time period, mainly around five years. When more data accumulates, this enables the provision of increasingly sophisticated and up-to-date services to Plussa customers.

Kesko has naturally assessed the need for storage as extensively as possible based on current information. The retention period is tied to the duration of the customership, because based on the current information, the retention period lasting the entire customership is necessary for the full implementation of the Plussa system for customers. However, Kesko constantly evaluates the necessity and reacts accordingly if necessary. This approach has also been chosen in terms of processing transparency: Customers are informed about the long storage period so that they are already aware of this during the registration phase. If it is later deemed that a shorter storage period is sufficient, this can be communicated to customers. If this were to be implemented the other way around by always extending it year by year, it is more likely that transparency towards the customer will not be realized and the information about the update will not really be understood by all customers.

[--]

Default data protection aims to protect people from the trend of collecting as much information as possible without the collected information having any connection to the purpose of the processing. This effort has also been implemented in the above-described ways within the framework of the Plussa system: Kesko does not collect or store any information from its customers that it does not consider necessary for the stated processing purposes.

The fact that Kesko collects product-specific purchase information on a basic level is not contrary to the principle of data protection by default, as the implementation of Kesko's stated purposes would not be possible in the manner presented without the collection, processing and storage of such information.

Thus, Kesko has implemented the appropriate technical and organizational measures and ensured that, by default, only personal data necessary for the specific purpose of the processing is processed.

[--]

As Kesko has stated in its response, Kesko's processing of personal data does not significantly differ from market practice. In the field of grocery trade, Kesko's biggest competitors in Finland can be considered the S group and Lidl Suomi Ky, both of which have a loyalty program comparable to the more traditional loyalty services of the Plussa system.

Additional clarification request 3/3/2022

Additional clarification has been requested from the registrar with a request for additional clarification dated March 3, 2022.

In the additional explanation given to the data protection commissioner's office on April 1, 2022, the controller has specified that it considers the need to continue data storage annually in connection with its planning processes and, for example, whenever the data protection impact assessment regarding the Plussa system is updated.

The Office of the Data Protection Commissioner has asked the data controller to present an explanation of all purposes of use of the purchase data. According to the report received, the purposes of use of the purchase data are the provision of benefits and services related to the Plussa system and managing the customer relationship of Plussa customers with purposes closely related to traditional Plussa customership (incl. calculating Plussa points, allocating Plussa benefits to the right person, implementing the sponsorship service between the customer and the K-merchant , and sending customer-related service messages and other information), business development (such as optimizing the store's product offering and thus reducing wastage), and marketing implementation and targeting (including marketing of Plussa partners' products and services). The purposes of use also include the development of services, the formation of customer categories and profiles, and ensuring the legal protection of the controller and the customer.

According to the report, the data controller currently has product-specific purchase data for about 10 years for those people who joined the Plussa system after 1 February 2012, and more generally for a maximum of about seven years, as the collection of product-level data began in 2012 for customers who joined the Plussa system after that time , and for all Plussa customers in 2015. The data controller's aim is to develop data-oriented services that serve consumers, and the data controller has deemed it justified to keep purchasing behavior data throughout the life cycle of the customer relationship.

According to the report provided by the registrar, there were 3.49 million Plussa members in February 2022. According to the data controller, the number of identified visitors to the Plussa.fi service between 1 March 2021 and 28 February 2022 who have logged into the Plussa service and examined their purchase information has been (removed confidential information). (In the order history view of the K-Ruoka application and the K-Ruoka.fi website, the controller has identified (removed confidential information) members during the same time period, and there have been unique users in the K-Ostokset service (removed confidential information).)

According to the controller, the customer can use the K-Ostokset service to examine their own purchase history over a period of five years. In its report, the controller has specified that a maximum period of five years has been considered relevant, because the period is primarily based on the period for which comprehensive purchase history information is available to the controller. According to the controller, the purchase information displayed in the K-Ostokset service does not limit the data subject's right to receive a copy of the information about himself for the entire period of customership.

Hearing on 20 July 2022

The Data Protection Commissioner's office has sent the data controller a consultation and additional clarification request on July 20, 2022. The controller has submitted his answer to the data protection commissioner's office on September 2, 2022.

In its response to the consultation and additional clarification request, the data controller has further submitted that its procedure in the matter now being evaluated has been in accordance with the principle of limiting storage as referred to in Article 5(1)(e) of the General Data Protection Regulation. In the view of the data controller, the retention period defined and applied by it is in no way likely to cause negative effects on the rights and freedoms of the data subjects compared to a more limited retention period, but on the contrary, customers receive services based on more and more comprehensive data.

According to the data controller, the violation of Article 5(1)(e) of the General Data Protection Regulation also does not directly lead to a violation of Article 25(1) of the regulation, and in the case, according to the data controller's view, it has not been shown that the data controller has put 5(1)(e) of the General Data Protection Regulation implement the principle of Article effectively. According to the data controller, the effectiveness of the measures should be evaluated on a case-by-case basis, and the data controller considers that in his actions he has removed the data from the Plussa system to the extent that the retention of personal data was no longer necessary from the perspective of the purposes defined for the processing. The data deletion processes work automatically, and according to the data controller, there are no cases in which Plussa customers' data has not been deleted after the end of the Plussa customership as a result of the customer's inactivity or termination of the Plussa customership based on the customer's notification.

Background information

Service description

The registrar is a listed company in the trade sector, whose chain operations include approximately 1,800 shops in Finland, Sweden, Norway, Estonia, Latvia, Lithuania and Poland.

Sales

According to information received from the data controller on April 1, 2022, the data controller's turnover for 2021 is EUR 11,300,236,298.50.

Number of plus members

There are 3.49 million Plussa members. (Amount in February 2022 according to the report given by the controller to the data protection commissioner's office on April 1, 2022.)

On applicable legislation

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and the Council (General Data Protection Regulation) has been applied since May 25, 2018. As a regulation, the legislation is immediately applicable law in the member states. The general data protection regulation is specified in the national data protection act (1050/2018).

According to introductory paragraph 39 of the General Data Protection Regulation: The processing of personal data should be legal and appropriate. It should be transparent for natural persons how personal data concerning them is collected and used, and how they are accessed or processed in another way, as well as clear about the extent to which personal data is processed or is to be processed. In accordance with the principle of transparency, information and communication related to the processing of personal data must be easily accessible and understandable and must use clear and simple language. This principle applies in particular to data subjects' information about the identity of the data controller and the purposes of the processing, as well as additional information that ensures the appropriateness and transparency of the processing of the natural persons in question, as well as their right to receive confirmation and notification of the processing of their personal data. Natural persons should be informed about the risks, rules, safeguards and rights related to the processing of personal data and how they can exercise their rights regarding such processing. In particular, the specific purposes of processing personal data should be determined and announced in connection with the collection of personal data unambiguously and in accordance with the law. Personal data should be sufficient and relevant and limited to what is necessary for the purposes of their processing. This requires in particular that the storage period of personal data is as short as possible. Personal data should only be processed if the purpose of the processing cannot reasonably be fulfilled by other means. The controller should set deadlines for the deletion of personal data or the periodic review of the necessity of their storage, in order to ensure that personal data is not stored longer than necessary. All reasonable steps should be taken to ensure that inaccurate personal data is corrected or deleted. Personal data should be processed in such a way as to ensure the appropriate security and confidentiality of personal data, which, among other things, prevents unauthorized access to personal data or the equipment used to process it, as well as the unauthorized use of such data or equipment.

Article 5(1)(c) of the General Data Protection Regulation provides for the principle of data minimization. According to the article, personal data must be relevant and relevant and limited to what is necessary in relation to the purposes for which they are processed.

Article 5(1)(e) of the General Data Protection Regulation provides for the principle of limiting storage. According to the article, personal data must be stored in a form from which the data subject can be identified only for as long as is necessary to fulfill the purposes of the data processing; personal data can be stored for longer periods if the personal data is processed only for archiving purposes in the public interest or for scientific or historical research purposes or statistical purposes in accordance with Article 89, paragraph 1, provided that the appropriate technical and organizational measures required by this regulation have been implemented to protect the rights and freedoms of the data subject.

Article 25 of the General Data Protection Regulation provides for built-in and default data protection. According to paragraph 1 of the article, taking into account the latest technology and implementation costs, as well as the nature, scope, context and purposes of the processing, as well as the varying probability and seriousness of the risks to the rights and freedoms of natural persons caused by the processing, the controller must, in connection with determining the processing methods and the processing itself, effectively implement data protection principles such as data minimization appropriate technical and organizational measures, such as pseudonymization of data and the necessary protective measures, so that they can be included as part of the processing and so that the processing complies with the requirements of the General Data Protection Regulation and the rights of data subjects are protected. According to Article 25, paragraph 2 of the General Data Protection Regulation, the controller must implement appropriate technical and organizational measures to ensure that by default only personal data necessary for each specific purpose of the processing is processed. This obligation applies to the amount of personal data collected, the extent of processing, storage time and availability.

A legal issue

The Data Protection Commissioner assesses and resolves the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

The following must be assessed:

1) whether the controller's procedure for storing customer purchase data was in accordance with Article 5(1)(e), Article 25(1) and Article 25(2) of the General Data Protection Regulation

This decision does not apply to the operation of the data controller in any other respects, such as, for example, defining the basis for processing or informing data subjects.

Decision of the Data Protection Commissioner

The data controller has not defined the retention period of purchase data for each specific purpose of use stated by the data controller in accordance with Article 5(1)(e), Article 25(1) and Article 25(2) of the General Data Protection Regulation.

Note

The Data Protection Commissioner gives the data controller a notice in accordance with Article 58, paragraph 2, subsection b of the General Data Protection Regulation regarding the aforementioned processing actions that violate the provisions of the General Data Protection Regulation.

Regulation

The Data Protection Commissioner gives the data controller an order in accordance with Article 58, paragraph 2, subparagraph d of the General Data Protection Regulation to bring the processing activities into compliance with the provisions of the General Data Protection Regulation:

1. The data controller must define a retention period for customer purchase data that meets the requirements of data protection regulation by purpose of use. This is possible, for example, by defining the storage period for each purpose of use in years starting from the collection of purchase information.

2. The controller is also ordered to delete or anonymize purchase data older than the retention period specified by it that meets the requirements of the General Data Protection Regulation without undue delay.

Pursuant to § 25 subsection 3 of the Data Protection Act (1050/2018), the Data Protection Commissioner orders the data controller to comply with the order regarding the definition of the storage period and the deletion of purchase data, despite the appeal.

The data protection commissioner leaves the appropriate measures to the discretion of the data controller, but orders it to submit a report on the measures taken to the data protection commissioner's office by August 31, 2023.

Administrative penalty fee

According to Section 24 of the Data Protection Act, the administrative sanction fee stipulated in Article 83 of the General Data Protection Regulation is determined by the sanctioning board formed by the data protection commissioner and deputy data protection commissioners.

The data protection commissioner submits the matter to the sanctioning board for decision regarding the penalty payment consideration. The Sanctions Board must therefore assess whether an administrative penalty payment in accordance with Article 58(2)(i) of the General Data Protection Regulation must be imposed on the controller in addition to the notice and orders given by the Data Protection Commissioner.

Reasons for the decision

Keeping the customer's personal data

The General Data Protection Regulation requires that personal data be stored in a form from which the data subject can be identified, only for as long as is necessary to fulfill the purposes of the data processing (Article 5(1)(e) and Article 25(2) of the General Data Protection Regulation). The storage period for personal data must always be as short as possible (see, for example, introductory paragraph 39 of the General Data Protection Regulation. In this regard, see also, for example, the statement of the European Data Protection Board: Instructions for virtual assistants controlled by voice commands 02/2021, Version 2.0, section 100. According to the instructions, for example to comply with legal obligations the amount of data to be stored should be as small as possible and they should be stored for as little time as possible) and data subjects must be informed of the storage period when collecting personal data (see Article 13(2)(a) of the General Data Protection Regulation), i.e. the controller must already define the storage period of personal data before taking steps to process personal data .

The controller has presented in his report to the data protection commissioner's office that it has not yet accumulated, for example, purchase data from a period longer than 2012, and therefore it has not yet been able to assess the need for longer-term data in terms of the purpose of the processing. However, the assessment cannot be left to the time after the collection of personal data has started, but as stated above, the data subject should be informed about the storage period already when the personal data is collected, for example.

The General Data Protection Regulation does not require the retention period to be specified with an explicit time limit in all situations. In some situations, the retention period can be limited by defining the criteria on the basis of which the retention period is determined, such as tying the retention period of personal data to the duration of the customer relationship. For example, the retention of personal data required for the management of loyal customers, such as the registered name and member number data, for the duration of active loyal customers can be considered possible in itself. However, with the reasons presented in more detail below, it does not follow from this that the said retention period could be considered in accordance with the General Data Protection Regulation for all of the customer's personal data.

Retention of purchase information

Although the provisions of the General Data Protection Regulation do not directly result in an obligation tied to a period of time to define the retention period, it is nevertheless clear that the decades-long retention period tied to the customer relationship is not, for all personal data, as required by the retention period of Articles 5(1)(e) and 25(2) of the General Data Protection Regulation necessary. (The legal interpretation must also take into account the goal of data protection regulation to ensure a high level of protection of personal data. According to the established jurisprudence of the Court of Justice of the European Union, in order to interpret a provision of Union law, in addition to its wording, its context and the goals pursued by the legislation of which it is a part must be taken into account, and especially the history of the creation of this legislation (see e.g. case C-414/16, paragraph 44 of the decision). When a provision of Union law can be interpreted in several ways, priority must be given to the interpretation that can ensure the effective effect of the provision (see e.g. case C-31/17, paragraph 41 of the decision, and case C-154/21, point 29 of the judgment).)

Article 25(2) of the General Data Protection Regulation requires that the data controller ensures that it only processes information that is necessary for each processing purpose. The provision explicitly emphasizes the retention period of information regarding the claim. Although, as stated above, the retention of customer data may in some respects be justified to bind to the duration of the customer relationship, Article 25(2) of the General Data Protection Regulation, together with Article 5(1)(e) regarding the limitation of storage, imposes a clear obligation on the controller to make sure that personal data is stored in terms of its processing purpose only the necessary time. Article 25(1) of the General Data Protection Regulation, on the other hand, requires the data controller to effectively implement measures to implement data protection principles, such as storage limitation.

For the reasons explained above, the retention period for purchase data must be evaluated separately from the retention period for other personal data needed to manage the customer relationship. In the case being evaluated now, there is no situation at hand where the data controller would not have been able to define the retention period of purchase data more precisely, for example in years, as a retention period. The controller should have defined such a storage period for each purpose of use.

The controller has bound the storage period of purchase data to the duration of the customer relationship, which has led to the fact that they are stored in a form from which the data subject can be identified for potentially very long periods, even decades. The purchase data may have been deleted when the customer terminated their loyalty or when the customer relationship waned, so that no purchases made with the Plussa card worth at least one thousand euros have been registered for the customer during 24 consecutive months. A retention period based on the duration of the customer relationship can thus lead to a very long, even long-term storage of purchase data for the registered adult's life.

When assessing the importance of the storage period for purchase data in the regulatory framework for data protection, the Data Protection Commissioner pays special attention to the amount and nature of personal data collected and the risks associated with their processing. To some extent, it is possible to infer from the purchase information, for example, detailed information about the person's life situation, lifestyle and movement. (Purchase data may also indirectly reveal personal data belonging to special personal data groups (Article 9 of the General Data Protection Regulation). In the case of the controller, it is also possible, for example, to accumulate Plussa points in certain healthcare services (the controller's press release on April 27, 2017: K-Plussa and Plusterveys dental services to cooperate). (Removed confidential information)) The risk associated with the processing of such data increases the more extensive data is collected and the longer it is stored. The extensive collection of data and their long-term storage increase the risk, for example, in the event of a data leak, where the effects on data subjects are typically more serious the larger the amount of data of the data subject and the more varied this data is. In this context, it must also be taken into account that the longer the retention period of personal data becomes, the larger the amount of data to be stored also becomes, and the more extensive conclusions about the data subject's private life it is possible to make on the basis of this data.

The controller must use technical and organizational measures adopted in advance to reduce the harm caused to data subjects in the event of a possible information security breach, for example by defining the shortest possible retention period for personal data in relation to their intended use in accordance with Article 5(1)(e) and Article 25(2) of the General Data Protection Regulation (to Article 24 of the General Data Protection Regulation the recorded risk-based approach is the general starting point for all personal data processing). Although Article 5 of the General Data Protection Regulation provides for the principles regarding the processing of personal data, Paragraph 1(e) of said Article is also a precise and clear legal rule that is easy to understand and apply. At the end of the storage period, the data is deleted or, if necessary, can also be anonymized, after which it is possible to continue using it, for example, at the level of statistical data. (See also e.g. Statement 4/2019 of the European Data Protection Board, according to which the data controller should not keep personal data longer than necessary (European Data Protection Board instruction: EDPB Instructions 4/2019 on built-in and default data protection according to Article 25, Version 2.0, point 42).)

Although the customer in this case has had the opportunity to request the deletion of his data, this does not affect the controller's obligation to define the necessary storage period for the purchase data according to the purpose of use. The above-mentioned obligations of the General Data Protection Regulation cannot be met either with the annual reassessment of the storage period alone. In practice, this would mostly mean an annual assessment of the obligation following the regulation without the measures required by the obligation.

Retention of purchase data in accordance with Articles 5(1)(e) and 25(2) for the fulfillment of the purpose of data processing

Articles 5(1)(e) and 25(2) of the General Data Protection Regulation require that the controller keeps personal data in a form from which the data subject can be identified, only as long as it is necessary for the processing of the data. Accordingly, the said obligations following from the General Data Protection Regulation include taking into account the purpose-relatedness principle according to the General Data Protection Regulation in all processing of personal data. The controller has stated that it has not yet been able to assess the need for longer-term data in terms of the purpose of the processing and that it is only possible to review the data processing needs later. The controller has also stated in its report that it has informed the registrants about the long storage period, which may later be limited as necessary. The Data Protection Commissioner states that the purpose of use of personal data must be clearly defined in advance. When collecting data, it must be clear to the data subject for which clearly defined purpose the data will be used and for how long. The legitimate expectations of the registered are a significant factor when evaluating the legality of personal data processing.

The Data Protection Commissioner considers that the operating model in which personal data is collected and stored for purposes not yet defined does not comply with Articles 5(1)(e) and 25(2) of the Data Protection Regulation. Pursuant to the Data Protection Regulation, the retention period is determined according to what was the retention period necessary for the specific purpose of the processing before personal data was collected. The purpose of use must be defined explicitly, i.e. in such detail that it can be used to objectively assess how long it is actually necessary to store personal data. If it is necessary to later specify or change the purpose of processing, the controller must assess the area of permitted processing in accordance with Article 6, Section 4 of the Data Protection Regulation.

For example, in its decision in case C-175/20, the EU Court stated that the purposes of personal data processing "must be specified at the latest in connection with the collection of personal data" (section 64 of the decision. See also introductory paragraph 39 of the General Data Protection Regulation: "In particular, the specific purposes of personal data processing should be determined and inform in connection with the collection of personal data unambiguously and in accordance with the law". , first paragraph), and "the purposes of the processing must be explicit, which means that they must be clearly stated" (Section 65 of the Decision. See also, for example, the European Data Protection Board's instruction: EDPB Instructions 4/2019 on built-in and default data protection according to Article 25, Version 2.0, paragraph 72 ("Specificity - the purposes must be identified and must be explicitly explained why the personal data is processed").)

The Office of the Data Protection Commissioner has asked the data controller to find out all the purposes of use of the purchase data in the matter that is now being evaluated. According to the explanation provided by the controller, purchase data is processed for business development purposes (such as optimizing the store's product offering and thus reducing losses), for the purposes of providing benefits and services related to the Plussa system (such as managing the customer relationship of Plussa customers, including calculating and allocating Plussa points, and between the customer and the K-merchant the implementation of the sponsoring service between) and for marketing implementation and targeting purposes (including the marketing of Plussa partners' products and services). The purposes of use also include the development of services, the formation of customer categories and profiles, and ensuring the legal protection of the controller and the customer.

Based on the report obtained in the case, the Data Protection Commissioner states that the retention of purchase data throughout the customer relationship as personal data in a form where the person can be identified cannot be considered necessary or even necessary for the implementation of the data processing purposes presented by the data controller. No purpose of use of the purchase data presented by the controller creates a right to, for example, a storage period as long as the customer's adulthood.

In this case, in order to fulfill the obligations arising from Articles 5(1)(e), 25(1) and 25(2) of the General Data Protection Regulation, a retention period that meets the requirements of the data protection regulation would have to be defined for the personal data, at the end of which the controller deletes or anonymizes the personal data. The Data Protection Commissioner considers that, for example, measures to reduce losses do not require that the data controller has information about which individual person has purchased a certain product, or that the data controller also has such information for a considerable period of time.

The controller must also always make an appropriate assessment of when the purposes of use of the collected data can be implemented without personal data, i.e. using anonymized data such as statistical data.

In his reports, the controller has emphasized the need to store purchase data also for reasons based on the interests of the data subjects. For this reason, attention must also be paid to the fact that registered users have been able to see their purchase data for a maximum of five years in the Plussa service. This can easily give the data subject the impression that the data will not be stored longer than this. In addition, the practice suggests that the goal of keeping purchase data longer than this is to meet the needs of the controller. According to the report given by the registrar, during the year preceding the report (confidential information removed), the Plussa customers had logged into the Plussa service and examined their purchase information at least once. (According to the report obtained in the matter, there were 3.49 million Plussa customers in February 2022. According to the controller, the number of identified visitors to the Plussa.fi service in the period 1 March 2021 – 28 February 2022 who have logged into the Plussa service and examined their purchase information at least once is was (removed information to be kept secret) (other than a possible login upon joining). The Data Protection Commissioner states that it cannot be considered that the only incentive for Plussa customers or their main reason for becoming a regular customer is to track and utilize their own purchase information in the online service. A relatively small position -the number of people logged into the customer account supports this conclusion.

In his report, the registrar has also highlighted the retention of personal data based on compliance with the obligations under the Accounting Act. In this respect, the controller has considered that it is about the data stored at the total amount level of the purchase data, and thus this statutory obligation does not require the storage of more detailed data.

Regarding the procedure related to the definition of the default collection level of personal data, the Data Protection Commissioner provides guidance to the controller (see the next section of this decision).

Supervision of the data protection officer

In its Plussa service, the data controller has chosen the customers' detailed purchase data as the starting level of data collection, and the data controller has started to collect detailed purchase data from the customers after they become a Plussa customer. The controller has offered the data subjects a so-called opt-out option, instead of adopting an approach implementing default data protection (Article 25(2) of the General Data Protection Regulation), where the data subject could himself influence the level of data collection from the beginning. (See also, in this regard, e.g. the statement of the European Data Protection Board: EDPB Guidelines 4/2019 on built-in and default data protection pursuant to Article 25 Version 2.0, issued on October 20, 2020, point 42. In the example presented in point 70 of the statement, it is pointed out that "The default processing options may not be invasive, and the choice regarding other types of processing must be presented in such a way that the data subject is not pressured to give consent".) Reducing the collection of data on purchase data has required the data subject to take measures, and based on the explanation obtained in the case, the data subject has also not been able to make choices that determine the level of data collection as one of the measures included in the process of becoming a loyal customer , but the controller has automatically collected detailed purchase information.

Since the data controller has stated in its report that it has informed the data subjects that it will start collecting detailed purchase data, it should be noted that the data controller cannot meet the requirements regarding default data protection and data minimization (5(1)(c) and 25(2) of the General Data Protection Regulation articles) by informing about extensive data collection. Informing registered users exclusively about the processing of purchase data also does not lead to the fulfillment of the processing requirements for default data protection. Privacy by default requires that the default settings respect an individual's privacy. The default data protection primarily protects, for example, those registrants who do not have digital skills or the patience to make changes to the settings in order to better protect their own personal data. The controller is responsible for implementing default data protection, and the controller cannot transfer this responsibility to the data subject.

The Data Protection Commissioner instructs the data controller to properly take into account the default data protection requirement when collecting purchase data and to ensure that the data subject has the opportunity to influence the level of collection of their own personal data from the beginning. In practice, this would have been easily implemented, for example, by asking the registrant to become a regular customer on the registration form to select the level of data collection he wants by filling in a check mark in the box. The beginning of data collection as broad as possible and the possibility of reducing data collection, for example, in an online service, is not in accordance with the requirements of default data protection as a procedure. In this context, the data protection officer directs the data controller to ensure timely and sufficient information to the data subject.

You cannot apply for a change to this guidance of the data protection officer by appealing.

The decision was made by the data protection commissioner Anu Talus.

According to Section 24 of the Data Protection Act, the administrative penalty fee is determined by the penalty panel formed by the data protection commissioner and deputy data protection commissioners, which has issued the following decision on imposing the penalty fee.

Decision of the Sanctions Board on the administrative penalty payment

Registrar

Kesko Oyj (Y-ID 0109862-8)

Decision of the Sanctions Board

The disciplinary panel decides with the criteria presented below that the notice in accordance with Article 58(2)(b) of the General Data Protection Regulation and the order in accordance with subsection (d) given by the Data Protection Commissioner are sufficient in the matter now being evaluated.

Reasons for not imposing an administrative penalty

In the case at hand now, the data protection commissioner has ordered, in accordance with Article 58(2)(d) of the General Data Protection Regulation, the data controller to bring its practices regarding the storage of personal data into compliance with the provisions of the General Data Protection Regulation, and has given the data controller a notice in accordance with Article 58(2)(b).

The order given by the Data Protection Commissioner to the data controller pursuant to Section 25.3 of the Data Protection Act (1050/2018) requires that the data controller must comply with the order regardless of the appeal.

The Sanctions Board states that several factors would have supported the imposition of a penalty fee in accordance with Article 83 of the General Data Protection Regulation. The violation found in the data protection commissioner's decision concerns a large number of data subjects, and the amount of data collected for each data subject has been considerable. The controller has planned the storage period of purchase data to the duration of the customer relationship, which can lead to the storage of purchase data lasting up to several decades. This has been the controller's established operating method. The controller has also not taken the necessary measures to correct its procedure, even after contacting the data protection officer.

However, the sanctions panel considers that tying the retention period of purchase data to the duration of the customer relationship in this case has not yet led to such long retention periods in terms of the legal protection of data subjects that a penalty fee should be imposed on the data controller in addition to the notice and order given by the data protection commissioner. In its assessment, the Sanctions Board has paid particular attention to the fact that, based on what was brought up in the data protection commissioner's decision, the storage period for purchase data has not yet become disproportionately long compared to the stated purposes of use. Also taking into account that the General Data Protection Regulation has been applied since May 25, 2018, the actual storage period does not differ from other players in the industry at the moment.

The Sanctions Board emphasizes the importance of the controller promptly taking measures in accordance with the data protection commissioner's order. Insofar as the matter would later be reassessed by the sanctioning board, not imposing a penalty fee could not be considered possible on the same grounds.

Taking the above into account, the sanctioning board notes in particular that the sanctions, incl. corrective measures, after assessing the proportionality, that no administrative fine is imposed in the case. In this assessment, the sanctions panel has explicitly paid attention to the order issued by the data protection commissioner, which must be followed in accordance with Section 25.3 of the Data Protection Act, regardless of the appeal. The sanctions panel emphasizes that it has paid special attention to this in its proportionality assessment. When the data controller takes immediate corrective measures in accordance with the order of the data protection officer, the legal protection of the data subject is realized effectively enough. The Sanctions Board considers that the proportionality of the sanction cannot be assessed in the same way, if measures are not taken without undue delay.

The decision regarding the administrative sanction payment has been made by the members of the sanctioning board of the Data Protection Commissioner.

Applicable legal provisions

Those mentioned in the justifications.

Service

Decisions are notified in accordance with Section 60 of the Administrative Act (434/2003) by mail against receipt.

The decision has become legally binding on 19 December 2023.