Tietosuojavaltuutetun toimisto (Finland) - TSV/26/2020

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 5(1)(e) GDPR
Article 25(2) GDPR
Article 58(2)(b) GDPR
Article 58(2)(d) GDPR
Article 83 GDPR
Consumer Protection Act
Type: Investigation
Outcome: Violation Found
Started: 10.12.2020
Decided: 06.03.2024
Published: 18.03.2024
Fine: 856000 EUR
Parties: Verkkokauppa.com Oyj
National Case Number/Name: TSV/26/2020
European Case Law Identifier: n/a
Appeal: Pending appeal
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: fred

The DPA fined an IT retailer €856,000 for failing to determine the storage period of its customer data. The DPA also considered that the processing of personal data related to a single online purchase does not require the creation of a customer account.

English Summary

Facts

The Finnish DPA was notified that the controller (Verkkokauppa.com Oyj, an IT retailer) required customers to create a customer account in order to make online purchases, even for one-time purchases. The DPA then asked the controller to explain why it required the creation of a customer account, for what purposes and for how long it stored the personal data of its customers.

Regarding the purpose of the creation of a customer account, the controller clarified that the processing of customers' personal data was necessary for the provision of services and for the performance of the contract with the customer. The controller argued that it was able to reliably identify the data subject, demonstrate its accountability and facilitate the exercise of data subject rights through the customer account.

The controller explained that it sells long-lasting devices that may have very long warranty and defect liability periods. Therefore, it was in the customers' interest to have access to information and receipts regarding their online purchases through the customer account throughout the customer relationship.

The controller emphasised that if it allowed its customers to make online purchases without a customer account, it would have to process and store the personal data required for the placing and delivery of the order on an order-by-order basis, which would not be appropriate from a data security perspective and would not be in line with the principle of data minimisation.

Regarding the data retention periods, the controller stated that the contractual relationship was for an indefinite period, the duration of which was determined by the customer. Thus, the controller stored personal data until the customer account was deleted at the request of the data subject. The controller claimed that it was not in a position to assess on behalf of the customer how long the customer relationship should last.

Holding

On the basis of the information provided by the controller, the DPA considered that the processing of personal data related to a single online purchase did not require the creation of a customer account, as it resulted in personal data being stored for longer than necessary. Therefore, the processing of personal data for the creation and maintenance of a customer account could not be considered necessary for the performance of an online purchase contract.

The DPA noted that the provisions on warranty and liability for defects are defined in the Finnish Consumer Protection Act, according to which there is a defect in the product for which the seller is responsible if the product lasts for a shorter period of time than reasonably expected. Thus, the duration of liability for defects is determined on a case-by-case basis based on the expected lifespan of the product.

The DPA stated that the consumer's right to seek remedies for the lack of conformity does not depend on whether the consumer has provided their personal data to the seller. Accordingly, the seller's obligation to remedy the lack of conformity is not affected by whether the seller has access to the consumer's personal data.

The DPA found that the controller had intentionally left the storage period of the personal data it processed for customer accounts completely undetermined, leaving the limitation of the storage period to the responsibility of the customer. As a result, the erasure of the personal data had to be requested by the data subject in accordance with Article 17 GDPR. The DPA emphasised that the controller may not transfer the responsibility for the protection of personal data to the data subject. The storage of personal data cannot be justified by the fact that the data subject may later exercise their rights, such as requesting the erasure of their data.

On the basis of the information gathered, the DPA held that the controller had violated Article 5(1)(e) GDPR and Article 25(2) GDPR. As a result, the DPA issued a reprimand to the controller in accordance with Article 58(2)(b) GDPR. Pursuant to Article 58(2)(d) GDPR, the DPA also ordered the controller to define a reasonable storage period for its customer data and to stop requiring its customers to create a customer account in order to make online purchases.

In addition to the reprimand and the order, the Sanctions Board of the DPA imposed an administrative fine of €856,000 on the controller under Article 83 GDPR, for failing to determine the storage period for its customer data. The Board considered that the controller's practice was intentional, long-lasting and affected a large number of data subjects.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

6 March 2024

TSV/26/2020

Decisions of the Data Protection Commissioner and Sanctions Board

Matter

Requiring registration as a customer and storing personal data when making a single purchase from the online store

Controller

Verkkokauppa.com Oyj

1. The matter concerns Verkkokauppa.com Oyj's practice of requiring the creation of a customer account when making online purchases with a bank card. The Office of the Data Protection Commissioner accepted the case for investigation on 13 April 2021.

2. A related complaint was initiated at the Office of the Data Protection Commissioner on 10 December 2020. In its notice, the initiator stated that making online purchases with a bank card required registering and creating a password. The initiator did not want to register or create a password.

3. The initiator of the case is not a party to the case under Section 11 of the Administrative Procedure Act (434/2003), because the decision given in the case will not affect the initiator's rights, interests or obligations. The decision will nevertheless be notified to the initiator.

DECISION OF THE DATA PROTECTION COMMISSIONER ON DATA PROTECTION BY DESIGN AND BY DEFAULT AND ON THE LIMITATION OF THE STORAGE PERIOD OF PERSONAL DATA

Statement received from the controller

Request for clarification 13 April 2021

4. The Office of the Data Protection Commissioner requested an explanation from Verkkokauppa.com Oyj with a request for clarification dated 13 April 2021. The controller issued a written statement on the matter on 26 April 2021.

5. In its statement, the controller justifies its practice on the grounds that the customer account created through registration lets it reliably identify the data subject and meet its obligation to demonstrate compliance. According to the controller, the customer account also enables the data subject's rights to be exercised, since the data subject can, for example, exercise the rights of access and rectification directly in the account settings and manage direct marketing consents there. The controller states that the processing of personal data in the customer account is based on a contract between the data subject and the controller.

6. According to the controller's statement, the information necessary for providing the service, such as name, e-mail address and telephone number, is kept until the account is closed at the request of the data subject. According to the controller, creating a customer account does not require providing address information; the delivery address is only requested in connection with the first order. The customer account can be closed by contacting customer service. In its statement, the controller notes that statutory obligations may require some data to be retained even after this.

Hearing and request for further clarification on 7 July 2022

7. The Office of the Data Protection Commissioner sent Verkkokauppa.com Oyj a hearing and a request for additional clarification on 7 July 2022. The Office reserved Verkkokauppa.com Oyj an opportunity to be heard on the facts presented in the case and on the preliminary assessment of the matter. In addition, the Office reserved Verkkokauppa.com Oyj an opportunity to be heard on the sanction that may be imposed in the case and to submit any other documentation it considers important for resolving the case. Verkkokauppa.com Oyj submitted its response to the Office of the Data Protection Commissioner on 2 September 2022.

8. The controller submits in its response that the general data protection regulation or other data protection regulations do not explicitly or implicitly oblige the trader to offer potential customers the opportunity to do business in the online store without registering, but requiring or not requiring registration is a business decision of the trader, the making of which is a right that falls within the scope of the trader's freedom of trade. The controller considers that, based on its freedom of business, it has the right to choose a concept in its online store where the customer must register as an online store customer in order to use all the functionalities of the online store platform. The controller has justified the need for a customer account and registration in connection with individual online purchases.

9. In its response, the controller also states that the processing of customers' personal data is necessary to provide the service package and to perform the contract. The controller submits that the online store could technically allow consumer goods to be ordered without the customer registering and creating an account in the seller's information systems. Even then, however, an account is created in the backend system of the online shopping platform, where the transaction is recorded. Likewise, when consumer goods are bought in brick-and-mortar stores, the orders are entered into each store's own account. According to the controller, the data collected and processed to enable online purchases without logging in and creating a customer account are very much the same as when the customer activates a user account and makes purchases while logged in. According to the controller, the only practical difference is that, in the latter case, the customer can log into the account and view their purchase and other customer information in aggregate.

10. In its response, the controller states that it has chosen, from the options described above, a business model in which making purchases in the online store requires registration and the creation of a customer account. According to the controller, the starting point of the General Data Protection Regulation is that the right to the protection of personal data is not absolute but must be considered in relation to its function in society and, in accordance with the principle of proportionality, balanced against other fundamental rights recognised in the Charter of Fundamental Rights of the European Union, including the freedom to conduct a business. The controller submits that the entrepreneur's freedom to define its business model falls within the scope of the freedom to conduct a business laid down in Article 16 of the Charter of Fundamental Rights and Section 18 of the Constitution of Finland (731/1999). In the controller's view, neither the General Data Protection Regulation nor any other data protection regulation can therefore automatically be considered to limit the controller's right to choose its business model, as long as the processing of personal data carried out in implementing the selected business model takes place within the framework of the General Data Protection Regulation and other data protection regulations.

11. In its response, the controller states that no general conclusion can be drawn that customers do not want a customer account. The fact that the initiator did not want a customer account does not change this. In the controller's view, the data protection regulation does not lead to this conclusion either, nor does it require the entrepreneur to take into account the wishes or will of individual data subjects when deciding on its business model. In the brick-and-mortar stores of Verkkokauppa.com Oyj, it is possible to do business and make purchases without registering as a customer.

12. Regarding the limitation of the storage period, the controller submits that the General Data Protection Regulation does not require the storage period to be "as short as possible" but "as long as necessary" for the purpose of the processing. According to the controller, registration establishes a customer relationship whose length is determined by the customer. According to the controller, it would be untenable for it to determine on behalf of its customers how long a person remains a Verkkokauppa.com Oyj customer after the customer relationship has been established and the customer account created.

13. The controller states that it also sells very long-lived devices, which may have very long warranty and/or defect liability periods. The controller further states that in Finland the seller's liability for defects is not limited in time by law. Goods sold to a consumer must last for as long as the consumer can generally reasonably expect for goods of that kind. For devices that are intended or marketed as long-lived, a claim that the product's normal lifespan was insufficient can still be made a considerable time after the device was sold to the consumer. Verkkokauppa.com Oyj also offers a three-year warranty on televisions, computers, tablets and cameras purchased from the online store. The controller states that Verkkokauppa.com Oyj's liability for defects does not necessarily end when the three-year warranty expires; regardless of the warranty given by the seller, liability for defects is always determined under mandatory consumer protection legislation. According to the controller, because home electronics are long-lived, the interval between purchases by Verkkokauppa.com Oyj's customers can in practice be considerable.

14. In the controller's view, it is good customer service and in the customer's interest that a registered customer has access to information and receipts about their online purchases through their customer account for the whole duration of the customership. Registration also sets the consumer's expectation that Verkkokauppa.com Oyj will keep the receipts for online purchases on the customer's behalf for as long as the customer may need them to exercise warranty or defect liability rights or for other purposes. For example, during the current period of remote working, a customer may buy certain home electronics for a home office, in which case the purchases can be deducted in taxation. According to the controller, receipts and vouchers need not be submitted to the Tax Administration when claiming deductions, but the Tax Administration can ask the taxpayer to submit them later. The controller adds that the Tax Administration requires taxpayers to keep their receipts for six years after the end of the tax year.

15. The controller states that it does not store all the information in the customer's account for the entire duration of the customership: the basic information (name, e-mail address and phone number) and any information about orders are stored for the duration of the customership. Information whose long-term storage Verkkokauppa.com Oyj does not consider to bring added value to the customer, such as various log and login data, the date of birth required for age-restricted (K-18) products, backups, analytics data and data used for credit assessment, is deleted regularly. For these personal data, the controller says it has defined retention periods.

16. According to the controller, requiring the creation of a customer account in order to make online purchases also does not violate the requirement of data protection by default, as the procedure does not lead to the collection and processing of data unnecessary for the purpose of the processing.

17. Regarding the deletion of data from the customer account, the controller explains as follows. When the customer requests the deletion of their personal data, the customer account is closed. Closing the customer account starts the customer data deletion procedure. All information about the customer is deleted or anonymized within 30 days if the customer has had no orders on the account. If there are orders on the account, the order information is separated from the customer account for further storage, and all personal data in the orders is anonymized once the statutory obligations have been fulfilled. As regards order information, Verkkokauppa.com Oyj is obliged to keep accounting material for the retention period laid down in Chapter 2, Section 10 of the Accounting Act (1336/1997). Verkkokauppa.com Oyj cannot delete order information entirely, because deletion would affect the financial accounts and statutory obligations require the data to be stored. Consequently, Verkkokauppa.com Oyj stores order information (without the related personal data) in accordance with accounting legislation, regardless of whether the customer has deleted their account or exercised their right to erasure under the General Data Protection Regulation. If the customer later makes a purchase from the online store and registers again, a new customer account is created.

Supplementary hearing and request for additional clarification 22 November 2023

18. The Office of the Data Protection Commissioner has sent Verkkokauppa.com Oyj a supplementary consultation and additional clarification request on 22 November 2023. Verkkokauppa.com Oyj has submitted its answer to the data protection commissioner's office on 21 December 2023.

19. In its hearing response, the controller states that if it allowed its customers to make purchases in its online store without registration, it would have to collect and store the personal data required to place and deliver the order on a per-order basis, which is not appropriate from the point of view of data security and does not comply with the principle of data minimization.

20. According to the controller, registration establishes a relationship between Verkkokauppa.com and the customer, which enables the use of Verkkokauppa.com's online shopping platform and all its functionalities. The contractual relationship is valid for an indefinite period, in which case its length is defined by the customer himself.

21. The controller states that it does not keep all the information in the customer's account for the entire duration of the customership. It keeps the customer's basic information (name, e-mail address and phone number), which is necessary to maintain the customership, for the entire duration of the customership, as well as, if orders have been placed, information about the orders and the customer's current address information.

22. The controller submits that the fact that the retention period of personal data is defined by the customer does not mean that the retention period has not been defined at all, or that the criteria for determining it have not been defined in the manner required by the data protection regulation. The controller states that it has defined the duration of the customership as the criterion for determining the retention period. The personal data are stored for as long as the customer wishes.

23. The controller states in its statement that the online store customer determines the retention period of the basic data needed to maintain the customership and of the personal data relating to any orders, and that an automated deletion process has been created for closed customer accounts. The controller therefore does not consider that it has failed to implement appropriate technical and organizational measures to ensure data protection by default.

24. Otherwise, the controller does not consider that its retention period practice is contrary to the requirement of default data protection (Article 25(2) of the General Data Protection Regulation). In its opinion, the controller does not process any information of its online store customers that is not necessary for the processing purposes defined by it.

25. The controller says that it is currently implementing an automatic deletion mechanism for inactive customer accounts. Once the function is complete, Verkkokauppa.com will send an automatic e-mail notification to every customer who has not logged into their customer account for more than six years. Several such e-mail notifications are sent to the same person before the account is deleted. The account is deleted unless the customer takes steps to keep it.

26. Six years has been chosen as the period of inactivity that triggers the deletion process because the majority of Verkkokauppa.com's warranty and defect liability periods, as well as the retention periods based on Verkkokauppa.com's other statutory obligations, fall within that period. According to the controller's estimate, the function will go live in the first quarter of 2024.
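The deletion procedure the controller describes in paragraph 17 (a 30-day wipe after closure, order records detached for accounting retention and anonymised afterwards) and in paragraphs 25 and 26 (reminder e-mails followed by deletion after six years of inactivity) is the kind of defined retention criterion the decision contrasts with indefinite storage. The Python below is an added example written for this page, not code from Verkkokauppa.com or the DPA; it models both policies side by side over constructed sample accounts so the difference is visible: under the indefinite policy an open account is never touched, under the defined one a dormant account is warned and then erased. The accounting retention length, the number of reminders, all names (`RetentionPolicy`, `decide`, `apply_action`, `run_retention`) and the sample records are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Optional

DECISION_DATE = date(2024, 3, 6)  # "today" for the worked run; the decision's date


class Action(Enum):
    KEEP = "keep"
    NOTIFY_INACTIVE = "notify-inactive"  # reminder e-mail before deletion
    ERASE_ACCOUNT = "erase-account"      # basic data removed, orders detached

@dataclass
class Order:
    order_id: str
    placed: date
    buyer_name: Optional[str]  # personal data in the order; None once anonymised
    total_eur: float           # accounting fact that must survive anonymisation

@dataclass
class Account:
    account_id: str
    name: Optional[str]
    email: Optional[str]
    phone: Optional[str]
    last_login: date
    closed_on: Optional[date] = None  # set when the customer closes the account
    notices_sent: int = 0
    orders: List[Order] = field(default_factory=list)

@dataclass(frozen=True)
class RetentionPolicy:
    inactivity_years: Optional[int]      # None = kept until the data subject asks
    closed_grace_days: int = 30          # para 17: wiped within 30 days of closure
    notices_before_delete: int = 2       # para 25: "several" reminders; count assumed
    accounting_retention_years: int = 6  # ASSUMED placeholder; not stated in the decision

INDEFINITE = RetentionPolicy(inactivity_years=None)  # the practice the DPA sanctioned
DEFINED = RetentionPolicy(inactivity_years=6)        # para 26: six years of inactivity

def years_between(start: date, end: date) -> int:
    """Whole years elapsed from start to end."""
    years = end.year - start.year
    if (end.month, end.day) < (start.month, start.day):
        years -= 1
    return years

def decide(acct: Account, today: date, policy: RetentionPolicy) -> Action:
    """Return the retention action due for one account on a given day."""
    if acct.closed_on is not None:  # customer-initiated closure (para 17)
        elapsed = (today - acct.closed_on).days
        return Action.ERASE_ACCOUNT if elapsed >= policy.closed_grace_days else Action.KEEP
    if policy.inactivity_years is None:
        return Action.KEEP  # indefinite policy: nothing happens without a request
    if years_between(acct.last_login, today) < policy.inactivity_years:
        return Action.KEEP
    if acct.notices_sent < policy.notices_before_delete:
        return Action.NOTIFY_INACTIVE
    return Action.ERASE_ACCOUNT

def apply_action(acct: Account, action: Action, today: date,
                 policy: RetentionPolicy) -> List[Order]:
    """Mutate the account; return order records detached for accounting retention."""
    if action is Action.NOTIFY_INACTIVE:
        acct.notices_sent += 1  # sending the e-mail itself is out of scope here
        return []
    if action is not Action.ERASE_ACCOUNT:
        return []
    acct.name = acct.email = acct.phone = None  # basic data kept only for the customership
    detached, acct.orders = acct.orders, []
    for order in detached:  # anonymise only once the statutory period has run
        if years_between(order.placed, today) >= policy.accounting_retention_years:
            order.buyer_name = None
    return detached

def sample_accounts() -> List[Account]:
    """Constructed sample records, not real customer data."""
    return [
        Account("dormant", "A. Example", "a@example.invalid", "+358000000000",
                last_login=date(2017, 1, 10),
                orders=[Order("o-1", date(2017, 1, 10), "A. Example", 499.0)]),
        Account("closed", "C. Example", "c@example.invalid", "+358000000002",
                last_login=date(2024, 1, 5), closed_on=date(2024, 2, 1),
                orders=[Order("o-3", date(2023, 6, 1), "C. Example", 1299.0)]),
    ]

def run_retention(accounts: List[Account], today: date, policy: RetentionPolicy,
                  archive: List[Order]) -> Dict[str, Action]:
    """Run one retention pass; detached order records are appended to `archive`."""
    outcome: Dict[str, Action] = {}
    for acct in accounts:
        action = decide(acct, today, policy)
        archive.extend(apply_action(acct, action, today, policy))
        outcome[acct.account_id] = action
    return outcome
```

Running `run_retention(sample_accounts(), DECISION_DATE, INDEFINITE, [])` leaves the dormant account untouched, which is exactly the outcome the decision objects to; with `DEFINED`, the same account gets a reminder on the first pass and is erased on the third, while the closed account's order record is detached with its buyer name intact because the assumed accounting period has not yet run.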

27. According to the controller, as a rule an online store customer registers as a customer when making their first purchase in the Verkkokauppa.com online store. At the same time, the customer accepts Verkkokauppa.com's terms and conditions and confirms having read the privacy policy, which describes the processing of personal data. According to the controller, the contract for an online store order cannot be separated from the contract on registration as an online store customer. Placing an individual online order takes place within, and subordinate to, the customer contract, also with regard to the processing of personal data.

28. According to the controller, not all processing of personal data described in Verkkokauppa.com's privacy policy is based on the performance of a contract under Article 6(1)(b) of the General Data Protection Regulation; in certain situations it is based on the controller's legitimate interest (for example, sending service messages or product review requests related to the customer or the order), on the data subject's consent (for example, the weekly newsletter subscription and electronic direct marketing) or on a legal obligation of the controller (for example, obligations arising from the Accounting Act).

Statement of the Finnish Competition and Consumer Authority on 10 March 2023

29. The Office of the Data Protection Commissioner asked the Finnish Competition and Consumer Authority to issue a statement on requiring registration in e-commerce. The Finnish Competition and Consumer Authority issued its statement on 10 March 2023.

30. The Finnish Competition and Consumer Authority states in its statement that the matter falls primarily within the scope of the General Data Protection Regulation. It further states that the Consumer Ombudsman does not take a position on compliance with or the application of the General Data Protection Regulation.

31. The statement of the Finnish Competition and Consumer Authority has been submitted for information to the controller on 22 November 2023.

Background information

Service description

32. Verkkokauppa.com Oyj sells information technology, entertainment electronics, toys, games, sports, pet and childcare products as well as installation services in the online store maintained at www.verkkokauppa.com and in brick-and-mortar stores. Verkkokauppa.com Oyj's main business is the retail trade of computers, their peripherals and software.

Sales

33. According to information received from Verkkokauppa.com Oyj on November 2, 2023, Verkkokauppa.com Oyj's turnover for 2022 is EUR 543,100,000.

Number of customer accounts

34. There are 1,977,854 active customer accounts.

On applicable legislation

35. The general data protection regulation of the European Parliament and the Council (EU) 2016/679 (data protection regulation) and the specifying national data protection law (1050/2018) apply in this case.

36. Article 5(1)(a) of the General Data Protection Regulation provides for the principle of lawfulness. According to the article, personal data must be processed lawfully.

37. Article 5(1)(b) of the General Data Protection Regulation provides for the principle of purpose limitation. According to the article, personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

38. Article 5(1)(c) of the General Data Protection Regulation provides for the principle of data minimization. According to the article, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

39. Article 5(1)(e) of the General Data Protection Regulation provides for the principle of storage limitation. According to the article, personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as they are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of the appropriate technical and organizational measures required by the General Data Protection Regulation in order to safeguard the rights and freedoms of the data subject.

40. Article 6 of the General Data Protection Regulation provides for the legality of processing. According to Article 6(1)(b), the processing is lawful only if and only to the extent that the processing is necessary for the implementation of an agreement to which the data subject is a party, or for the implementation of measures prior to the conclusion of the agreement at the request of the data subject.

41. Article 13 of the General Data Protection Regulation provides for the information to be given when personal data are collected from the data subject. Under paragraph 2(a) of the article, when personal data are obtained, the controller must provide the data subject with the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period.

42. Article 25 of the General Data Protection Regulation provides for data protection by design and by default. According to paragraph 1 of the article, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing, the controller must, both when determining the means of processing and during the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing, so that the processing meets the requirements of the General Data Protection Regulation and the rights of data subjects are protected. According to Article 25(2) of the General Data Protection Regulation, the controller must implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

Legal question

43. The Data Protection Commissioner assesses and decides the matter on the basis of the aforementioned General Data Protection Regulation (EU) 2016/679 and the Data Protection Act (1050/2018).

The Data Protection Commissioner must resolve:

1) Has the controller's method of operation, which has required registration as a customer in order to make a single purchase in the online store, been in accordance with Articles 5(1)(e) and 25(2) of the General Data Protection Regulation?

2) Has the controller processed personal data in accordance with Articles 5(1)(e) and 25(2) of the General Data Protection Regulation when storing, for an indefinite period, the data collected in the customer accounts of registered individuals who have made individual purchases, unless the data subject has made a separate request to delete their data?

In this decision, the Data Protection Commissioner does not evaluate the data controller's processing of personal data in other respects.

Decision of the Data Protection Commissioner

44. The controller's method of operation, which has required registration as a customer to make a single purchase in the online store, has not been in accordance with Articles 5(1)(e) and 25(2) of the General Data Protection Regulation. The procedure has led to the fact that the information of those who made individual purchases has also been stored longer than the implementation of a one-time purchase would have required.

45. The controller has not defined storage periods for the personal data of online store customers collected in customer accounts as required by Articles 5(1)(e) and 25(2) of the General Data Protection Regulation. The controller has kept this personal data for an indefinite period, unless the data subject has requested its deletion.

46. The controller is given an order in accordance with Article 58(2)(d) of the General Data Protection Regulation to bring its processing operations into compliance with the data protection regulations in respect of the violations found in sections 44 and 45. Pursuant to this order, the controller must define a retention period for the personal data of online store customers that meets the requirements of the General Data Protection Regulation and ensure that it changes the method of operation referred to in section 44. In addition, the controller must, without undue delay, delete or anonymize the personal data of online store customers that are older than retention periods meeting the requirements of the General Data Protection Regulation.

47. The controller is given a notice in accordance with Article 58(2)(b) of the General Data Protection Regulation regarding the violation of Article 5(1)(e) and Article 25(2) of the General Data Protection Regulation in relation to the procedure stated in Sections 44 and 45 above.

Administrative penalty fee

48. Pursuant to Section 24 of the Data Protection Act, the administrative penalty fee provided for in Article 83 of the General Data Protection Regulation is determined by the sanctions board formed by the Data Protection Commissioner and the Deputy Data Protection Commissioners. The question of the penalty fee is referred to the sanctions board for decision. The Sanctions Board must therefore assess whether an administrative penalty fee in accordance with Article 58(2)(i) of the General Data Protection Regulation must be imposed on the controller in addition to the notice and order issued by the Data Protection Commissioner.

49. The matter will not be evaluated by the Sanctions Board insofar as it concerns the requirement of registration in order to make a single purchase in an online store, i.e. the so-called forced registration. In the future, an administrative fine may be imposed for such a procedure.

Reasons for the decision

50. In the matter now being evaluated, the controller has required that the online store customer making a single purchase registers as a Verkkokauppa.com customer, i.e. in practice creates a customer account for himself. Doing business in the controller's online store therefore always requires the creation of a customer account, regardless of whether the customer wants to register as a customer of the controller.

51. The controller keeps customer account information, such as information about the customer's individual purchases, in principle until the account is closed at the customer's separate request. Ending the collection of data and deleting it therefore requires that the data subject submits an erasure request in accordance with Article 17 of the General Data Protection Regulation. The controller's method of operation thus also shifts the responsibility for protecting personal data onto the data subject.

52. The case now being evaluated concerns the legality of the storage of personal data collected for the said customer account, i.e. whether it is in accordance with the General Data Protection Regulation to make the creation of a customer account a prerequisite for a single purchase transaction, together with the processing of personal data, including retention, that the creation of said account entails. The case also concerns whether it is in accordance with the General Data Protection Regulation to keep personal data collected through the customer account until the data subject possibly requests the deletion of his personal data. In practice, this can mean that personal data from a single purchase transaction is stored for decades.

53. The principle of storage limitation under Article 5(1)(e) of the General Data Protection Regulation requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing. The purpose of the processing is therefore the key criterion when determining how long personal data may be stored. The controller must be able to justify why the retention period is necessary for the personal data in question and the purpose of their processing, and must be able to present the reasons and legal grounds for the retention period. The retention period must be as short as possible, it must as a rule be defined in advance, and data subjects must be informed of it.

54. The principle of storage limitation is part of the requirement of data protection by design and by default (Article 25 of the General Data Protection Regulation), which is a starting point of the General Data Protection Regulation; to comply with it, the controller must build its systems and procedures so that data protection is properly taken into account from the outset. Data protection by design and by default requires that the controller effectively implements the data protection principles, such as the storage limitation principle, and that, with regard to the retention period, only personal data necessary for each specific purpose of the processing are processed.

55. It should be noted that the data minimisation principle under Article 5(1)(c) of the General Data Protection Regulation also requires the controller to ensure that personal data is stored in a form that permits the identification of data subjects only for as long as is necessary for the purposes for which the personal data is processed.

Storage of personal data collected in connection with the registration required from the customer

56. In this case, the controller has required online store customers to create a customer account for themselves even where the purchase was a one-time purchase. It has not been possible to make individual purchases in the controller's online store without creating a customer account. As a result, the storage period for personal data becomes longer than the provisions of the General Data Protection Regulation would justify for the processing of an individual online store order.

57. In its response to the Data Protection Commissioner's consultation request, the controller has stated that data protection regulation does not, explicitly or implicitly, oblige a trader to offer potential customers the opportunity to do business in the online store without registering.

58. It is true in itself that neither the General Data Protection Regulation nor any other data protection regulations contain specific provisions on registration in connection with a purchase transaction. The General Data Protection Regulation, however, provides quite unambiguously for the collection and storage of personal data. According to the Data Protection Commissioner's opinion, it is undisputed that the business model of the trader must meet the requirements of Articles 5(1)(e) and 25(2) of the General Data Protection Regulation.

59. When evaluating the case, attention must be paid to the fact that the controller has processed personal data for the purpose of online shopping. In such a situation, personal data must therefore be processed only to the extent that is required to carry out the sale of the purchased product. It should be noted that the requirement according to Article 25(2) of the General Data Protection Regulation to limit data processing to what is necessary expressly applies to both the scope of personal data processing and the storage period. The processing of personal data related to individual online store purchases does not require the data subject to create a customer account as referred to in this matter, which leads to the retention of personal data longer than a single purchase transaction would require.

60. The Data Protection Commissioner draws attention to the fact that, in the procedure reviewed in this decision, customers, i.e. data subjects, have not been able to actively choose whether to create a customer account. In this regard, the Data Protection Commissioner draws the controller's attention to the fact that, in order to meet the requirements of data protection by design and by default, the data subject should be given the widest possible opportunity to decide on the processing of their own personal data. The requirement to register as a customer and the related processing of personal data, especially the prolongation of the processing beyond what would be necessary to make an online store purchase, are not compatible with this starting point.

61. Unless the data subject has submitted an erasure request to the controller in accordance with Article 17 of the General Data Protection Regulation, the controller has continued to collect and store personal data on the basis of the customer relationship created for the data subject. The Data Protection Commissioner emphasizes that processing of personal data to the extent described above does not comply with Article 5(1)(e) or Article 25(2) of the General Data Protection Regulation. Although, based on the evidence obtained in the case, the collected personal data has in itself been necessary for processing the online purchase, collecting it through a customer account created for the data subject has led to the unnecessary storage of personal data on the basis of the customer relationship, contrary to the said articles.

62. The Data Protection Commissioner states that the processing of personal data may in itself be necessary for managing a data subject's more permanent customer relationship. In that case, for example, the basic data of the data subject needed to manage a loyalty membership is, as a rule, deleted when the loyalty membership ends. However, the case currently being evaluated concerns whether it is in accordance with the General Data Protection Regulation to make the creation of a customer account a prerequisite for a single purchase transaction, which leads to a potentially long storage period for personal data.

63. In addition, it can be stated that the retention of personal data is only permitted for as long as it is necessary for the purposes for which the personal data is processed (Article 5(1)(e) of the General Data Protection Regulation). In accordance with Article 5(1)(b) of the General Data Protection Regulation, the processing purposes referred to here must, among other things, be legitimate. The lawfulness of the processing, in turn, requires that there is a valid legal basis for the processing of personal data (Articles 5(1)(a) and 6(1) of the General Data Protection Regulation).

64. In its statement, the controller has stated that it applies the contract as the legal basis for processing the personal data of the customer account (Article 6(1)(b) of the General Data Protection Regulation). Based on the evidence, the online store purchase agreement has inextricably included the customer's registration as a customer of the controller and the related creation of a customer account. In such a situation, it must be examined whether the processing of personal data related to said customer account, including its storage, is necessary for the performance of the contract within the meaning of Article 6(1)(b) of the General Data Protection Regulation. The European Data Protection Board has stated the following regarding the application of Article 6(1)(b) of the General Data Protection Regulation:

"If there are realistic, less invasive options available, processing is not necessary. Article 6(1)(b) of the General Data Protection Regulation does not include processing that is useful but not objectively necessary for the performance of the service that is the subject of the contract or for the implementation of relevant pre-contractual activities at the request of the data subject, even if it is necessary for the controller's other business."

65. In principle, the processing of personal data carried out to create and maintain a customer account cannot be considered necessary for the performance of a contract concerning an online purchase. Instead, it is typically processing carried out for the benefit of the controller's business, and the main object of the contract can be performed without said processing.

66. It should also be noted that the legal basis under Article 6(1)(b) of the General Data Protection Regulation must be interpreted narrowly, because on that basis the processing of personal data becomes lawful without the data subject's consent. In addition, where the processing of personal data related to the creation of a customer account is not objectively necessary for the performance of the contract concerning the online store purchase, a separate legal basis must be defined for the processing carried out to maintain the customer relationship.

67. If the legal basis for processing personal data is not properly defined, the processing does not comply with Articles 5(1)(a) and 6(1) of the General Data Protection Regulation. In the absence of a legal basis, processing for the said purpose does not meet the condition of lawfulness and is therefore also not in accordance with Article 5(1)(b) of the General Data Protection Regulation. In that case, the processing also fails to meet the requirement of Article 5(1)(e) of the General Data Protection Regulation, according to which personal data may be stored only for as long as is necessary for the purposes for which it is processed.

Reliance on the data subject's rights to stop the storage of personal data

68. As stated above, under the controller's procedure the data subject has to rely on the data subject rights in Chapter III of the General Data Protection Regulation in order to prevent the long-term storage of personal data on the basis of the customer relationship the controller has established for individual online purchases, and must request the erasure of his data pursuant to Article 17 of the General Data Protection Regulation. The retention period of personal data then depends on whether the data subject exercises his right to erasure. This procedure can lead to personal data being stored for a very long and indefinite period of time. Stopping the storage of personal data requires the data subject to be active, alert and capable, since he must explicitly request the deletion of the data collected in the customer account.

69. The procedure used by the controller cannot be considered reasonable from the data subject's point of view. By acting in this way, the controller has neither complied with its obligation to limit the storage of personal data to the shortest possible duration nor defined a retention period corresponding to what is necessary for fulfilling the purposes of the processing. The Data Protection Commissioner states that the data subject generally has no need to exercise his data protection rights in the manner described if the data is not stored unnecessarily, and emphasizes that the retention of personal data cannot be justified by the fact that the data subject can later exercise his rights.

Appropriate definition of retention period

70. In the statement given to the Office of the Data Protection Commissioner, the controller has stated that the retention period for personal data is defined by the customer, not by Verkkokauppa.com on the customer's behalf. The controller submits that it cannot assess on behalf of the customer how long the customer wants their customer relationship to last. The deletion of personal data connected to the customer account requires that the data subject submits a request to the controller.

71. The Data Protection Commissioner notes that the controller in this case has therefore not properly defined a retention period for the personal data stored on the basis of the customer relationship; rather, the retention period is determined by the point at which the data subject requests the deletion of his data. In the case of a single online store purchase, limiting the storage period of personal data thus depends on the data subject's own activity.

72. For example, in order to fulfil its obligation to inform, the controller must, according to Article 13(2)(a) of the General Data Protection Regulation, provide the data subject with "the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period" when personal data is collected from the data subject himself. The storage period may be left undefined only where it is not possible to define it precisely and other criteria for determining it must be used instead. This is not the situation in the present case: the controller has been able to define the retention period for personal data relating to individual purchase transactions.

73. Instead of defining a retention period, the controller has, in the case being evaluated, kept personal data on the basis of the customer relationship until the data subject requests the deletion of his data. The controller has therefore not defined a retention period for the said personal data, although it would have been possible to do so in this case, nor has it defined appropriate criteria for determining the retention period; retaining personal data until the data subject gets around to exercising his right to erasure under the General Data Protection Regulation cannot be considered such a criterion.

74. Regarding the above, it should be noted that the European Data Protection Board has likewise stated in its opinion practice that the storage of personal data for an indefinite period is contrary to the principle of storage limitation, and that giving the data subject the opportunity to delete his personal data does not remove the controller's responsibility to define and implement lawful data retention practices.

75. In the case under review, the controller has not fulfilled its obligation to define a storage period for personal data, but has kept the data until the data subject requests its deletion. As stated above, the responsibility for deleting personal data cannot be transferred to the data subject; the controller must itself ensure the proper fulfilment of its storage limitation obligations. As a result of the controller's procedure, in the case at hand the controller has, in addition to failing to appropriately define the retention period, also failed to ensure the timely deletion of personal data at the end of a lawfully defined retention period.

76. It must also be stated that, based on the report received, the controller has deliberately and consciously implemented the reviewed procedure. In implementing the procedure, the controller has decided that it is not necessary to define a retention period for the personal data collected for the customer account. The controller has not otherwise restricted the retention of the personal data examined in the case in an appropriate manner, and it has deliberately left the limitation of the retention period of personal data to the data subject's own measures.

77. In its hearing response issued on 21 December 2023, the controller stated that it intends to implement a mechanism for deleting inactive customer accounts. The Data Protection Commissioner states that removing inactive customer accounts does not remove the controller's obligation to define retention periods for the personal data of online store customers in accordance with data protection regulations.

Freedom to conduct business and liability for defects

78. In the statement given to the data protection commissioner's office, the controller has stated that the right to the protection of personal data is not absolute and that requiring registration is a business decision, the making of which is a right that falls within the scope of the entrepreneur's freedom of business. The controller has deemed it sufficient that the processing of personal data takes place in this context within the framework of data protection regulations.

79. The Data Protection Commissioner states that, as the controller itself suggests, what is central to the evaluation of the matter is whether the decisions concerning the controller's business, and in this context its handling of the retention period of personal data, are in accordance with the General Data Protection Regulation. According to Article 18 of the Constitution, on the freedom to conduct business, everyone has the right to earn a living through the work, profession or business of their choice. However, the case being evaluated does not involve denying the right to earn a living from the chosen business or interfering with the essential content of the freedom to conduct business, nor do the applicable regulations prevent the controller's business activities. The matter is solely about whether the controller's procedure was in accordance with the General Data Protection Regulation.

80. The controller has also relied on matters related to the seller's liability for defects as justification for its procedure. According to the controller, the temporal scope of the seller's liability for defects is not limited by law in Finland, and the consumer can claim a defect in the goods a considerable time after the device has been sold to the consumer. The controller also says that it offers a three-year warranty for certain devices. The controller considers that keeping receipts related to online purchases on behalf of the customer is justified in this regard, and that the registered customer has access to information and receipts regarding his online purchases through the customer account throughout his customer relationship. According to the controller, the tax authority can also ask the taxpayer to provide receipts and vouchers, and the tax authority requires the taxpayer to keep his taxation vouchers for six years after the end of the tax year. The controller has also relied on the obligations under the Accounting Act when storing personal data.

81. The provisions on liability for defects and warranty are laid down in Chapter 5 of the Consumer Protection Act (38/1978). According to the Consumer Protection Act, the goods have a defect for which the seller is responsible if they last for a shorter time than can reasonably be expected, and the duration of the liability for defects is thus determined case by case on the basis of the expected life of the goods. However, the consumer's right to demand compensation for a defect does not depend on whether the consumer has given the seller his personal data. Correspondingly, the seller's obligation to compensate for the defect is not affected by whether the seller has access to the consumer's personal data, and a need to process personal data cannot be derived from the defect liability provisions of the Consumer Protection Act as the controller has presented.

82. Nor can the controller decide on the data subject's behalf that it will keep, for the data subject, documents which the data subject may in certain situations have to submit to the tax authority. The data subject fulfils his tax obligations on his own initiative and according to his own decisions; an online store, for example, does not make these decisions for him. The Data Protection Commissioner states that such a service can certainly bring added value to customers. However, it would require that the data processing has, for example, the data subject's consent as referred to in the General Data Protection Regulation.

83. Compliance with the controller's obligations arising from the accounting regulation does not, on the other hand, require the creation of a customer account for the data subject referred to in this matter, and the accounting material must generally be kept separate from the customer account. The Accounting Act also does not, for example, entitle the data controller to store data more extensively than is necessary to fulfill the requirements of the Accounting Act or to process data stored under the Accounting Act for other purposes during their retention period.

84. In its response to the consultation request, the controller has stated that requiring registration does not in itself increase the amount of personal data it processes about its customers. For the sake of clarity, it is noted that the case under review does not concern any finding that the controller, on the basis of the statement it provided, collects more personal data for the customer account than it needs to collect solely to process the online store purchase.

Decision of the Sanctions Board on the administrative penalty payment

Controller

Verkkokauppa.com Oyj

According to Section 24 of the Data Protection Act, the administrative penalty fee is determined by the sanctions board formed by the Data Protection Commissioner and the Deputy Data Protection Commissioners, which has issued the following decision on the imposition of the administrative penalty fee.

1. According to the decision of the Data Protection Commissioner, the controller has not complied with the provisions of Articles 5(1)(e) and 25(2) of the General Data Protection Regulation. In its decision, the Data Protection Commissioner has issued the controller an order in accordance with Article 58(2)(d) of the General Data Protection Regulation and a notice in accordance with Article 58(2)(b) of the General Data Protection Regulation for the violation of Articles 5(1)(e) and 25(2) of the General Data Protection Regulation.

2. Taking into account the seriousness of the violation, the matter is not a minor infringement as referred to in recital 148 of the General Data Protection Regulation. In terms of effectiveness, proportionality and dissuasiveness, the order issued by the Data Protection Commissioner pursuant to Article 58(2)(d) of the General Data Protection Regulation and the notice issued pursuant to Article 58(2)(b) are not a sufficient sanction in the present case, taking into account the factors provided for in Article 83(2) of the General Data Protection Regulation.

3. In this case, an administrative penalty fee must be imposed for the failure, stated in the Data Protection Commissioner's decision, to properly define the retention period of online store customers' personal data. The controller has left the retention period of the personal data collected for the customer account undefined. The imposition of a penalty fee is particularly supported by the fact that the controller has left the limitation of the retention period of personal data for individual online purchases to the data subjects' own activity. As stated in section 49 of the Data Protection Commissioner's decision, the matter has not been brought before the sanctions board insofar as it concerns the requirement of registration in order to make a single purchase in the online store.

4. The matter concerns online shopping activities. In the controller's online store, data subjects have not been able to actively choose whether a customer account is created for them or how detailed the information collected and stored about them for this purpose is. For example, the matter has not concerned the retention of data of individual data subjects who have expressly applied for a loyalty customer relationship; in the present case, the data cannot, in principle, be kept longer than completing an online purchase requires. The procedure thus differs in key respects from the decision of the Data Protection Commissioner and the sanctions board in case no. 3831/161/21, in which the sanctions board of the Office of the Data Protection Commissioner did not impose a penalty fee on the controller.

5. The matter under consideration belongs to the higher penalty payment category according to Article 83(5)(a) of the General Data Protection Regulation. In the case of a violation, the amount of the imposed fine can be a maximum of either 20,000,000 euros, or four percent of the annual global total turnover of the previous financial year, depending on which of these amounts is greater.

6. The controller has stated that its total turnover for 2022 is EUR 543,100,000. In addition to the above-mentioned order and notice issued by the Data Protection Commissioner, the sanctions board formed by the Data Protection Commissioner and the Deputy Data Protection Commissioners (hereinafter the "Sanctions Board") imposes an administrative penalty fee of EUR 856,000 (eight hundred and fifty-six thousand), to be paid by the controller to the state pursuant to Article 58(2)(i) and Article 83 of the General Data Protection Regulation. Taking into account the seriousness of the violation and the other circumstances of the case, as set out in more detail below in the Sanctions Board's reasoning, the Sanctions Board considers an administrative penalty fee of EUR 856,000 to be effective, proportionate and dissuasive.

Reasons for imposing an administrative penalty

7. Article 83 of the General Data Protection Regulation lays down the general conditions for imposing an administrative fine. First, the administrative fine must be effective, proportionate and dissuasive in each individual case. Second, an administrative fine is imposed according to the circumstances of each individual case, in addition to or instead of the corrective powers provided for in Article 58. In the case at hand, the Data Protection Commissioner has issued an order and a notice to the controller. The administrative penalty fee is therefore imposed in addition to the order pursuant to Article 58(2)(d) of the General Data Protection Regulation and the notice pursuant to Article 58(2)(b).

8. When deciding on the imposition of an administrative penalty fee and the amount of the administrative penalty fee, the factors listed in Article 83(2) of the General Data Protection Regulation must be taken into account in each individual case.

9. As found in the Data Protection Commissioner's decision, the controller has not complied with the provisions of Articles 5(1)(e) and 25(2) of the General Data Protection Regulation.

10. According to Article 83(3) of the General Data Protection Regulation, if the data controller intentionally or negligently violates several provisions of the Data Protection Regulation in the same or related processing operations, the total amount of the administrative fine may not exceed the fine imposed for the most serious violation.

11. The seriousness of the breach must be assessed based on the factors listed in Article 83(2) of the General Data Protection Regulation. In the evaluation, the procedure or omission that can be considered the most reprehensible, taking into account the details of the matter being evaluated at any given time, must be chosen.

12. The matter under consideration concerns the obligation laid down in Article 5(1)(e) of the General Data Protection Regulation to limit the retention of personal data. As stated above in section 5, the matter belongs to the higher penalty payment category according to Article 83(5)(a) of the General Data Protection Regulation.

13. When evaluating the matter, the guidelines on the imposition of administrative fines given by the data protection working group and the European Data Protection Board have been taken into account.

Assessment of the severity of the breach

14. Taking into account the criteria set out in more detail below as a whole, the Sanctions Board considers that the conditions for imposing a penalty fee are met.

15. In evaluating the seriousness of the violation of the General Data Protection Regulation, Article 83(2)(a), (b) and (g) of the General Data Protection Regulation have been taken into account.

The nature and duration of the breach

16. With regard to the duration of the violation, the Sanctions Board notes that, based on the report received, the controller has required registration in its online store since 2018. Throughout the period in which the General Data Protection Regulation has applied, the personal data collected for customer accounts has therefore, for many data subjects, been stored for longer than is necessary to complete an online store purchase.

17. The Sanctions Board notes with regard to the nature of the violation that the controller has neglected its obligation to limit the storage of online store customers' personal data in the aspects considered in this case and left the fulfillment of this obligation to the data subjects' own activity, vigilance and ability. The violation has been a matter of the controller's usual and planned way of operating. The controller has not made it possible to make an online store purchase without creating a customer account, and the retention of personal data has thus basically affected all customers who have made an online store purchase.

18. With regard to the nature of the violation, it should also be noted that this is not a case in which the customers themselves actively wanted to create a customer account. The controller has not offered its customers a choice, nor has it sought to give data subjects the opportunity to decide for which purposes, beyond a single purchase transaction, their personal data will be processed.

19. The Sanctions Board further notes that the controller's procedure, under which personal data collected in the customer account is stored until the data subject takes it upon himself or herself to request its deletion, can lead to a very long period of storage of personal data. A long storage period, together with the storage of personal data in a customer account accessible via a public network, can increase the risk of misuse of personal data.

20. It is noted that, for the reasons presented above, the nature and duration of the violation must be considered a factor in favor of imposing an administrative fine.

The nature, scope or purpose of data processing and the groups of personal data affected by the breach

21. According to the report received from the controller in September 2022, the number of active customer accounts is almost two million. The number of data subjects affected by the infringement must be considered large, and this supports the imposition of an administrative fine in the case. Due to the large number of data subjects, the amount of personal data processed by the controller and collected for customer accounts must also be considered large. This fact likewise supports the imposition of an administrative fine in the case.

22. The fact that the case does not involve the processing of special categories of personal data does not in itself mean that no administrative fine should be imposed for the procedure.

Intentional or negligent breach

23. In the previously mentioned guidelines issued by the European Data Protection Board and the Data Protection Working Group, it has been stated that intentionality usually requires a conscious and deliberate violation. Intentional violations that manifest disregard for the law are generally considered more serious than negligent violations.

24. It is noted that a sanction may be imposed on the controller for a procedure within the scope of the General Data Protection Regulation if the controller could not have been unaware of the infringing nature of its procedure, regardless of whether it was aware that it violated the provisions of the General Data Protection Regulation. The Court of Justice of the European Union refers here specifically to the assessment of intent and negligence in competition law, which must be distinguished from the assessment of intent and negligence in criminal law.

25. For the reasons presented below, the Sanctions Board finds that the case cannot be regarded as one in which the violation did not result from intentional or negligent action by the controller.

26. The Sanctions Board draws particular attention to the fact that, as stated in section 76 of the Data Protection Commissioner's decision, based on the report received, the controller has deliberately and knowingly implemented the procedure in question. In connection with the implementation of the procedure, the controller decided that it was not necessary to define a retention period for the personal data collected for the customer account. The controller has otherwise not restricted the retention of the personal data examined in the case in an appropriate manner. The controller has also deliberately left the limitation of the retention period of personal data to the actions of the data subject.

27. The obligation to limit the retention of personal data is expressly provided for in Article 5(1)(e) of the General Data Protection Regulation. The obligation is also explicitly included in Article 25(2) of the General Data Protection Regulation. The controller has stated in its report that the retention period of personal data is defined by the customer, not by Verkkokauppa.com. However, the said obligations apply to the controller, not to the data subject. The General Data Protection Regulation provides that the controller is obliged to limit storage so that the storage period defined for personal data is as short as possible. The controller has also had access to, for example, official guidance on the provisions in question.

28. It must also be taken into account that the General Data Protection Regulation provides for the controller's obligation to demonstrate compliance. The controller is responsible for compliance and must be able to demonstrate that it has fulfilled its obligation to limit the retention of personal data under Article 5(1)(e) of the General Data Protection Regulation. The Court of Justice of the European Union has held in its case law that the controller must be able to demonstrate that it complies with the principles relating to the processing of personal data established in Article 5(1) of the General Data Protection Regulation, and that the controller bears the burden of proving that Article 5(1) has been complied with. The controller is also obliged to implement the necessary technical and organizational measures to ensure, and to be able to demonstrate, that processing complies with the General Data Protection Regulation.

29. The controller could not have been unaware that the procedure it adopted means that the controller itself does not limit the storage of personal data. In other words, the controller has not specified a retention period for personal data, as stated in the Data Protection Commissioner's decision.

30. In addition, the Sanctions Board notes that this is not a case in which the identified violation occurred even though the controller had acted carefully.

31. The Sanctions Board finds that there is no justification in this case for considering that the controller's actions fail to meet the requirement of Article 83(2)(b) of the General Data Protection Regulation, according to which the procedure must be intentional or negligent.

Assessment of aggravating and mitigating factors

Actions taken by the controller to mitigate the damage caused to the data subject

32. In the guidelines of the European Data Protection Board and the Data Protection Working Group on the imposition of administrative fines, it has been stated that the party responsible for the breach should do everything possible to mitigate the consequences of the violation for the persons concerned. The supervisory authority may take into account such responsible conduct, or the absence of it.

33. In assessing the damage caused to data subjects, the Supreme Court's decision KKO:1998:85 must be taken into account. That decision emphasized the right of informational self-determination and stated that the wording of the personal data file offence referred to in Section 43 of the since-repealed Personal Data File Act (471/1987) showed that knowingly violating the protection of privacy, as conduct contrary to self-determination, constituted the causing of damage or inconvenience required by law. This is still true: a mere breach of privacy amounts to causing harm or inconvenience.

34. Actual economic or other material damage is not a precondition, although the occurrence of such damage is taken into account in accordance with Article 83(2)(a) of the General Data Protection Regulation when imposing an administrative fine and deciding on its amount.

35. The Sanctions Board considers that the controller has not taken appropriate measures to mitigate, repair or prevent future damage to data subjects. The controller's intention to introduce a procedure for deleting inactive customer accounts, under which data is deleted once more than six years have passed since the last login to the customer account, cannot be regarded as a sufficient and appropriate measure in this sense. For example, the proposed measure is not of such a nature that it would limit the storage of personal data appropriately, or adequately address the fact that the determination of the retention period is largely left to the actions of the individual data subject. By leaving the retention period undefined, the controller also makes it difficult for the data subject to assess the actual risk arising from the processing of personal data. The Sanctions Board considers that there are no mitigating factors in this regard.

Degree of responsibility, taking into account the technical and organizational measures taken by the data controller pursuant to Articles 25 and 32

36. In the case at hand, the controller has systematically violated Articles 5(1)(c) and 25(2) of the General Data Protection Regulation. The technical and organizational measures implemented by the controller cannot be considered sufficient in these respects. The case reflects a general inadequacy of the controller's practices in relation to what the General Data Protection Regulation lays down, and there are no mitigating circumstances in this respect.

Previous similar violations and measures previously imposed on the same issue

37. The Office of the Data Protection Commissioner is not aware of any previous violations of data protection regulations by the controller. The controller has not previously been subject to the measures referred to in Article 58(2) of the General Data Protection Regulation. The Sanctions Board does not regard this as either a mitigating or an aggravating factor in the assessment of the administrative fine.

The degree of cooperation with the supervisory authority and the manner in which the breach came to the supervisory authority's attention

38. In the aforementioned guidelines of the European Data Protection Board and the Data Protection Working Group on the imposition of administrative fines, it has been stated that the degree of cooperation may be given due regard when deciding on the imposition of an administrative fine and its amount. When evaluating cooperation with the supervisory authority, weight could be given to whether the controller has responded to the supervisory authority's requests during the investigation in such a way that it has significantly limited the risk to the rights of individuals. However, according to the guidelines, it would not be appropriate to give weight to cooperation that is already required by legislation.

39. It must be stated that, as stipulated in Article 31 of the General Data Protection Regulation, the data controller must, upon request, cooperate with the supervisory authority in order to perform its tasks. Pursuant to Article 58(1) of the General Data Protection Regulation and Section 18 of the Data Protection Act, the controller is also obliged to submit the requested information to the supervisory authority.

40. In evaluating the case, as stated above, it is not appropriate to give weight to cooperation already required by legislation. Fulfilling an obligation laid down in law cannot be regarded as a mitigating factor in the case.

41. Information about the violation has come to the supervisory authority through a complaint. There are no extenuating circumstances in this regard.

Any other aggravating or mitigating factors applicable to the case

42. In the above-mentioned guidelines of the European Data Protection Board and the Data Protection Working Group on the imposition of administrative fines, it has been stated that other aggravating or mitigating factors applicable to the case may include, for example, the benefit or financial advantage obtained from the violation.

43. In the hearing response given on 21 December 2023, the controller states that the retention periods and the criteria for determining them have been considered carefully, taking into account the business model.

44. In itself, it is clear that the collection and storage of personal data can benefit the controller's business. In this case, however, no circumstances have come to light on the basis of which the Sanctions Board should attach weight, as an aggravating circumstance, to any financial advantage obtained by the controller in its business.

45. The Sanctions Board considers that no other aggravating or mitigating factors applicable to the case can be demonstrated either.