We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. View our Cookies Policy. Click Accept and continue to use our website or Manage to review and update your preferences.


Search
Online purchase ‘guest’ check-out a legal right
27 Jun 2024 / data law Print

Online purchase ‘guest’ check-out is a legal right

The data-protection authority in Finland recently imposed a fine of €856,000 on online retailer Verkkokauppa.com for storing customer data for an unlimited time period and forcing customers to create an account for purchasing items online.

A Pinsent Masons briefing note on the case points out that Verkkokauppa.com had not specified the storage period of the data collected for the customer accounts of its online shop.

Anu Talus, the Finnish data-protection ombudsman, found that customer accounts data had been stored indefinitely, unless the customers requested their data to be deleted

The case had come to the authority’s attention after a customer complaint.

The amount of the fine relates to the turnover of the business.

Create account

Verkkokauppa's practice of requiring customers to create an account to make online purchases violated data-protection law, especially the EU's General Data Protection Regulation (GDPR), the regulator found.

According to Talus, customers must have the option to check out from online shops as ‘guests’, leaving only the minimum of personal data that is necessary for payment and delivery.

"Large GDPR fines have tended to flow from security incidents and cyber-attacks that have led to personal data being compromised and made available on the dark web," Malcolm Dowden, a data-protection expert at Pinsent Masons, said.

"Examples include the £20 million imposed by the ICO on British Airways in 2020 and the £4.4 million imposed on Interserve in 2022. However, data-protection authorities also have power to impose substantial fines when the routine practices of a business involve violation of data-protection laws."

The Data Protection Ombudsman also ordered Verkkokauppa.com to specify an appropriate storage period for customer-account information and rectify its practice of mandatory registration.

Indefinite storage

Nicola Barden of Pinsent Masons said: "The fine demonstrates why it is important for controllers to consider data-protection laws throughout their customer journey and beyond.

“Indefinite storage of personal data will comply with data-protection laws in very limited circumstances. It also creates additional risk for controllers if a data breach was to occur, and makes responding to data-subject rights requests more challenging."

Verkkokauppa.com is a Finnish online retailer founded in 1992. It sells information technology, consumer electronics and household appliances, and gets over 80 million visits annually.

The company is planning to appeal the decision.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland

Content related to data law

data law
Online-safety watchdogs aim for ‘coherence’

Sharing of data and co-ordination on questions

data law
data law
DPC prosecutes two for unsolicited marketing

Watchdog warns firms on campaigns and consent
data law
data law
Handling ‘Willie Wonka’ serial data requesters

Data law has become pro-plaintiff, UCD seminar hears
data law
data law
Online purchase ‘guest’ check-out is a legal right

Finnish firm faces massive data-retention fine
data law