Finnish DPA Fines Online Retailer €856K Over Indefinite Data Storage
Finland's data protection authority has imposed an €856,000 fine on e-commerce company Verkkokauppa.com for violating the GDPR by failing to define retention periods for customer account data and requiring users to register accounts to make online purchases.
In a decision issued on March 6th, the Finnish Data Protection Ombudsman found that Verkkokauppa.com had been storing personal data from customer accounts indefinitely without specifying any deletion timeframe.
The online retailer claimed customers themselves determined the data storage period since they could request account closures and data erasure. However, the DPA ruled this practice did not comply with GDPR requirements for controllers to explicitly define appropriate retention periods.
The investigation found that, because no concrete storage limits had been set, purchase details and other account information were being retained for excessively long periods after transactions.
Beyond the data retention violation, the DPA also took issue with Verkkokauppa.com's policy of mandatory customer account creation for all online purchases, declaring it an infringement of data protection laws.
"Creating a customer account or storing personal data resulting from this cannot be required simply for making individual online purchases," the DPA stated in its decision.
Along with the €856,000 administrative fine, the watchdog ordered Verkkokauppa.com to remedy the violations by specifying proper data retention periods aligned with GDPR principles, as well as ending forced account registration for e-commerce purchases.
The DPA justified the high fine amount based on factors such as Verkkokauppa.com's annual turnover. It cited a recent precedent where Finland's Supreme Administrative Court upheld a similar GDPR penalty over unlimited data storage.
Verkkokauppa.com has announced plans to appeal the decision to Finland's Administrative Court. The case exemplifies heightened scrutiny by European regulators over e-commerce data practices, particularly regarding retailers' retention and account registration policies.
It also underscores the GDPR's strict data minimization and storage limitation requirements that prohibit open-ended or indefinite personal data retention without establishing and enforcing concrete deletion periods.