Ellos Group AB – Complaint Upheld (Sweden, 2022)

Complaint Upheld
Integritetsskyddsmyndigheten, 29 March 2022, Sweden (final)

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Ellos Group AB's system automatically merged customer accounts if they shared the same personal data, leading to privacy issues. Some customers lost access to their accounts, while others could see private information like purchase history. The Swedish data protection authority found this violated GDPR's security requirements.

What happened

Ellos Group AB merged customer accounts without ensuring the data belonged to the same person, causing privacy breaches.

Who was affected

Customers of Ellos Group AB who had their accounts merged and personal data exposed to others.

What the authority found

The Swedish authority found that Ellos Group AB failed to secure personal data properly, violating GDPR's security requirements.

Why this matters

This case highlights the importance of ensuring data security when merging customer accounts. Businesses should verify data ownership before linking accounts to prevent unauthorized access.

GDPR Articles Cited

Art. 5(1)(f) GDPR
Art. 32(1) GDPR
Art. 58(2)(b) GDPR
Full Legal Summary

The controller was an e-commerce website which had a practice of "merging" customer profiles when two or more accounts were created using the same personal data. The aim of this process was to limit the processing of personal data. However, the controller seemingly did not ensure that the data provided actually belonged to the same customer. The merging system would automatically link accounts, which resulted in some customers losing access to their original account and others gaining access to personal data of third parties, such as their purchase history.

A data subject who was no longer able to use their original account due to a "merging" process filed a complaint with the Norwegian DPA, which transferred the complaint to the Swedish DPA. The latter was the lead supervisory authority in this decision pursuant to Article 56 GDPR. The concerned supervisory authorities were located in Norway, Denmark and Finland.

The DPA held that any processing of personal data must comply with the principles in Article 5 GDPR. One of these principles is the requirement of security under Article 5(1)(f) GDPR ('integrity and confidentiality'). Article 32 GDPR regulates the security of processing. The DPA determined that the controller violated Article 32(1) GDPR by failing to take appropriate measures to ensure an appropriate level of security for the "merge process".

The DPA determined that, after supervision started on 21 May 2021, the controller had taken steps to ensure that the purchase history was no longer available upon activation of the "merge customer process" and intended to take security measures. The DPA determined that there were no reasons to doubt the use of the "merge customer" process, given its purpose of limiting processing, after the mentioned improvements had been made by the controller. However, the DPA found that the "merge process" (prior to the start of supervision by the DPA on 21 May 2021) was designed so that a customer's purchase and return history coul
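The design point in "Why this matters" and in the summary above (matching personal data is not proof that two accounts belong to the same person) can be made concrete in code. The following is an added illustration written for this page, not the controller's code or a reconstruction of its actual system: a weak merge keyed only on a shared e-mail address beside a hardened merge that refuses to link accounts unless the authenticated requester has proven control of both. The `Account` class, the sample accounts and the `proven_control` set are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: str
    email: str
    purchase_history: list = field(default_factory=list)

def make_sample_accounts():
    """Constructed sample data: a long-standing customer account and a newer
    account registered with the same e-mail address by an unknown party."""
    existing = Account("acct-1", "alice@example.com", ["order-101", "order-102"])
    newcomer = Account("acct-2", "alice@example.com", [])
    return existing, newcomer

def merge_by_shared_data(existing, newcomer):
    """Weak merge, a simplified illustration of the flaw pattern described in the
    decision (not the controller's code). Matching personal data alone triggers
    the link: the newer account absorbs the older one's purchase history and the
    older account is retired, so its holder loses access while whoever registered
    the newer account gains someone else's order history."""
    if existing.email != newcomer.email:
        return existing, newcomer
    newcomer.purchase_history = existing.purchase_history + newcomer.purchase_history
    existing.purchase_history = []        # retired account
    return None, newcomer                 # None: original holder is locked out

def merge_with_ownership_check(existing, newcomer, proven_control):
    """Hardened merge: matching data is treated as a hint, never as identity.
    proven_control is the set of account ids the currently authenticated user has
    demonstrated control of (e.g. logged into each with its own credentials).
    Without proof for both accounts nothing is linked and no history moves;
    the merge fails closed instead of exposing a third party's data."""
    if existing.email != newcomer.email:
        return existing, newcomer, "no match"
    if not {existing.account_id, newcomer.account_id} <= set(proven_control):
        return existing, newcomer, "refused: ownership not proven for both accounts"
    # Both accounts proven to belong to the requester: fold the newer one into
    # the established account so the original holder keeps their access.
    existing.purchase_history += newcomer.purchase_history
    return existing, None, "merged into verified account"
```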

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Related Enforcement Actions (0)

No other enforcement actions found for Ellos Group AB in SE

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

29 March 2022

Authority

Integritetsskyddsmyndigheten

GDPRhub ID

gdprhub-5393

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Ellos Group AB - Sweden (2022). Retrieved from cookiefines.eu
