Kesko Oyj – Violation Found (Finland, 2023)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The Finnish DPA found that Kesko Oyj kept customer purchase data linked to its loyalty program for too long, potentially even for decades. This matters because purchase data stored for such long periods can reveal sensitive information about customers' lives, and keeping it that long is against privacy rules.
What happened
Kesko Oyj stored customer purchase data linked to its loyalty program for potentially very long periods.
Who was affected
Customers participating in Kesko Oyj's loyalty program, whose purchase data was stored.
What the authority found
The Finnish DPA decided that Kesko Oyj's practice of tying data storage to the customer relationship duration led to excessive retention of personal data, violating GDPR rules.
Why this matters
This case highlights the importance of setting reasonable data retention periods to protect customer privacy. Businesses should ensure their data storage practices do not keep personal information longer than necessary.
GDPR Articles Cited
The Finnish DPA had asked the controller (Kesko Oyj, Finland's largest retail chain) to explain how it processed and stored personal data in connection with its loyalty program. In response to the request, the controller clarified that it processed basic customer information, such as the person's name and contact information, and purchasing behaviour data. Purchasing behaviour data indicates customers' detailed and product-specific purchase data. Depending on the situation, the information related to the customer was erased at the end of the customer relationship or anonymised no later than 25 months after the end of the customer relationship.
The controller also stated that it processes purchase data for business development, the provision of benefits and services, and the implementation and targeting of marketing. The controller emphasised that unjustifiably prohibiting or restricting the collection and processing of data that benefits the customer would undermine data-driven innovations and product development.
The DPA stated that tying the storage period of purchase data to the duration of the customer relationship had resulted in the data being stored in a form that enables identification of the data subject for potentially very long periods, even decades. A storage period based on the duration of the customer relationship could therefore lead to very long storage of the purchase data, even for the lifetime of the data subject. Moreover, according to the DPA, some of the purchase data could be used to infer detailed information about the person's life situation, lifestyle and movements. Purchase data may also indirectly reveal personal data belonging to the special categories of personal data within the meaning of Article 9 GDPR. For example, customers had the opportunity to collect loyalty points by using certain healthcare services. The risk associated with the processing of such data increases the more extensive data is collected and the longer it is store
Outcome
Violation Found
The DPA found a violation but did not impose a fine.
This is the only recorded action for this entity in this jurisdiction.
Cite as: Cookie Fines. Kesko Oyj - Finland (2023). Retrieved from cookiefines.eu