depo-diy – €17,495 Fine (Latvia, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Latvia's data protection authority fined depo-diy EUR 17,495 for forcing customers to consent to unnecessary data processing to get extra services. Customers had to provide personal details for a customer card, even when not needed. This case shows that consent must be freely given and not tied to unrelated services.
What happened
depo-diy required customers to consent to unnecessary data processing to receive additional services, violating GDPR's consent requirements.
Who was affected
Customers of depo-diy who wanted to access additional services like home delivery or accounting receipts.
What the authority found
The Latvian authority ruled that depo-diy's consent practices were not freely given and violated GDPR's principles of consent and data minimization.
Why this matters
This decision highlights that businesses cannot force customers to give consent for unrelated data processing to access services. Companies should review their consent practices to ensure they comply with GDPR.
GDPR Articles Cited
DEPO (the controller) is a do-it-yourself store based in Latvia. In order to receive the additional services (such as home delivery or an accounting receipt) customers must obtain a customer card. Without such a card, the additional service is not provided. To obtain a card, customers must consent to the processing of their personal data for a number of unrelated purposes, such as registration in the accounting system, return of the purchase price to the customer card, identification when using additional services, allocation of the card and allocation of bonuses. The personal data to be included to achieve all these purposes: name, surname, personal identification number, date of birth (for non-residents), business registration number, address and telephone number. Following several complaints from customers, the Latvian DPA started an investigation.The DPA found that customers who had not obtained a customer card - and thus consented to the processing of their personal data - could not receive the additional services. The DPA held that this did not ensure compliance with the definition of consent set out in Article 4(11) GDPR. It stated that consent cannot be considered as freely given if its withholding results in the service not being received at all. In addition, the DPA found that the controller unreasonably based processing of personal data on Article 6(1)(a) GDPR. For example, the processing of personal data related to invoices. Given that this processing does not depend on customers' will, it cannot be carried out on the basis of consent. Moreover, the DPA found that the controller violated the principle of data minimisation. For example, customers were required to provide a personal identification number in order to receive an invoice for the purchase of goods, which is not necessary for the specific service. The controller stated that the issue of a customer card is necessary to identify customers, e.g. when making a delivery. However, the DPA held that
Related Enforcement Actions (0)
No other enforcement actions found for depo-diy in LV
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. depo-diy - Latvia (2022). Retrieved from cookiefines.eu
Last updated: