Verkkokauppa.com Oyj – €856,000 Fine (Finland, 2024)

The Finnish DPA was notified that the controller (Verkkokauppa.com Oyj, an IT retailer) required customers to create a customer account in order to make online purchases, even for one-time purchases. The DPA then asked the controller to explain why it required the creation of a customer account, for what purposes and for how long it stored the personal data of its customers. Regarding the purpose of the creation of a customer account, the controller clarified that the processing of customers' personal data was necessary for the provision of services and for the performance of the contract with the customer. The controller argued that it was able to reliably identify the data subject, demonstrate its accountability and facilitate the exercise of data subject rights through the customer account. The controller explained that it sells long-lasting devices that may have very long warranty and defect liability periods. Therefore, it was in the customers' interest to have access to information and receipts regarding their online purchases through the customer account throughout the customer relationship. The controller emphasised that if it allowed its customers to make online purchases without a customer account, it would have to process and store the personal data required for the placing and delivery of the order on an order-by-order basis, which would not be appropriate from a data security perspective and would not be in line with the principle of data minimisation. Regarding the data retention periods, the controller stated that the contractual relationship was for an indefinite period, the duration of which was determined by the customer. Thus, the controller stored personal data until the customer account was deleted at the request of the data subject. The controller claimed that it was not in a position to assess on behalf of the customer how long the customer relationship should last. On the basis of the information provided by the controller, the DPA conside