Verkkokauppa.com Oyj – €856,000 Fine (Finland, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Verkkokauppa.com Oyj was fined €856,000 for requiring customers to create accounts to make online purchases. This matters because it highlights the importance of being clear about how long customer data is kept. Small business owners should ensure they explain their data retention policies to avoid similar penalties.
What happened
Verkkokauppa.com Oyj required customers to create a customer account to make online purchases.
Who was affected
Customers who wanted to make purchases from Verkkokauppa.com were affected.
What the authority found
The Finnish DPA found that Verkkokauppa.com did not specify how long it would keep customer account data, violating GDPR's transparency requirements.
Why this matters
This case emphasizes the need for companies to clearly communicate their data retention practices. It sets a precedent for other businesses to ensure they are transparent about how they handle customer data.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The Finnish DPA was notified that the controller (Verkkokauppa.com Oyj, an IT retailer) required customers to create a customer account in order to make online purchases, even for one-time purchases. The DPA then asked the controller to explain why it required the creation of a customer account, for what purposes and for how long it stored the personal data of its customers. Regarding the purpose of the creation of a customer account, the controller clarified that the processing of customers' personal data was necessary for the provision of services and for the performance of the contract with the customer. The controller argued that it was able to reliably identify the data subject, demonstrate its accountability and facilitate the exercise of data subject rights through the customer account. The controller explained that it sells long-lasting devices that may have very long warranty and defect liability periods. Therefore, it was in the customers' interest to have access to information and receipts regarding their online purchases through the customer account throughout the customer relationship. The controller emphasised that if it allowed its customers to make online purchases without a customer account, it would have to process and store the personal data required for the placing and delivery of the order on an order-by-order basis, which would not be appropriate from a data security perspective and would not be in line with the principle of data minimisation. Regarding the data retention periods, the controller stated that the contractual relationship was for an indefinite period, the duration of which was determined by the customer. Thus, the controller stored personal data until the customer account was deleted at the request of the data subject. The controller claimed that it was not in a position to assess on behalf of the customer how long the customer relationship should last. On the basis of the information provided by the controller, the DPA conside
Related Enforcement Actions (0)
No other enforcement actions found for Verkkokauppa.com Oyj in FI
This is the only recorded action for this entity in this jurisdiction.
Details
About this data
Cite as: Cookie Fines. Verkkokauppa.com Oyj - Finland (2024). Retrieved from cookiefines.eu
Last updated: