Indefinite storage of customer data can lead to GDPR fines

The online retailer had come to the authority’s attention after a customer complaint.

The amount of the fine relates to the turnover of the business.

Verkkokauppa.com had not specified the storage period of the data collected for the customer accounts of its online shop. Thus, Anu Talus, the Finnish data protection ombudsman, found that customer accounts data had been stored indefinitely, unless the customers requested their data to be deleted.

Also, Verkkokauppa's practice of requiring customers to create an account to make online purchases violated data protection law, especially the EU's General Data Protection Regulation (GDPR). According to Talus, customers must have the option to check out from online shops as "guests", leaving only the minimum of personal data that is necessary for payment and delivery.

"Large GDPR fines have tended to flow from security incidents and cyber attacks that have led to personal data being compromised and made available on the dark web," Malcolm Dowden, a data protection expert at Pinsent Masons, said. "Examples include the £20 million imposed by the ICO on British Airways in 2020 and the £4.4 million imposed on Interserve in 2022. However, data protection authorities also have power to impose substantial fines when the routine practices of a business involve violation of data protection laws."

According to Dowden, the online retailer had failed to specify the storage period for personal data provided by customers when making a purchase.

In addition to the fine, the Data Protection Ombudsman ordered Verkkokauppa.com to specify an appropriate storage period for customer account information and rectify its practice of mandatory registration.

Nicola Barden of Pinsent Masons said: "The fine demonstrates why it is important for controllers to consider data protection laws throughout their customer journey and beyond. Indefinite storage of personal data will comply with data protection laws in very limited circumstances. It also creates additional risk for controllers if a data breach was to occur, and makes responding to data subject rights requests more challenging."

Verkkokauppa.com is a Finnish online retail founded in 1992. It sells information technology, consumer electronics, household appliances and a wide range of other products. According to its Head of Investor Relations Marja Mäkinen, the website attracts over 80 million visits annually. Verkkokauppa has also four physical stores located in Helsinki, Pirkkala, Raisio and Oulu.

The company said that it would appeal the decision in the Administrative Court.