Finnish online retailer fined €856,000 over GDPR failures

Webshop Verkkokauppa.com was found to be storing customer account data indefinitely.

Verkkokauppa.com Oyj, a Finnish online retailer, has been fined €856,000 ($930,175) by Tietosuojavaltuutetun toimisto, the Finnish Data Protection Ombudsman, for failing to define the storage period of its customer data.

And in another violation of data protection provisions, customers had to create customer accounts to make online purchases.

Verkkokauppa.com had earlier been declared Finland’s most usable web shop by Adage in 2006, and the best webstore in 2010 by TNS Gallup. But an investigation into the company began when a customer filed a complaint after having to create an account to be able to buy products from the website.

The Office of the Data Protection Ombudsman then found Verkkokauppa.com was storing customer account data indefinitely.

Violated EU GDPR

According to the company, customers could determine how long it could store their data, and also request their accounts be closed and data erased if they wished to.

“Due to this practice, the details of individual purchases have been stored for very long times,” the Data Protection Ombudsman said. “Creating a customer account or the storage of personal data resulting from the practice may not be a requirement for making individual purchases online.”

Besides the fine, Verkkokauppa.com has also been ordered to set an appropriate timeframe within which to store customer account data, and to rectify its requirement for mandatory registration to make a purchase. It has also been given a reprimand for violating data protection provisions.

The company has announced that it will appeal the decision in the Administrative Court.