PogoWasRight.org

Finnish SA: Administrative fine of € 856,000 for failing to define storage period of customer data

Posted on May 13, 2024 by Dissent

As seen on EDPB:

Origin of the case

The Finnish Supervisory Authority (SA) investigated the activities of the online retailer Verkkokauppa.com due to a complaint filed by a customer. The controller had required the person to register themselves as a customer before making purchases online. Shopping in the online shop was not possible without creating a customer account.

Key Findings

The controller had not specified the storage period of the data collected for the customer accounts of its online shop. The Finnish SA found that customer account data had been stored indefinitely. According to the controller, the customers themselves determined the storage period of their data, since they could request the closure of their accounts and erasure of their data if they wished. For this reason, the details of individual purchases have been stored for very long periods.

In addition, the controller’s practice of requiring the creation of a customer account to make online purchases violated data protection law. Creating a customer account or the storage of personal data resulting from this creation may not be a requirement for making individual purchases online.

Decision

The Finnish SA imposed an administrative fine of 856,000 euros on the controller for failing to define the storage period of customer account data. The controller was ordered to specify an appropriate storage period for customer account data and rectify its practice of mandatory registration. The company was also given a reprimand for practices in violation of data protection law.

For further information: 

  • Finnish SA’s press release: Administrative fine imposed on Verkkokauppa.com for failing to define storage period of customer data – requiring customers to register was also illegal


Category: Breaches, Business, Govt, Non-U.S.
