Finland: Issued Finnish Supervisory Authority ruling in the investigation into Verkkokauppa retention of personal data compliance with GDPR

On 6 March 2024, the Finnish Supervisory Authority (SA) issued a decision against the online retailer Verkkokauppa, imposing an administrative fine of EUR 856'000. The fine was imposed due to the retailer's failure to define a storage period for the data collected through customer accounts on its e-commerce platform. The investigation, initiated by a customer complaint, determined that the retailer required customers to create an account to make purchases, a practice found to be in violation of data protection laws. Furthermore, the investigation found that the company allowed for the indefinite storage of customer data, as it did not specify a storage period, effectively placing the responsibility on customers to request account closure and data erasure. The SA ordered the company to rectify its mandatory registration practice and to define an appropriate data storage period.