Our team has highly specialized, proven qualifications in data protection and information security. Industry-specific expertise and many years of experience guarantee our customers professional and goal-oriented support. Regular training and further education of all employees guarantee our cutting-edge performance standards. Our technical equipment is at the highest level and promotes the individual needs of work design.
For us, teamwork means above all sharing technical and legal expertise with all colleagues. This benefits our customers. Regular meetings and events are the focus of exchange and team building. Our way of working allows extensive possibilities of communication and availability to provide our services. Secure data exchange, digital meetings, 24/7 accessibility, international on-site visits and multilingual communication are all part of the package.
Dr. Michael Foth
CGEIT, CISA, CRISC, CFE, CPDSE, CEPE T
CEO
Marc Neumann
Data Protection Auditor (TÜV), CEPE T
Authorized representative | Managing Consultant
Huyen Vladi
Head of Finance & Controlling
Sophie Schille, LL.M.
Data Protection Auditor (TÜV)
Senior Consultant Data Protection
Dominika Juszczyk, LL.M.
CIPP/E (IAPP)
Legal Counsel
Zoran Popovic, Jurist
Data Protection Officer (TÜV)
Consultant Data Protection
Johann Stiegler, Dipl. Ing.
Senior Consultant Data Protection
Klaus-Dieter Rissmann
Data Protection Officer (TÜV)
Senior Consultant Data Protection
Patrick Vieregge
Data Protection Auditor (TÜV)
Senior Consultant Data Protection
Sabrina Piepenhagen, Juristin
Legal Counsel
Nora Breviescas Foth
Management Assistant
Mara Lia Schilling
Working Student
Philip Candelaria
Key Account Manager UAE
Yoshi
Maskottchen
Curious?
Join our team!
Our team has highly specialized, proven qualifications in data protection and information security. Industry-specific expertise and many years of experience guarantee our customers professional and goal-oriented support. Regular training and further education of all employees guarantee our cutting-edge performance standards. Our technical equipment is at the highest level and promotes the individual needs of work design.
For us, teamwork means above all sharing technical and legal expertise with all colleagues. This benefits our customers. Regular meetings and events are the focus of exchange and team building. Our way of working allows extensive possibilities of communication and availability to provide our services. Secure data exchange, digital meetings, 24/7 accessibility, international on-site visits and multilingual communication are all part of the package.
Dr. Michael Foth
CGEIT, CISA, CRISC, CFE, CPDSE, CEPE T
CEO
Marc Neumann
Data Protection Auditor (TÜV), CEPE T
Authorized representative | Managing Consultant
Huyen Vladi
Head of Finance & Controlling
Sophie Schille, LL.M.
Data Protection Auditor (TÜV)
Senior Consultant Data Protection
Dominika Juszczyk, LL.M.
CIPP/E (IAPP)
Legal Counsel
Zoran Popovic, Jurist
Data Protection Officer (TÜV)
Consultant Data Protection
Johann Stiegler, Dipl. Ing.
Senior Consultant Data Protection
Klaus-Dieter Rissmann
Data Protection Officer (TÜV)
Senior Consultant Data Protection
Patrick Vieregge
Data Protection Auditor (TÜV)
Senior Consultant Data Protection
Sabrina Piepenhagen, Juristin
Legal Counsel
Nora Breviescas Foth
Management Assistant
Mara Lia Schilling
Working Student
Philip Candelaria
Key Account Manager UAE
Yoshi
Maskottchen
Curious?
Join our team!
The DSK (Conference of the Independent Data Protection Authorities of the Federal Government and the States of Germany) published guidance on data minimization in online commerce in a resolution dated March 24, 2022.
The principle of data minimization pursuant to Art. 5 para. 1 lit. c GDPR states that personal data must be adequate and relevant to the purpose and limited to what is necessary in relation to the purposes of the processing.
The DSK points out that customers in online commerce should also have the option of ordering via guest access, irrespective of the provision of a customer account.
According to the DSK, with few exceptions, the creation of a permanent customer account is not necessary for the fulfillment of the contract. Accordingly, the legal basis for such a customer account can only be a consent pursuant to Art. Art. 6 para. 1 lit. a, Art. 9 para. 2 lit. a GDPR.
Pursuant to Art. 7 para. 4 GDPR in conjunction with Recital 43 consent shall not be deemed to have been given voluntarily if the performance of a contract is dependent on consent, even though such consent is not necessary for performance.
Accordingly, ordering in online commerce (fulfillment of contract) may not be made dependent on the creation of a permanent customer account (consent) and an equivalent ordering option or guest accessmust be offered.
A guest account not only dispenses with access data (user name/password), but also with the continuous storage of customer data and order history as well as other optional data in the productive store system.
The fulfillment of legal retention obligations in connection with an order should take place in a separate system (restricted) anyway.
The evaluation of the contract history for advertising purposes as well as the continued storage of the means of payment can also only take place with informed consent in the context of a permanent customer account.
The distinction between guest access and continued (permanent) customer account as well as the legal basis applicable in each case (contract fulfillment / consent) must be presented to customers in a transparent manner when the data is collected.
In addition to the information obligations pursuant to Art. 13 GDPR the consent to a permanent customer account, including the evaluation of the contract history for advertising purposes and the permanent storage of means of payment, must be given in an informed manner.
In principle, any controller offering goods or services online is affected by this decision.
Of course, there are cases in which a permanent customer account may be the subject of the contract and thus necessary for the fulfillment of the contract. However, the DSK does not cite any specific examples here.
If you offer goods or services online, we recommend the following procedure:
The full text of the decision can be found on the DSK website under this external link. Unfortunately, the document is only available in German.
In its decision of 24.03.2022, the DSK published guidance on data minimization in online commerce.
