Information from the German Data Protection Commission (DSK) – Data protection compliant online commerce via guest account
The DSK (Conference of the Independent Data Protection Authorities of the Federal Government and the States of Germany) published guidance on data minimization in online commerce in a resolution dated March 24, 2022.
What is it about?
The principle of data minimization pursuant to Art. 5 para. 1 lit. c GDPR states that personal data must be adequate and relevant to the purpose and limited to what is necessary in relation to the purposes of the processing.
The DSK points out that customers in online commerce should also have the option of ordering via guest access, irrespective of the provision of a customer account.
According to the DSK, with few exceptions, the creation of a permanent customer account is not necessary for the fulfillment of the contract. Accordingly, the legal basis for such a customer account can only be a consent pursuant to Art. Art. 6 para. 1 lit. a, Art. 9 para. 2 lit. a GDPR.
Pursuant to Art. 7 para. 4 GDPR in conjunction with Recital 43 consent shall not be deemed to have been given voluntarily if the performance of a contract is dependent on consent, even though such consent is not necessary for performance.
Accordingly, ordering in online commerce (fulfillment of contract) may not be made dependent on the creation of a permanent customer account (consent) and an equivalent ordering option or guest accessmust be offered.
A guest account not only dispenses with access data (user name/password), but also with the continuous storage of customer data and order history as well as other optional data in the productive store system.
The fulfillment of legal retention obligations in connection with an order should take place in a separate system (restricted) anyway.
The evaluation of the contract history for advertising purposes as well as the continued storage of the means of payment can also only take place with informed consent in the context of a permanent customer account.
The distinction between guest access and continued (permanent) customer account as well as the legal basis applicable in each case (contract fulfillment / consent) must be presented to customers in a transparent manner when the data is collected.
In addition to the information obligations pursuant to Art. 13 GDPR the consent to a permanent customer account, including the evaluation of the contract history for advertising purposes and the permanent storage of means of payment, must be given in an informed manner.
Who does it affect?
In principle, any controller offering goods or services online is affected by this decision.
Of course, there are cases in which a permanent customer account may be the subject of the contract and thus necessary for the fulfillment of the contract. However, the DSK does not cite any specific examples here.
If you offer goods or services online, we recommend the following procedure:
Check if you already offer a guest access / guest account in addition to a permanent customer account.
If you do not yet offer guest access or alternative “one-time” ordering options, set them up.
Ensure that all personal data within the scope of the guest order is required exclusively for the fulfillment of the contract.
Ensure that all customer and order data, in particular the means of payment used, are no longer stored in the store system after the conclusion of the contractual relationship (contract fulfillment delivery/payment).
Ensure that information subject to retention (e.g. invoice, delivery bill, etc.) is stored separately from the store system.
Ensure informed consent is obtained prior to creating a permanent customer account;
Explain the difference between voluntarily creating the customer’s account based on consent and fulfilling the contract separately;
Explain the equivalence of customer account and guest access, with no effect on the conclusion of the contract.
Customize the privacy information / privacy notice in your online store.
Ensure that personal data of data subjects who withdraw their consent to a permanent customer account are no longer stored in the productive shopping system. Separate storage applies to information that must be retained anyway (see 5.).
Full text of the resolution
The full text of the decision can be found on the DSK website under this external link. Unfortunately, the document is only available in German.