In accordance with Art. 5 (1) lit. c) of the General Data Protection Regulation (GDPR), the principle of data minimisation applies. Against this background, only the data required for the digital processing of a transaction may be collected. A German court, the Hamburg Regional Court (LG), has now ruled that the provision of a guest account by an online retailer in Germany is not mandatory under certain conditions. It also clarified questions regarding the use of customer data (judgment of 22 February 2024, Ref.: 327 O 250/22).
Starting point of the procedure
The subject of the judgment was a lawsuit against an online mail order company and online marketplace. Registration or a customer account is required in order to place orders. In addition, the operator of the online shop reserves the right to use customer data for advertising purposes.
The plaintiff objected to both points.
Is a customer account required for online shops?
Firstly, the plaintiff complained that it was only possible to place an order with prior registration. It referred to the resolution of the German Data Protection Conference (DSK) of 24 March 2022, according to which online shops should at least offer consumers the option of guest access for orders.
The LG Hamburg stated that although this decision can be taken into account, it is not binding for the court. It is possible to deviate from the DSK decision and accept an exception to the principle formulated therein if there are special circumstances in individual cases.
Pursuant to Art. 6 (1) lit. b) GDPR, data collection is generally permitted if the personal data is necessary for the proper fulfilment of the transaction. This is the case if the online marketplace is available to a large number of retailers and the creation of a customer account makes the necessary communication possible and ensures that guarantee, warranty and return rights can be exercised. The aim of this data collection is to significantly reduce the time and resources required for all parties involved (both buyers and sellers).
A special circumstance may also exist if the processing of personal data hardly differs between an order with and an order without a customer account. In the present case, the only difference between guest access and a customer account would be an additional password, which is why the online retailer is not obliged to offer separate guest access. The intensity of the interference for customers can therefore be assessed as rather low compared to the associated effort for all participants.
What may customer data be used for?
Secondly, the plaintiff criticised the fact that there was no legal basis for the use of customer data for advertising purposes in accordance with Art. 6 GDPR. It had not given its consent to the processing of customer information for advertising and marketing purposes. Such use of the data is inadmissible until the data subjects have given their express consent.
However, the court did not see any violation of the GDPR requirements here either. The defendant’s actions were certainly justified on the basis of a legitimate interest in accordance with Art. 6 (1) lit. f) GDPR. Accordingly, data processing is lawful if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
According to recital 47 GDPR, such a legitimate interest of the company can be assumed when it comes to data processing for the purpose of direct advertising. However, the data subject must have the opportunity to object to this type of advertising at the time of initial collection and at any time thereafter.
Furthermore, recital 47 GDPR states that data processing is also authorised if the personal data is collected by the company in order to take preventive action, for example to prevent fraud or identity theft in good time.
In the present case, the collection of data is therefore necessary both for the purpose of direct advertising and for fraud prevention and therefore does not violate the rights of the plaintiff.
Data protection assessment
The DSK’s resolution (in German) essentially contains four principles:
- The principle is that online retailers should offer their customers a guest account for orders. This principle is based on the aforementioned standard of data minimisation.
- The creation of a customer account can only be regarded as voluntary consent if guest access is also offered.
- Data processing for the purpose of advertising and the storage of information regarding the means of payment for the purpose of a new, simplified transaction require the consent of the data subject.
- Online retailers must fulfil their information obligations when collecting data.
However, it seems questionable to what extent a possible obligation of online retailers to comply with the first three principles interferes with entrepreneurial freedom if they are prohibited from requiring mandatory registration for their online trade. Ultimately, this could be seen as an infringement of freedom of contract.
As already stated by the LG Hamburg, an executive decision is not binding for the courts. For companies, however, resolutions such as that of the DSK represent a meaningful request or recommendation for action. Last but not least, the data protection supervisory authorities impose fines on companies that (in their view) violate GDPR requirements.
Conclusion
The Regional Court of Hamburg ruled that online retailers can waive guest access under certain conditions. In the specific case, the effective functioning of the defendant’s broad online marketplace could be impaired by the provision of a guest account. Without registration via a customer account, the desired communication between buyer and seller(s) would not be guaranteed. Buyers would have to provide personal data in order to be identified if they had questions about their orders – a procedure that could be disadvantageous for data protection reasons. In contrast, a customer account enables this interaction without data protection concerns.
In this case, a guest account can therefore be dispensed with and a customer account requested.
However, it should be noted that the court did not further describe or define the term “special circumstances” in its judgment, so it remains questionable under which other circumstances a guest account can be dispensed with. It therefore remains necessary for companies to continue to check whether it is possible to provide a guest account.
In addition, there may also be an overriding legitimate interest of the company for the purpose of direct advertising within the meaning of Art. 6 (1) lit. f) GDPR in accordance with recital 47 of the GDPR if data subjects are given the opportunity to object to the use at the same time.