Norwegian Privacy Regulator Fines Elkjøp €1.7 Million Over Customer Club Data Practices

Key Takeaways
  • €1.7 Million Fine Issued: Norway's data protection authority fined Elkjøp €1.7 million (NOK 20 million) for GDPR violations linked to its customer club.
  • Consent Found Invalid: Regulators concluded that Elkjøp failed to obtain valid consent despite relying on consent as the primary legal basis for processing customer data.
  • Multiple Compliance Deficiencies Identified: The investigation found shortcomings involving purpose limitation assessments, legitimate-interest evaluations, and responses to customer rights requests.
  • More Than Six Million Members Affected: The violations impacted customer club members throughout the Nordic region, increasing the significance of the enforcement action.
  • Loyalty Programs Face Increased Scrutiny: The decision highlights regulatory expectations around informed, voluntary, and specific consent, as well as the sharing of customer data with third parties.
Deep Dive

Norway's data protection authority has imposed a €1.7 million (NOK 20 million) administrative fine on Elkjøp after finding multiple violations of the General Data Protection Regulation (GDPR) related to the retailer's customer club, a program used by millions of consumers across the Nordic region.

The decision follows an investigation launched after the regulator received data breach notifications, complaints, and tips concerning the company's handling of customer information. Inspectors conducted an audit of Elkjøp Nordic AS and Elkjøp Norge AS in June 2022, focusing on the collection and use of personal data within the customer club.

According to the Norwegian Data Protection Authority, Elkjøp stated during the inspection that the primary purpose of the customer club was the marketing of products and services and that consent served as the legal basis for processing customer data. The regulator ultimately concluded that the company had failed to obtain valid consent and identified several additional compliance deficiencies.

Among the violations cited were failures to secure legally valid consent for processing personal data within the customer club, insufficient assessments when using personal information for new purposes, inadequate evaluations of legitimate interest as a legal basis for processing, and delays in responding to customer rights requests within the timeframes required under GDPR.

The authority emphasized that while the individual violations were not among the most severe privacy breaches it encounters, the scale of the program significantly increased their impact. More than six million customer club members across the Nordic countries were affected by the practices under review.

That scale played a central role in the regulator's decision to impose a financial penalty. The authority noted that the amount was calculated with reference to the turnover of the broader corporate group to which Elkjøp belongs. The regulator said that, although substantial in absolute terms, the fine remains relatively modest when measured against the group's overall revenue.

The case was handled as a cross-border GDPR proceeding. Supervisory authorities in Sweden, Denmark, Finland, and Iceland participated as concerned authorities and were given an opportunity to provide input before the final decision was adopted through the GDPR's cooperation and consistency mechanism. Elkjøp may challenge the decision before the Oslo District Court.

Lessons for Loyalty Programs

Beyond the enforcement action itself, the regulator used the case to highlight broader concerns surrounding customer clubs and loyalty programs, which have become increasingly common across the retail sector. The authority warned that businesses should be cautious about offering general discounts in exchange for enrollment in customer programs if participation effectively requires customers to agree to personal data processing they may not fully understand or expect.

Many retailers seek to use customer information to personalize marketing campaigns, analyze purchasing behavior, or share data with advertising and analytics partners. While these activities may be permissible, the regulator stressed that organizations must establish a valid legal basis before processing begins and clearly explain those activities to customers.

The decision outlines several principles that businesses should consider when relying on consent. First, consent must be informed. Customers must receive sufficient information about how their personal data will be used before consent is obtained, enabling them to understand the consequences of their decision. The authority noted that relying solely on verbal explanations at checkout can make it difficult to satisfy this requirement because the information provided may vary between employees.

Second, consent must be voluntary. Customers must have a genuine choice regarding whether their information is processed and must not suffer disadvantages or lose access to core services if they decline.

Third, consent must be specific. Businesses must clearly identify each purpose for which personal data will be used. General references to "marketing" are unlikely to be sufficient where multiple processing activities are involved. For example, direct marketing communications and profiling for personalized advertising may require separate consent choices.

The authority also emphasized that sharing customer data with third parties, including social media platforms and analytics providers, is not automatically covered by an existing consent mechanism. Such disclosures often constitute separate processing purposes that require independent assessment and clear communication to customers.
