Following an extensive investigation, the Federal Data Protection and Information Commissioner (FDPIC) came to the conclusion that Digitec Galaxus AG violates the principles of data protection, transparency and proportionality when processing customer data. The background and our assessment can be found in the following article.
I. Initial situation
In March 2020, a data subject drew the FDPIC’s attention to the fact that customers of Digitec Galaxus AG could only consent to all data processing as a whole as part of the ordering process. In particular, Digitec Galaxus AG’s privacy policy states that personal data is collected in order to record and evaluate purchasing behaviour in an individualised and personalised form. The personal data collected is also linked to personal data from past orders placed with the online shop, with other Migros Group companies, or to publicly accessible personal data.
In the opinion of the FDPIC, this indicates the creation of personality profiles of customers. The privacy policy further stated that the personal data is passed on to other companies in the Migros Group.
Digitec Galaxus AG informed a customer who wanted to object to her address and credit card data being passed on that its privacy policy applies equally to all customers without exception and that it could not offer individual data protection settings.
After becoming aware of these circumstances, the FDPIC carried out a comprehensive investigation and issued a recommendation.
II. Recommendations of the FDPIC
a. Detailed privacy policy
The FDPIC requires Digitec Galaxus AG to amend its privacy policy (DATA PROTECTION DECLARATION) to provide clear information about data processing. It should be clear to customers which data is processed for which purpose. In addition, customers should also be clearly informed about the web analysis tools used.
b. No declarations “in advance”
The FDPIC also recommends that the DATA PROTECTION DECLARATION should only describe processing of personal data that is actually carried out. In order to increase transparency vis-à-vis customers, the DATA PROTECTION DECLARATION should not authorise data processing “in advance” for possible future use. This also follows from the principle of purpose limitation, which is prescribed in Art. 6 para. 3 FADP.
c. Customer account
In addition to the recommendations already mentioned, the FDPIC also came to the conclusion that customers should be able to order as guests and should not be required to open a customer account. Until now, Digitec Galaxus AG has made ordering conditional on opening an account and thereby on the associated data processing. In the opinion of the FDPIC, this is not proportionate and violates the principle in Art. 6 para. 2 FADP as well as the informational self-determination of customers. Digitec Galaxus AG’s main argument is that returns could otherwise not be processed. Digitec Galaxus AG is expected to submit proposals to the FDPIC in due course on how to restore a lawful situation.
It is undisputed that a customer record is necessary in the internal IT system. However, this does not mean that the customer data must also be presented to the customer on the front end in the form of a customer account. It is understandable that this means more effort for the e-commerce operator, but in the interest of customer friendliness it should be manageable.
As soon as Digitec Galaxus AG has submitted its proposed changes to the FDPIC, it will be examined whether, and to what extent, action will be taken against any processing covered by recommendations that have not been implemented in a lawful manner.
III. Statement by Digitec Galaxus AG
In a company news item, Digitec Galaxus AG responds to the FDPIC’s findings and recommendations. Even though the company clearly states that it disagrees with the findings, it still intends to comply with the recommendations.
In response to the recommendation to expand the data protection declaration and provide clear information about the data processing and its purposes, Digitec Galaxus AG replied that a new DATA PROTECTION DECLARATION had been introduced during the ongoing proceedings and that this recommendation had therefore already been anticipated.
Looking at Digitec Galaxus’ current privacy policy, we believe that this is not yet sufficiently the case. It remains to be seen how the FDPIC will assess this. In our opinion, a detailed privacy policy is necessary so that customers can exercise their rights. If declarations are made “en bloc”, the customer can hardly identify how to set the cookies so that certain analysis data is not passed on to the analysis provider, or whether, given the “sharing frenzy” of data, he would be better off switching to another provider.
With regard to the requested extension of the privacy policy, Digitec Galaxus AG claims that the FDPIC’s recommendations on transparency go too far and thus clearly exceed the legal requirements. It does not consider a longer and more comprehensive DATA PROTECTION DECLARATION to be in the interests of its customers.
In our opinion, this is also a question of how a privacy policy is designed. It is important that customers are guided and can find the information they are looking for. Misleading information is out of place and suggests that data protection is not practised.
It is often tempting to include in a privacy policy processing that may take place in the future, or purposes for which data might be used at some point. However, this would undermine the principle of purpose limitation.
With regard to informational self-determination, Digitec Galaxus AG does not consider the guest purchase option to be expedient: on the one hand, it makes the fulfilment of services such as returns and warranty cases more cumbersome; on the other hand, personalisation and suitable offers are found less quickly in the shop with a guest account, which would make the shopping experience less efficient. Digitec Galaxus also puts forward the argument of international competition, pointing out that a customer account must also be opened with competitors such as Amazon or Aliexpress, so that the FDPIC’s recommendations would put it at a disadvantage relative to them. The guest purchase recommendation is further criticised as being too vague and as being mentioned only as an alternative.
IV. Our assessment
In principle, we consider the FDPIC’s recommendations to be justified and expedient in order to comply with the principles of personal data processing set out in the Swiss Data Protection Act. Even if the recommendations listed are rather comprehensive, they offer customers the desired transparency about the processing and its purposes.
A short “one-pager” privacy policy was perhaps still permissible under the old law. Today, however, this is outdated and is no longer considered customer-friendly. In our opinion, a comprehensive and well-structured privacy policy is more effective and more transparent for customers.
It should also be noted that compliance with the FDPIC’s requirements of transparency and purpose limitation with regard to the privacy policy is also in line with the European standard and the GDPR. The only exception is the ban on mandatory customer accounts, which is also controversial, particularly in Germany. Only in the case of continuing obligations does German law already require a cancellation option.