Switzerland: FDPIC issues enforcement notice to Digitec Galaxus for data protection violations

On April 17, 2024, the Federal Data Protection and Information Commissioner (FDPIC) announced that it had concluded an investigation into the processing of customer data carried out by Digitec Galaxus AG and found in its report that the company violated the principles of transparency and proportionality under the Federal Act on Data Protection 2020 (FADP).

Background to the decision

The FDPIC highlighted that on March 26, 2020, an individual alerted it to the fact that customers of Digitec Galaxus had to agree to all data processing described in the data protection notice in order to place an online order. The notice outlined that the data collected to evaluate customer and purchasing behavior may be linked to personal data collected by Digitec Galaxus, third parties, or other publicly available data.

The FDPIC stated that it received several inquiries from individuals regarding the rejection by Digitec Galaxus of the objection requests submitted, and carried out several exchanges with Digitec Galaxus on the matter. Lastly, the FDPIC highlighted that Digitec Galaxus updated its data protection notice on December 2, 2021.

Findings of the FDPIC

The FDPIC found that, regarding the transparency requirement and the obligation to provide the information outlined under Articles 4(3), 4(4), and 14 of the FADP, the data protection notice of Digitec Galaxus, among other things:

  • did not include which personal data will be processed, for what purpose, and to whom it will be passed on, in particular regarding customer behavior analysis;
  • did not provide accurate and up-to-date information on which data processing is carried out; and
  • built expectations that individuals could object to certain data processing when this did not appear to be the case in practice.

Furthermore, regarding the principle of proportionality under Article 4(2) of the FADP, the FDPIC found that every individual has a right to self-determination to decide how their personal data is used. In particular, the FDPIC noted that as Digitec Galaxus couples the online ordering process with the mandatory requirement of a customer account, the personal data processing to be assessed in the context of this clarification of the facts turns out to be inadmissible because it violates the requirement of necessity, and thus violates the principle of proportionality of data processing under Article 4(2) of the FADP.

Outcomes

Based on the above information, the FDPIC issued the following recommendations to Digitec Galaxus:

  • update its data protection notice to better inform users on the data processing; and
  • align the processing related to the mandatory creation of a customer account with the principle of proportionality.

You can read the press release, available in multiple languages, here, and download the report, only available in German, here.