The Norwegian Data Protection Authority (also called Datatilsynet) has opened an investigation into one of the largest consumer electronics groups in Norway, Elkjøp. The Norwegian Datatilsynet has completed an on-site inspection of Elkjøp's offices. Datatilsynet does carry out such inspections sometimes, but it is unusual.
The background for the inspection is that the Norwegian Datatilsynet has received several complaints about the handling of personal (i.e. customer) information by Elkjøp (https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/tilsyn-med-elkjop/).
Datatilsynet has publicised that, alongside more common measures (e.g., looking through privacy documents), they undertook a more significant investigation of Elkjøp. This included random searches of customer cases, as well as interviews with employees, to establish if wrongdoing had occurred and, if so, whether it was widespread.
The inspection also focused on the processing of personal data within a group that has franchisees and joint controllership arrangements, and on information security where smart products that have been used by one customer are sold on to another.
Read more on the case here: https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/tilsyn-med-elkjop/
The learning point from this? Well, we must wait to see what the conclusions from Datatilsynet will be. But it is evident that there is an increasing focus on the handling of customer data and that, if customers complain about the processing of their data, all retail businesses are at risk of an investigation by the Norwegian Datatilsynet.
The Danish Datatilsynet has also recently given a relevant decision on loyalty programmes which differs substantially from what has been the general view in Norway and other countries. The Danish Datatilsynet received a complaint stating that the consent obtained by the department store Magasin was not voluntary because Magasin "bundled" receiving newsletters with membership of a loyalty programme. If the consumer did not want a newsletter, the consumer could not be part of the loyalty programme. However, Datatilsynet found this to be acceptable, largely because the consumer was free to buy products from Magasin on ordinary terms. Read the decision here (https://www.datatilsynet.dk/afgoerelser/afgoerelser/2022/apr/indhentelse-af-samtykke-ved-indmeldelse-i-kundeklub-var-i-overensstemmelse-med-gdpr-).
This decision is important for many retail businesses, but we will wait to see if it will be upheld by data protection authorities in other jurisdictions.