02.05.2022

Guidance from the Conference of Independent Data Protection Authorities of the Federal Government and the States

In its guidance of March 24, 2022, the Conference of Data Protection Authorities stated that controllers offering goods or services in online commerce must generally provide their customers with a guest account, i.e. an account used only for placing an order, regardless of whether they also offer them an ongoing customer account.

This means that it must be possible for customers to conclude an online transaction without creating an ongoing account.

According to Art. 6 (1) 1 b) GDPR, only processing of personal data that is necessary for the performance of the individual contract is permitted. In the case of a first-time order, the controller cannot per se assume that it may retain customer data for possible but unknowable future transactions. A corresponding conscious declaration of intent by the customer is required to set up a continuous customer account.

For customers who, on the other hand, do not wish to enter into a permanent business relationship with the controller, or who reject the processing of data not required for the transaction, guest access must as a rule be provided. Through this guest access, the controller may collect only the personal data and information of the customers required for the performance of the contract and for the fulfillment of legal obligations.

Furthermore, personal data that is no longer required after the contract has been fulfilled must be deleted immediately in accordance with Art. 17 (1) a) GDPR. If the personal data is thereafter processed only within the scope of retention obligations imposed by special law (e.g. commercial or tax law), the controller must take technical and organizational measures to separate this data from the data in active operational use.

Author: Thomas Hertl