A 20 million fine for a loyalty scheme

The Norwegian Data Protection Authority has imposed a fine of NOK 20 million on the electronics retailer Elkjøp for the unlawful processing of personal data. Many other businesses in the retail sector make similar mistakes. Retailers with loyalty schemes and other reward programmes should review their processing of customer data and ensure GDPR compliance. Otherwise, they risk not only administrative fines but, in the worst case, also having to delete previously collected customer data.

Consent

The use of personal data in loyalty schemes and other reward programmes is, in practice, based on consent. Many retailers have not fully grasped what is required for such consent to be valid.

The Elkjøp case makes it clear that a single consent cannot be used for different processing activities. This applies even if the overarching purpose of the activities is to promote the sale of goods or services. The requirements that consent must be freely given and specific mean, for example, that separate consents must be obtained for general marketing, profiling and personalized marketing respectively.

The requirement that consent must be freely given also means that it must be possible for the customer to opt out of, for example, profiling without thereby being excluded from the loyalty scheme’s general discounts. The same must apply if the customer chooses to exercise the right to opt out of receiving marketing via SMS or email. It is also worth noting that in the Elkjøp case, the Data Protection Authority rejected a line of defence under which the provision of personal data could be regarded as ‘payment’ for access to general discounts and benefits.

If sufficient information is not provided about how personal data is to be processed and the purpose of each individual processing activity, the consent will not be informed. The information must be provided before the customer gives consent. It is not sufficient for the customer to be given the opportunity to opt out of certain processing activities at a later stage. It is up to the trader to document what information the customer has actually received. Particularly where consent is obtained at the retailer’s checkout, it can be difficult to document exactly what information was provided.

Further use of collected data – marketing on social media

Special care must be taken if customer data is processed in additional ways that do not clearly fall within the scope of the consent obtained.

The Elkjøp case shows that this is particularly relevant where customer data is shared with third parties, typically social media and other advertising platforms, for analysis or marketing purposes. To get more out of its marketing investments, Elkjøp had shared customers’ email addresses and telephone numbers with certain advertising platforms. The Norwegian Data Protection Authority considered that such sharing was not compatible with the consents originally obtained, and that Elkjøp had no other legal basis for this processing of the customer data. Using customer data to make online marketing more effective by sharing it with third-party marketing platforms is therefore likely to require separate consents.

Children’s personal data

Children’s personal data is subject to special protection. Customers under the age of 18 must not, for example, be subject to profiling.

Even though Elkjøp’s marketing was not specifically targeted at children, the Data Protection Authority emphasized, as an aggravating factor, that Elkjøp lacked mechanisms to ensure that customers in the loyalty scheme were actually over 15 years of age.

Sensitive personal data

One issue that did not arise in the Elkjøp case, but which may be particularly relevant for businesses selling goods and services that can reveal something about a customer’s health, sexual relations or religion, is that storing or otherwise processing information about which such products a customer purchases requires that explicit consent has been obtained.