In a resolution dated 24 March 2022, the Conference of German Supervisory Authorities in Data Protection (Datenschutzkonferenz – “DSK”) provided guidance for data protection-compliant online trading of goods and services. The key message is that online customers must be given the option of guest access for their orders. According to the DSK, online traders (controllers) therefore must enable online purchasing without customers having to create an account.
The DSK recalled that the principle of data minimization also applies in online trading. Customers must be free to decide in each case whether they want to enter their data for each order and thus be treated as a temporary guest, or whether they are willing to enter into a permanent business relationship that is linked to an ongoing customer account.
The DSK is of the opinion that without guest access or an equivalent ordering option, consent would not be given voluntarily. An ordering option can be considered equivalent if it does not entail disadvantages for the customer. The effort required to order and access this option must be equivalent to that of a customer account.
The DSK further pointed out that a customer account allows online traders to evaluate the contract history for advertising purposes as well as to store information about means of payment. Such processing would require informed consent.
According to the DSK, there may nevertheless be special circumstances that justify the setting up of a customer account as necessary for the performance of a contract, e.g. for specialist retailers regarding certain professional groups. But even then, the principle of data minimization must be observed, e.g. by automatically deleting the customer account after a short period of inactivity.