Data protection in e-commerce: guest accounts required?

Customers ordering merchandise online will typically open a customer account without thinking twice. Aside from providing a means to easily contact the retailer, customers frequently use these accounts to check the status of their order or make changes to their order. Accounts also give customers an easy way to place additional orders without having to enter all of their information again every time. Because these accounts foster customer relationships in this way, some retailers actually require customers to open an account before placing an order. But according to a recently published resolution (PDF only in German) by the Conference of Independent Federal and State Data Protection Authorities (the “Data Protection Conference,” or “DSK”), this practice violates data protection law.

The view of the Data Protection Conference

Given the legal basis for processing in this case, performance of a contract, as well as the principle of data minimization, DSK concludes in its resolution that controllers which offer goods or services online are generally required to allow customers to place orders via guest access, independently of the option of creating a registered account. The resolution notes that the processing of personal data in the form of a registered customer account, including user names and passwords, can only be based on performance of a contract if the customer actually intends to place recurring orders, which would require a deliberate statement of intent from the customer, in the form of consent. Since consent must be voluntary in accordance with the GDPR, DSK takes the view that retailers are required to offer an alternative in the form of guest accounts, through which retailers collect only the personal data which is necessary for performance of the contract and fulfillment of their legal requirements.

Is the DSK resolution unconstitutional?

DSK’s analysis, which is based solely on data protection law, has encountered substantial objections from the viewpoint of constitutional law. DSK’s resolution can be viewed as an encroachment on the constitutionally guaranteed freedom of contract, a key pillar of the right of self-determination. As an individual guarantee, the freedom of contract guarantees all individuals the right to fully arrange their own legal affairs through contracts, and also embodies a right to resist measures by the state which limit their personal right of self-determination without constitutional justification. Aside from the right to enter into contracts and the right to choose the terms of the agreement, freedom of contract also gives individuals the right to make contractual arrangements independently without regard for formal requirements, including the right to provide for formal requirements, such as the registration of a customer account.

Even if a limitation on the freedom of contract may be justified in any individual case based on considerations of data protection law, such a determination would at the very least require us to weigh all the circumstances of the case. Given DSK’s very one-sided focus on the rights of the customer, and in light of the freedom to choose an occupation and the right to establish and operate a business, it appears doubtful that such an analysis was performed. Last but not least, the right to establish and operate a business protects the company’s right to continue its previous activities undisturbed based on the operational precautions already taken and the freedom to choose an occupation in accordance with Article 12 of the German Constitution.


While DSK’s reasoning may be understandable and defensible from the viewpoint of data protection law, the resolution fails to weigh these considerations against the rights and economic interests of retailers. It would have been better if the resolution were to specify exceptions to the rule or explain the conditions under which companies may offer customer accounts exclusively. In our view, an assessment is required in each individual case in order to determine whether companies are required to provide guest accounts. In any case, DSK’s near-absolute requirement for companies to set up guest accounts represents a worrisome encroachment upon constitutionally guaranteed personal freedoms, in line with the tendency which has already been detected in the practices of certain data protection authorities with regard to product warnings. We therefore believe that a practice which deviates from DSK’s resolution would be defensible on these grounds.

