[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fooRRPDRJ9X3q_cF6wIippJeoQ3i_V7BJwgo4a7k3OdY":3},{"article":4,"iocs":56},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"b53d497b-e8c1-4033-a981-2908dcd5152d","Datatilsynet (Norway) - 22\u002F00049-13","datatilsynet-norway-22-00049-13-376a5e","Created page with \"{{DPAdecisionBOX |Jurisdiction=Norway |DPA-BG-Color= |DPAlogo=LogoNO.png |DPA_Abbrevation=Datatilsynet |DPA_With_Country=Datatilsynet (Norway) |Case_Number_Name=22\u002F00049-13 |ECLI= |Original_Source_Name_1=Datatilsynet |Original_Source_Link_1=https:\u002F\u002Fwww.datatilsynet.no\u002Fcontentassets\u002Fc8d0551d2a64403285e006f76170b8b6\u002Felkjop---vedtak-om-overtredelsesgebyr---kundeklubb-og-de-registrertes-rettigheter.pdf |Original_Source_Language_1=Norwegian |Original_Source_Language__Code_...\" Show changes","Norway's Datatilsynet has fined Elkjøp Nordic AS and Elkjøp Norge AS NOK 20 million (€1.83 million) for multiple GDPR violations. 
The violations include invalid consent for their customer club, unlawful use of customer match tools, insufficient assessment of offline conversion tracking, and delays in handling data subject rights requests.","Norway's Datatilsynet fines Elkjøp NOK 20 million for invalid consent and data misuse.","Datatilsynet (Norway) - 22\u002F00049-13 From GDPRhub Revision as of 08:44, 11 June 2026 Datatilsynet - 22\u002F00049-13 Authority: Datatilsynet (Norway) Jurisdiction: Norway Relevant Law: Article 4(11) GDPR Article 5(1)(a) GDPR Article 5(2) GDPR Article 6(1)(a) GDPR Article 6(1)(f) GDPR Article 6(4) GDPR Type: Investigation Outcome: Violation Found Started: Decided: 01.06.2026 Published: Fine: 20,000,000 NOK Parties: Elkjøp Nordic AS Elkjøp Norge AS National Case Number\u002FName: 22\u002F00049-13 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): Norwegian Original Source: Datatilsynet (in NO) Initial Contributor: bms The DPA fined Elkjøp NOK 20 million (€1,829,000) for invalid customer club consent, unlawful customer match use, insufficient offline conversion assessments and delayed rights requests. English Summary Facts The DPA carried out an on-site inspection at Elkjøp Nordic AS, the controller, and Elkjøp Norge AS in June 2022. The inspection concerned the controller’s processing of customer information. It followed several personal data breach notifications, complaints and tips concerning the controller’s customer club. The controller operated a customer club for marketing purposes. 
Membership was presented to customers mainly as a way to receive discounts, exclusive offers and other benefits. However, membership also involved several processing activities, including newsletters, SMS marketing, profiling, personalisation and analysis. The controller relied on consent under Article 6(1)(a) GDPR for this processing. The controller described the customer club consent as an “all or nothing” solution and as a “package”. A customer could not join the customer club without also accepting profiling, personalisation, analysis and marketing communications. The controller considered these activities to form one commercial value proposition. After joining, customers could opt out of certain marketing channels, but they were not given a granular choice before giving consent. The controller also tested the use of customer match tools. This involved matching customer email addresses and\u002For telephone numbers with identifiers held by advertising platforms. The personal data used for this tool had originally been collected in connection with the customer club. The controller relied on Article 6(1)(f) GDPR for this processing and did not carry out a compatibility assessment under Article 6(4) GDPR, as it considered the purpose to be the same as the customer club purpose. In addition, the controller used offline conversion tools to measure and estimate the effect of digital marketing on purchases made in physical stores. After an in-store purchase, the controller sent information to Google and Facebook to compare purchases with clicks on digital advertisements. The controller relied on Article 6(1)(f) GDPR for this processing. Finally, the DPA reviewed the controller’s handling of data subject rights requests. The controller had unresolved rights requests, including rectification requests, where the one-month deadline had expired. Some requests dated back to at least December 2021, and documentation also indicated unresolved cases from February 2021. 
Requests for rectification of email addresses were automatically treated as complex, which led to an automatic extension of the deadline. Holding The DPA held that the controller violated Article 6(1)(a) GDPR, read together with Article 4(11) GDPR, because the customer club consent was not valid. First, the consent was not specific. The DPA considered that sending general marketing communications, profiling for personalised marketing and analysing customer behaviour to improve marketing were separate purposes. A broad reference to marketing was not sufficiently concrete to cover all these processing activities. Second, the consent was not freely given. The DPA found that the controller bundled several processing purposes into one customer club membership. The data subject could not join the customer club and receive general benefits without also accepting profiling, personalisation and analysis. The possibility to opt out after joining did not cure this issue, because the data subject should have been able to make a granular choice before giving consent. Third, the consent was not informed. The information provided to customers before consent was mainly focused on discounts and benefits. The DPA found that the controller did not clearly explain, before consent was given, that the customer club involved personalised marketing, profiling and analysis, nor the consequences of such processing. The DPA also noted that the information depended largely on individual store employees, which created a significant compliance risk. The DPA further held that the seriousness of this infringement was increased by the fact that children’s personal data was also processed. The customer club was open to customers from the age of 15 at the time of the inspection, but the controller did not register age and had no mechanism to verify that customers met the age requirement. Regarding customer match, the DPA held that the controller violated Article 6(1) GDPR and Article 6(4) GDPR. 
The controller used personal data originally collected for the customer club for a new advertising-related purpose. The DPA considered that customers who consented to joining a customer club to receive discounts and benefits could not reasonably expect their data to later be used for customer matching with advertising platforms, especially where this involved sharing data with third parties. Therefore, Article 6(1)(f) GDPR could not serve as a valid legal basis. The controller also failed to assess whether the new purpose was compatible with the original purpose, as required by Article 6(4) GDPR. Regarding offline conversions, the DPA held that the controller violated Article 5(2) GDPR, read together with Article 5(1)(a) GDPR. The DPA did not decide whether Article 6(1)(f) GDPR could in principle be used for offline conversions. Instead, it found that the controller had failed to demonstrate that the processing was lawful. Its legitimate interest assessment was too brief and omitted key elements, including the number of data subjects affected, categories of personal data, possible processing of children’s data, reasonable expectations of the data subjects and potential negative consequences of sharing data with Google and Facebook. Regarding rights requests, the DPA held that the controller violated Article 12(3) GDPR. A rectification request concerning an email address was not, in itself, complex. The controller could not automatically extend the one-month deadline for all such requests. Any extension had to be based on a specific assessment of the number and complexity of the requests. The DPA also found that some requests were not handled even within the extended three-month deadline. The DPA imposed an administrative fine of NOK 20,000,000 under Article 58(2)(i) GDPR. It considered that the infringements concerned core GDPR principles and affected many data subjects, including children. 
The DPA also considered the infringements intentional, since the controller had consciously chosen the relevant customer club structure and marketing tools, and had been aware of risks linked to the consent model. At the same time, the DPA took mitigating factors into account. The controller cooperated during the investigation, had shown increased privacy awareness, implemented improvements after the inspection and addressed some of the identified issues. The DP","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=Datatilsynet_(Norway)_-_22\u002F00049-13&diff=51861&oldid=0","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fe\u002Fe8\u002FLogoNO.png","2026-06-11T08:44:45+00:00","2026-06-11T10:00:07.262218+00:00",7,[18,21,24,27,29,31],{"name":19,"type":20},"Datatilsynet","vendor",{"name":22,"type":23},"customer club","product",{"name":25,"type":26},"customer match tools","technology",{"name":28,"type":26},"offline conversion tools",{"name":30,"type":23},"Google",{"name":32,"type":23},"Facebook","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":33,"icon":35,"name":36,"slug":37},null,"GDPR","gdpr",[39,41,46,51],{"category":40},{"id":33,"icon":35,"name":36,"slug":37},{"category":42},{"id":43,"icon":35,"name":44,"slug":45},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":47},{"id":48,"icon":35,"name":49,"slug":50},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":52},{"id":53,"icon":35,"name":54,"slug":55},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]