As part of a fol­low-up audit, the FDPIC ana­ly­zed the data flows in con­nec­tion with the Coop Super­card and review­ed com­pli­ance with data pro­tec­tion requi­re­ments. It found a “posi­ti­ve over­all pic­tu­re of data pro­ce­s­sing”, but pre­sen­ted various pro­po­sals for adjust­ments in the final report. Coop has accept­ed these.

Con­sent, duty to inform

The sub­ject of the fol­low-up inspec­tion was the shop­ping cart ana­ly­sis intro­du­ced in Sep­tem­ber 2012. Coop expli­ci­t­ly sta­tes in the GTC that the cus­to­mer cons­ents to the eva­lua­ti­on of cus­to­mer pro­files (i.e. per­so­na­li­ty pro­files), and does so vol­un­t­a­ri­ly and expli­ci­t­ly. This also ful­fills the duty to inform accor­ding to DSG 14:

In con­nec­tion with the Super­card, Coop gene­ral­ly stores all purcha­ses made by cus­to­mers regi­stered with it (if the card is pre­sen­ted at the check­out and the cus­to­mer has accept­ed the new Gene­ral Terms and Con­di­ti­ons) and can thus obtain a pic­tu­re of the con­sump­ti­on habits of the indi­vi­du­als, which gives a Per­so­na­li­ty pro­fi­le in the sen­se of Art. 3 lit. d DSG. As alre­a­dy men­tio­ned in sec­tion 5.2. of this final report, Coop informs in the Gene­ral Terms and Con­di­ti­ons for Super­card that “.shop­ping bas­ket ana­ly­ses are car­ri­ed out on the basis of purcha­ses from the Coop Group, which can reflect con­su­mer beha­vi­or as well as con­sump­ti­on pro­files.” It fur­ther informs that Coop uses this data to Eva­lua­te and ana­ly­ze for mar­ke­ting and adver­ti­sing pur­po­ses. Coop thus com­plies with its duty to inform pur­su­ant to Art. 14 para. 1 FADP.

Both on the regi­stra­ti­on form and on the online regi­stra­ti­on form, cus­to­mers expli­ci­t­ly con­firm that they allow Coop to pro­cess their shop­ping cart data for the pur­po­se of cus­to­mer pro­fil­ing. This con­sti­tu­tes a Con­sent of the cus­to­mers for the pro­ce­s­sing of per­so­na­li­ty pro­files within the mea­ning of Art. 4 para. 5 sen­tence 2 FADP. Coop also sepa­ra­te­ly refers again on the appli­ca­ti­on to the rele­vant clau­ses in the GTC regar­ding its data pro­ce­s­sing in con­nec­tion with cus­to­mer pro­fil­ing and adver­ti­sing, which is to be wel­co­med from the point of view of trans­pa­ren­cy (Art. 4 para. 2 FADP).

The cus­to­mer also has the opti­on of revo­king his con­sent to recei­ve adver­ti­sing on Coop’s web­site (opt-out). Howe­ver, in the view of the FDPIC, the wor­ding used for the check­box the­re is – pro­ba­b­ly right­ly – not sufficient:

The wor­ding on the home­page “Plea­se send me infor­ma­ti­on about the Super­card by mail”. is, howe­ver, mis­lea­ding. It is not clear that this refers to tar­ge­ted adver­ti­sing based on par­ti­ci­pa­ti­on in the Super­card pro­gram. In the inte­rests of trans­pa­ren­cy pur­su­ant to Art. 4 (2) FADP, the wor­ding should be adapt­ed accordingly.

The FDPIC the­r­e­fo­re pro­po­ses the fol­lo­wing text:

“I her­eby wish to opt-out of recei­ving adver­ti­se­ments and offers based on my Super­card-rela­ted shop­ping behavior.”

(Mea­ning, I guess, “I her­eby decla­re … to renounce”).

In con­nec­tion with the trans­pa­ren­cy obli­ga­ti­on, the FDPIC also recom­mends remo­ving an unclear refe­rence in the GTC to health-rela­ted claims. With this, Coop wan­ted to cover the eva­lua­ti­on of claims when purcha­sing aller­gy pro­ducts. Howe­ver, the cor­re­spon­ding state­ment was unclear and should the­r­e­fo­re be omit­ted, espe­ci­al­ly sin­ce the­re was no health-rela­ted cus­to­mer seg­men­ta­ti­on (which would be dis­pro­por­tio­na­te any­way, accor­ding to the FDPIC). One may won­der, howe­ver, whe­ther the FDPIC ther­eby takes the view that the unin­ten­tio­nal, non-syste­ma­tic acqui­si­ti­on of per­so­nal data requi­ring spe­cial pro­tec­tion does not fall under Art. 14 DPA, becau­se other­wi­se Coop would have to expli­ci­t­ly inform about the pro­cu­re­ment of the­se data and the pur­po­se of pro­cu­re­ment. This would be in line with the opi­ni­on of David Rosen­thal; Astrid Epi­ney agrees.

Right to infor­ma­ti­on, refusal

It is also inte­re­st­ing to note that the FDPIC sta­tes that all requests for infor­ma­ti­on to the Legal Ser­vice be for­ward­ed. Not all com­pa­nies loca­te this func­tion direct­ly with the legal ser­vice (an alter­na­ti­ve is, for exam­p­le, cus­to­mer ser­vice, pro­vi­ded that ins­truc­tions exist for clear cases and a pro­cess is defi­ned for escala­ting less clear cases to the legal ser­vice). Coop also appears to want to con­sider trans­fer­ring this func­tion to ano­ther depart­ment in the future. – In this con­text, the FDPIC also comm­ents in pas­sing on the que­sti­on of what con­sti­tu­tes a trade secret (it is not enti­re­ly clear why DPA 9 IV was appli­ca­ble in view of the third-par­ty dis­clo­sure of cus­to­mer addresses):

Con­tra­ry to Coop’s view, the Seg­men­ta­ti­on port­fo­lio as listed in sec­tion 7.2. of this final report No trade secret which would out­weigh the right to infor­ma­ti­on of a data sub­ject within the mea­ning of Art. 9 DPA. On the other hand, the exact method of cal­cu­la­ti­on as to how Coop Super­card arri­ved at the­se results does not have to be dis­c­lo­sed, as this infor­ma­ti­on is to be under­s­tood as a trade secret and the­r­e­fo­re as a ground for rest­ric­tion within the mea­ning of Art. 9 (4) FADP. It is suf­fi­ci­ent that Coop pro­vi­des infor­ma­ti­on in a gene­ral man­ner here.

The lat­ter rest­ric­tion cor­re­sponds to the Schufa case law of the BGH.

Final Report Decem­ber 14, 2015:

[pdf-embedder url=“http://datenrecht.ch/wp-content/uploads/2016/02/SchlussberichtzumKundenbindungsprogrammSupercard28Nachkontrolle291.pdf”]