As part of a follow-up audit, the FDPIC analyzed the data flows in connection with the Coop Supercard and reviewed compliance with data protection requirements. It found a “positive overall picture of data processing”, but presented various proposals for adjustments in the final report. Coop has accepted these.
Consent, duty to inform
The subject of the follow-up inspection was the shopping cart analysis introduced in September 2012. Coop explicitly states in the GTC that the customer consents to the evaluation of customer profiles (i.e. personality profiles), and does so voluntarily and explicitly. This also fulfills the duty to inform according to DSG 14:
In connection with the Supercard, Coop generally stores all purchases made by customers registered with it (if the card is presented at the checkout and the customer has accepted the new General Terms and Conditions) and can thus obtain a picture of the consumption habits of the individuals, which gives a Personality profile in the sense of Art. 3 lit. d DSG. As already mentioned in section 5.2. of this final report, Coop informs in the General Terms and Conditions for Supercard that “.shopping basket analyses are carried out on the basis of purchases from the Coop Group, which can reflect consumer behavior as well as consumption profiles.” It further informs that Coop uses this data to Evaluate and analyze for marketing and advertising purposes. Coop thus complies with its duty to inform pursuant to Art. 14 para. 1 FADP.
Both on the registration form and on the online registration form, customers explicitly confirm that they allow Coop to process their shopping cart data for the purpose of customer profiling. This constitutes a Consent of the customers for the processing of personality profiles within the meaning of Art. 4 para. 5 sentence 2 FADP. Coop also separately refers again on the application to the relevant clauses in the GTC regarding its data processing in connection with customer profiling and advertising, which is to be welcomed from the point of view of transparency (Art. 4 para. 2 FADP).
The customer also has the option of revoking his consent to receive advertising on Coop’s website (opt-out). However, in the view of the FDPIC, the wording used for the checkbox there is – probably rightly – not sufficient:
The wording on the homepage “Please send me information about the Supercard by mail”. is, however, misleading. It is not clear that this refers to targeted advertising based on participation in the Supercard program. In the interests of transparency pursuant to Art. 4 (2) FADP, the wording should be adapted accordingly.
The FDPIC therefore proposes the following text:
“I hereby wish to opt-out of receiving advertisements and offers based on my Supercard-related shopping behavior.”
(Meaning, I guess, “I hereby declare … to renounce”).
In connection with the transparency obligation, the FDPIC also recommends removing an unclear reference in the GTC to health-related claims. With this, Coop wanted to cover the evaluation of claims when purchasing allergy products. However, the corresponding statement was unclear and should therefore be omitted, especially since there was no health-related customer segmentation (which would be disproportionate anyway, according to the FDPIC). One may wonder, however, whether the FDPIC thereby takes the view that the unintentional, non-systematic acquisition of personal data requiring special protection does not fall under Art. 14 DPA, because otherwise Coop would have to explicitly inform about the procurement of these data and the purpose of procurement. This would be in line with the opinion of David Rosenthal; Astrid Epiney agrees.
Right to information, refusal
It is also interesting to note that the FDPIC states that all requests for information to the Legal Service be forwarded. Not all companies locate this function directly with the legal service (an alternative is, for example, customer service, provided that instructions exist for clear cases and a process is defined for escalating less clear cases to the legal service). Coop also appears to want to consider transferring this function to another department in the future. – In this context, the FDPIC also comments in passing on the question of what constitutes a trade secret (it is not entirely clear why DPA 9 IV was applicable in view of the third-party disclosure of customer addresses):
Contrary to Coop’s view, the Segmentation portfolio as listed in section 7.2. of this final report No trade secret which would outweigh the right to information of a data subject within the meaning of Art. 9 DPA. On the other hand, the exact method of calculation as to how Coop Supercard arrived at these results does not have to be disclosed, as this information is to be understood as a trade secret and therefore as a ground for restriction within the meaning of Art. 9 (4) FADP. It is sufficient that Coop provides information in a general manner here.
The latter restriction corresponds to the Schufa case law of the BGH.
Final Report December 14, 2015:[pdf-embedder url=“http://datenrecht.ch/wp-content/uploads/2016/02/SchlussberichtzumKundenbindungsprogrammSupercard28Nachkontrolle291.pdf”]