The Finnish Supreme Administrative Court clarifies the limits of data storage obligations – key takeaways from the ruling

3 July 2026

The Finnish Supreme Administrative Court's (SAC) recent decision (12 June 2026/1604) demonstrates that obligations regarding the storage of personal data are not merely administrative compliance requirements. Rather, they form a core component of the GDPR's accountability framework, requiring controllers to actively determine and justify how long personal data may be stored.

In its decision, the SAC examined the practices of Verkkokauppa.com Oyj (Verkkokauppa.com), whose online store required customers to create an account before making a purchase. Personal data associated with customer accounts were generally stored until the customer actively requested deletion of their data. The SAC held that the company's approach to storing personal data was contrary to the GDPR and upheld the Administrative Court's decision confirming an administrative fine of EUR 792,639.

What happened?

The case originated from a complaint investigated by the Office of the Data Protection Ombudsman concerning Verkkokauppa.com’s data storage practices. Customers were required to create an account in order to make purchases through the company’s online store, and personal data stored in those accounts were kept for as long as the customer relationship remained active. In practice, the customer relationship only ended when the customer requested deletion of their data.

The Data Protection Ombudsman concluded that the company had failed to define storage periods or criteria for determining the storage time as required under the GDPR. In practice, the storage of personal data was linked to the actions of the customer rather than to an assessment made by the controller as to how long the data needed to be kept for the purposes of processing.

The Data Protection Ombudsman ordered the company to bring its processing activities into compliance with the GDPR and to delete or anonymize data that had been kept for excessive periods, and issued a reprimand for the infringement. In addition, the sanctions board imposed an administrative fine of EUR 856,000. The Administrative Court reduced the amount to EUR 792,639 but otherwise upheld the findings of infringement. The SAC reached the same conclusion.

Determining storage periods is the controller's responsibility

The SAC emphasized that, before processing begins, controllers must determine storage periods for personal data or, at a minimum, establish the criteria used to determine such periods. Furthermore, controllers must be able to demonstrate that personal data are deleted or anonymized once their storage is no longer necessary for the purposes for which they were collected.

According to the SAC, Verkkokauppa.com’s practice of storing all customer data indefinitely demonstrated that the controller had not carried out an assessment of the storage period necessary in light of the purposes of processing. The SAC emphasized that storage times must be derived from an assessment of what is necessary for the relevant processing purpose, rather than from the mere existence of a customer account. Controllers must therefore establish storage periods based on identified processing purposes and be able to demonstrate that those periods have been consciously assessed and implemented.

The SAC’s reasoning also highlights that personal data should be stored for the shortest period possible and that controllers should establish mechanisms ensuring that personal data are not stored longer than necessary. Verkkokauppa.com argued that it had fulfilled its obligations because customers could request deletion of their data and terminate their customer relationship at any time. In the SAC’s view, the storage period must be based on the controller’s own assessment of necessity, not on whether the data subject remembers or chooses to exercise their right to erasure.

Consequently, an indefinite storage period cannot be justified solely by relying on the data subject to take action and request deletion.

Focus on storage limitations rather than the account-based processing

A noteworthy aspect of the case is that the parties and the SAC confined their analysis to the issue of data storage, and the SAC did not find that requiring customers to register before making purchases in an online store was, in itself, contrary to the GDPR. The case was therefore not about whether an online retailer may structure its business model around customer accounts; the decisive issue was instead how personal data associated with that business model were stored.

The decision therefore leaves businesses with considerable flexibility in designing customer relationship models. At the same time, it underscores that storage periods must be properly defined regardless of whether the processing is based on a one-off transaction or an ongoing customer relationship.

Freedom to conduct a business does not override data protection obligations

Verkkokauppa.com relied on the freedom to conduct a business, arguing that the measures imposed by the Data Protection Ombudsman interfered with its ability to operate its chosen business model.

The SAC rejected this argument. According to the SAC, the freedom to conduct a business protects the right of companies to engage in economic activity, but that right must be exercised within the framework of applicable regulation.

Administrative fines and the seriousness of storage-related infringements

One major aspect of the judgment concerns the administrative fine.

Verkkokauppa.com argued that the alleged infringement involved a genuinely debatable interpretation of the law and had not caused any concrete harm to data subjects. According to the company, corrective measures such as a reprimand or compliance order would have been sufficient.

The SAC did not alter the Administrative Court’s assessment of the appropriateness of the fine. It accepted the lower court’s conclusion that the infringement had been long-standing, systematic and large-scale. The complete absence of defined storage periods was not an isolated error but rather an inherent feature of the company’s operating model over several years.

The decision demonstrates that infringements relating to storage obligations are regarded as no less serious than other GDPR violations, irrespective of whether the case involves a personal data breach or evidence of concrete harm to individuals.

Looking ahead

The SAC’s decision provides important clarification regarding the content of the GDPR’s storage limitation principle and emphasizes the controller’s active responsibility throughout the entire lifecycle of personal data.

For controllers, the message is clear: the storage of personal data cannot be based solely on open-ended customer relationships or on the actions of data subjects themselves; instead, controllers must independently define, justify and implement GDPR-compliant storage periods. More broadly, the decision reinforces a fundamental principle underlying the GDPR – responsibility for lawful processing rests primarily with the controller, not with the data subject.

For more information on the topic and advice in relation to data protection, please contact Martina Simpanen or Sonja Heiskala.