Guest access in the online store: OLG Hamburg strengthens entrepreneurial freedom of design

Guest access is not always required in the online store.
Does an online store always have to offer guest access that customers can use without registering? The Hanseatic Higher Regional Court had to deal with this question, taking into account key principles of data protection law. The focus was on data minimization and personalized advertising, on which the court made clear statements in favor of entrepreneurial leeway.

Consumer association sues over lack of guest access

A consumer protection association brought an action against a trading and service company that operates an online marketplace under a well-known domain.

Firstly, the plaintiff objected to the fact that the company did not offer "guest access" for ordering. For each purchase transaction, it was mandatory to set up a permanent customer account with the entry of extensive personal data such as name, address, date of birth, telephone number and email address. The plaintiff saw this as an infringement of the principle of data minimization pursuant to Art. 5 para. 1 lit. c GDPR and of the principle of data protection-friendly default settings pursuant to Art. 25 para. 2 GDPR. In particular, it argued that the mandatory creation of a customer account is neither objectively necessary for the execution of the contract nor for the fulfillment of legal obligations.

Secondly, the complaint was directed against the company's practice of using personal data from the customer account to personalize advertising content without the explicit, informed consent of the data subjects. The plaintiff argued that this use was not covered by Art. 6 para. 1 lit. f GDPR and constituted comprehensive profiling that goes beyond permissible direct advertising in accordance with Section 7 (3) UWG.

The Hamburg Regional Court dismissed the action in its entirety. In support of its decision, it referred, among other things, to a statement by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI), in which the defendant's practice was assessed as compliant with data protection law. In particular, the statement clarified that the restrictions demanded by the plaintiff were too sweeping and that the defendant's legitimate interests in structured customer management and fraud-preventive data processing had to be taken into account.

In its appeal, the plaintiff pursued its claims in full and challenged the judgment of the regional court on several points. The defendant countered that the claims were too broad and without merit and defended the design of its customer account structure as appropriate and necessary under data protection law.

The Higher Regional Court of Hamburg dismissed the appeal and confirmed the decision of the court of first instance.

No obligation to provide guest access

The OLG confirmed the opinion of the Regional Court that the lack of guest access does not infringe data protection law. The court does recognize the principle of data minimization under Art. 5 para. 1 lit. c GDPR in principle; however, it is not violated if the processing, as in the present case, is required to safeguard legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR.

The court placed particular emphasis on the assessment of the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI). In an official statement, the Commissioner classified the design of the ordering process without guest access as unobjectionable under data protection law. This opinion was based, among other things, on the fact that the additional range of functions associated with a customer account was beneficial to both consumers and the provider and that there was no excessive data processing.

The proceedings also took into account the decision of the Data Protection Conference (DSK) of 24.03.2022, according to which controllers should generally offer guest access in online trading unless special circumstances justify a deviation. The court considered such circumstances to exist in the specific case and thus expressly followed the view expressed by the HmbBfDI.

The defendant had comprehensibly demonstrated that a large amount of the data stored in the customer account (e.g. date of birth, telephone number) was necessary for fraud prevention, credit checks or coordination of shipping deliveries. The court found that this data collection would be necessary even in the case of guest access and therefore saw no less restrictive means of achieving the legitimate purposes.

No infringement of data protection-friendly default settings

As part of its review, the Hanseatic Higher Regional Court also dealt with the question of whether the defendant's design of the ordering process violated Art. 25 para. 2 GDPR, i.e. the principle of data protection-friendly default settings (privacy by default). This provision obliges controllers to ensure, through technical and organizational measures, that by default only the personal data required for the respective purpose is processed. The aim is to ensure the best possible data protection from the default settings of a system onward.

The court came to the conclusion that the defendant fulfilled this obligation. It found that setting up a password-protected customer account was not only permissible, but even conducive to data protection. This is because users can use such an account to view their orders, manage returns, assert warranty rights and efficiently handle their communication with the provider. Personal data is stored for a specific purpose and to an extent limited by legal requirements. The fact that a customer account is required to place an order does not contradict the principle of data protection-friendly default settings, as long as the data processing remains limited to what is necessary.

In particular, the court emphasized that no data is passed on to unauthorized third parties without the active involvement of users, and that access to the data is protected by a secure login procedure. In addition, the transparency shown by the defendant was positively emphasized: the data subjects are informed of the nature, scope and purposes of the data processing when setting up the account, which fulfills the transparency requirement pursuant to Art. 5 para. 1 lit. a GDPR.

Overall, the court confirmed that the specific technical and organizational measures taken by the defendant to ensure data protection-friendly default settings within the meaning of the GDPR are appropriate and proportionate. An infringement of Art. 25 para. 2 GDPR is therefore not apparent.

Advertising and profiling: no obligation to obtain consent?

With regard to the use of customer data for the personalization of advertising, the court also denied a claim for injunctive relief. This processing falls within the scope of the GDPR rather than Section 7 (3) UWG; however, the court considered the evaluation of the order history for personalization to be a legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR. In particular, the Senate did not recognize any comprehensive profiling or use of external data sources that would have made consent necessary.

The decisive factor is that the personalization is limited to similar products and services and is clearly distinct from comprehensive profiling within the meaning of Art. 4 No. 4 GDPR. The latter would involve a systematic analysis of personal aspects, such as interests, behavior or whereabouts, for which explicit consent would be required; in addition, the user is granted a right to object at any time, as provided for in Art. 21 (2) GDPR.

Guest access: principle of data minimization not absolute

The judgment of the OLG Hamburg makes it clear that the GDPR does not establish a general obligation to provide guest access in online retail. The principle of data minimization is not absolute, but always requires a purpose-oriented assessment. The ruling also reinforces the view that the use of customer data to personalize advertising may, under certain conditions, be permissible even without consent, especially for existing customers.

For companies, this means a certain degree of legal certainty, provided that they document their data processing well and can substantiate their legitimate interests.

The central role of the balancing of interests pursuant to Art. 6 para. 1 lit. f GDPR is particularly emphasized: companies must check whether their legitimate interests outweigh the rights and freedoms of the data subjects. Only if this is the case can data processing be carried out lawfully without consent.

Source: Judgment of the Hanseatic Higher Regional Court of 27.02.2025 (5 U 30/24)

Do you want to make your online processes compliant with data protection law and minimize legal risks? As experts in data protection, compliance and digital business models, we support you in the evaluation, optimization and documentation of your data processing. Arrange a non-binding initial consultation with our expert consultants and get your company on the road to success in a secure and GDPR-compliant manner.
