Data Protection lessons for e-commerce businesses from the Digitec Galaxus case

Last Updated 06/05/2024

Ever wondered how important data protection really is for your e-commerce business? Let’s talk about Digitec Galaxus, Switzerland’s largest online retailer, and the lessons we can learn from their recent run-in with the Swiss Federal Data Protection and Information Commissioner (FDPIC). 

Background on the Digitec Galaxus Case 

Back in March 2020, Digitec Galaxus got flagged for how they handled customer data. Fast forward to April 2024, the FDPIC wrapped up an extensive review and reached its conclusion: the company wasn’t clear enough about what they did with customer data and was way off on its data protection game. The main problems identified were related to: 

  • Unclear data usage: Their data protection policy was vague about why they were collecting personal data. 
  • Mandatory customer accounts: To use their services, users had to create an account and agree to let the company use their personal data. 
  • Vague information on data sharing: There were not enough details on how personal data might be shared within the corporate group, raising fears of misuse. 

What this means for you 

If you’re running an e-commerce platform, here’s how you can steer clear of the issues Digitec Galaxus faced: 

  • Detailed and user-friendly privacy policies: update your policies so that anyone can easily get why and how you process their personal data. No legal jargon, just simple explanations. 
  • Pay particular attention to web analytics: web analytics can be particularly intrusive, so it is important to list the tools you use and explain what data they gather. 
  • Offer non-mandatory customer account options: Introduce the option for users to make purchases “as guests” without creating a mandatory customer account. This serves as a proportional measure in handling data and respects the users’ choice and privacy. 
  • Respect users’ rights: Include detailed information on how the rights users have and how they can be exercised. This includes information on how they can object to your marketing messages or how they can access and delete the personal data you store about them. 
  • Keep data processing to a minimum: minimize data processing and only collect data that you really need for the services you offer. For additional purposes, make sure you obtain valid consent from data subjects. 

Clear and lawful data practices aren’t just good for compliance; they make your business more trustworthy. Being upfront and honest about your data practices not only helps avoid legal headaches but also boosts your company’s image. 

Sounds difficult to do in practice? 

This might seem like a lot, but it doesn’t have to be. If you’re unsure about how to apply these lessons to your business, LEXR is here to help with tailored privacy policies and data protection compliance checks. Contact us today to ensure your data protection practices are up to scratch and your customer trust is solid. 


Let’s Go!

Book a free, non-binding discovery call to discuss how we can help you achieve your business goals.

Or feel free to reach us directly via email at [email protected].

Book a free call