In general

The Nordic commerce sector, represented by Dansk Ehrverv (the Danish Chamber of Commerce)[i], Kaupan liitto (the Finnish Commerce Federation)[ii], Svensk Handel (the Swedish Trade Federation)[iii], welcomes the revision of the Data Protection Directive from 1995 since its rules are outdated and the implementation in the member states is fragmented. The commerce sector calls for an effective, modern and balanced framework for the data protection on the internal market and supports harmonization that is highly needed to facilitate growth in cross border trade.

Due to the current situation in the negotiation process we need to emphasize the importance of quality over speed. The discussed texts are ambiguous and it is very hard to oversee the consequences for businesses when put into practice. The GDPR is a dossier of utmost importance for the competitiveness of European businesses.

The amount of data collected grows constantly since people and businesses are increasingly going online. Using personal data in business is essential for companies today, to market goods and services effectively and develop new products and business models. At the same time the data subject is in need of a high level of protection to prevent integrity breach. The final regulation must rely on a balance between these two interests and hold a high level of clarity.

Below, please find our opinion on a few of the most pressing issues for the Nordic commerce sector.

Unambiguous consent

The fundamental rule being that the data subject should give an unambiguous consent to every use of their personal data is obvious. Although there have to be a possibility to use personal data in business based on a balance of legitimate interest. When dealing with non-harmful data companies should be able to process such data even without an explicit consent if it is in the interest of the consumer. In addition, it is of high interest that the provisions regulating consent does not put up barriers in form of technical or form requirements.

Personalization (profiling)

Profiling is one of the most important issues for the commercial sector. Analyzing data facilitate marketing of relevant products to the market and to different categories of consumers. We are of the opinion that the consumer to a large extent wants a few targeted offers instead of a host of general ones. The commerce sector is developing towards more and more personalized shopping experiences, all due to the demand from the consumers. Also profiling is used to evaluate patterns of consumers to improve the measures needed for as an example fraud fighting and credit evaluation. Certainly there need to be a balance between the interests of businesses and the consumers. We advocate that this interest is met with clear provisions providing the consumer with the possibility to under certain circumstances object to profiling, an opt-out solution (which can be of different nature depending on technological developments). We mean that the proposed provision in article 20 is too far-reaching and uncertain. This lack of clarity will seriously affect companies’ possibilities to analyze data to improve business models and to market their products effectively, hampering the competitiveness for the European industry.

Data portability

The Nordic commerce sector is concerned by the right for the data subject to transmit the personal data concerning the subject from one operator to another. First, we can neither - from a retail perspective - see the relevance of this possibility for the data subject, nor the proportionality in the measure as the demand would severely infringe upon company trade secrets. Second, the right must be limited to data provided by the subject guaranteeing that no analysis, specific safeguards or confidential contract provisions is transmitted from the first operator to the other operator. Otherwise it will be easy for a competitor to get information about other companies’ strategies.

Data Protection Officer

The obligation to designate a data protection officer should be risk-based. It should only apply to SMEs whose core businesses involve handling data, since the cost for regular SMEs is disproportionate to the effect for the data subjects. The obligation should be related to the kind of business activity, not based on the number of data subjects processed. We want to emphasize that the core business for companies in the commerce sector, e-commerce as well as brick-and-mortar, is to market and sell products, not to process personal data. The processing of data makes the marketing and selling more effective, although it is not the core business. Therefore, e-commerce companies should not, automatically be obligated to designate a costly data protection officer.


For businesses operating cross border and in different member states there need to be a possibility to keep contact with one Data Protection Authority instead of the authority in every member state where the business is established or operates. Although the one-stop-shop has met strong opposition in the negotiations we would like to stress the importance of this. A one-stop-shop solution would ease the administrative burden for businesses and simplify for the industry to adapt to the regulation in a coherent way.


There is a need for discouraging sanctions for a breach of data protection rules resulting in an infringement of integrity, although we consider the proposed sanctions to be out of proportion. There must be a possibility for the supervisory authorities to give a warning for an unintentional breach of the regulation instead of a pecuniary sanction. Also the authority needs to adjust the administrative fee to the situation of the processor as well as the actual harm the infringement has caused the data subject. Unclear wording and reference to subsequent clarifications on essential parts of the legislative texts make even more unjustified the high penalties envisaged under Art 79.

May 2015


Dansk Erhverv Kaupan Liitto   Svensk Handel
Henrik Hyltoft  Juhani Pekkala Karin Johansson
Director CEO CEO

[i] Dansk Ehrverv (The Danish Chamber of Commerce) is the network for the service industry in Denmark. It is one of the largest professional business organisations in Denmark with more than 200 employees, offices in Copenhagen, Aarhus and in Brussels. The Chamber represents 17,000 Danish companies and 100 trade associations within trade, tourism, business services, IT, welfare services and transportation.

[ii] Kaupan liitto (Finnish Commerce Federation) is a nationwide lobbying organisation whose mission is to promote Finnish commerce. Kaupan Liitto work to improve the operating conditions for companies active in wholesale and retail trade, to stimulate co-operation within the sector and to enhance the commercial and employer interests of our members. Kaupan Liitto plays an important role in the labour market, negotiating collective labour agreements, resolving labour disputes and serving members in employment issues.

[iii] Svensk Handel (Swedish Trade Federation) is the employers’ organisation serving the entire trade and commerce sector. Svensk Handel is tasked with creating the best trading conditions for commercial enterprises both large and small. Svensk Handel has 13,000 member companies with around 300,000 employees, active across various branches of retail and wholesale trade.