In two Bavarian branches of Netto Marken-Discount, customers have recently been able to test shopping carts equipped with the Hybridloc system, which is controlled via the Netto app. The trial has raised fears that the discounter could collect and evaluate a large amount of personal data and track customers' dwell time, their location in the store and their detailed shopping habits. When asked by heise online, a spokeswoman for the responsible Bavarian State Office for Data Protection Supervision (BayLDA) explained that the authority had not previously been aware of the project. However, there is an obligation to consult the authority only in exceptional cases, namely if, despite measures taken to protect the people concerned, “a high residual risk remains”.
Data protection impact assessment not required
Based on the information available so far, the BayLDA does not consider it necessary for Netto to have submitted a data protection impact assessment in advance. However, the retailer must “of course observe the general data protection principles” such as data minimization, transparency, storage limitation and purpose limitation, explained the supervisory authority’s spokeswoman. The company therefore has to determine “exactly which data it intends to process for which purposes”. Those affected must be informed about this clearly and transparently, along with “other relevant aspects of the processing” such as its duration.
Customers have the right to know whether Netto “evaluates the time, duration and location of the purchase,” explains the authority representative. If this is the case, the store and app operator must also explain in a clear and understandable manner “exactly what purposes this serves and which data protection legal basis applies from Netto’s perspective”. In addition, the controller must document the processing, including all of its purposes, in a separate record of processing activities.
“For competitive reasons, no further details”
According to the spokeswoman, the BayLDA reserves the right to examine the app more closely. In principle, such a check is “always possible”. Corresponding checks are based “on general aspects of our prioritization, but also on the topics on which we receive complaints or other input.” It also plays a role whether there are an increasing number of letters about certain services or whether there are “indications of particular risks or even indications of data protection violations”. The mere fact that a digital product such as an app is expanded to include new functions does not in itself suggest that data protection requirements are not being met. A Netto spokeswoman asked heise online for understanding that, beyond one general statement, “for competitive reasons, no further details about the test” will be communicated.