Norway's data protection authority has imposed a NOK 20 million fine on Elkjop Nordic AS and Elkjop Norge AS following a multi-year investigation into how the electronics retailer processed personal data in its customer loyalty program, finding four distinct violations of the GDPR that affected more than six million club members across the Nordic region.

The decision, dated June 1, 2026, was published by Datatilsynet - the Norwegian Data Protection Authority - and represents one of the most detailed public rulings yet on how loyalty programs must handle consent, purpose limitation, and data subject rights under European data protection law. The case began with an on-site inspection in June 2022 and took nearly four years to reach a final fine.

Four violations, one loyalty club

According to Datatilsynet, the inspection revealed four separate infringements of the GDPR. The first and most central concerned the consent mechanism itself. Elkjop relied on consent as its legal basis for processing personal data in the context of its customer club. The club offered members general discounts, personalised offers, newsletters, and exclusive access - and to join, customers were required to accept all associated data processing at once.

The authority determined that this consent was not valid for three cumulative reasons. It was not specific, because the consent covered processing activities linked to different purposes - distribution of newsletters, sending text messages, profiling, personalisation, and analytics - without clearly separating them. It was not freely given, because customers faced an all-or-nothing situation: accept every form of processing or receive no membership. The Elkjop Compliance Team itself described the approach as "all or nothing" and as a "package". It was not informed, because the material presented to customers at the point of sign-up emphasised discounts and benefits while failing to explain the profiling and analytics activities that the membership also entailed.

According to Datatilsynet, the information provided to customers at store checkouts varied depending on which individual employee was serving them, creating a structural risk that the quality of disclosure was inconsistent and often inadequate. The authority noted that Elkjop had internally discussed the consent design in February 2022 and had identified the risk that supervisory authorities could find the consent invalid - yet the company kept the mechanism in place.

The violation was further aggravated by the processing of children's personal data. At the time of the inspection, the minimum age for club membership was 15 years, and Elkjop lacked technical mechanisms to verify customer age. According to Datatilsynet, the company did not register or store age information. Gaming products on the website attracted younger customers, and the authority concluded that children were included in the profiling by design rather than incidentally.

Customer Match and the purpose limitation problem

The second violation concerned Customer Match - a tool provided by advertising platforms that allows companies to upload customer contact details to match against platform user profiles for targeting purposes. Elkjop was in a test period for Customer Match use at the time of the June 2022 inspection and planned to implement it from June or July 2022.

Elkjop explained to inspectors that personal data originally collected in the context of the customer club - on the basis of consent - would be further processed in the Customer Match context. The purpose, according to the company, was to achieve more effective marketing, target specific customer groups, and improve media investment efficiency.

The legal issue was straightforward but had been ignored. According to Datatilsynet, processing data for Customer Match constituted a purpose other than that for which the data was originally collected. Under Article 6(4) of the GDPR, that requires a compatibility assessment. Elkjop had not carried out any such assessment - and explicitly told inspectors it had not done so because it considered the purposes identical.

The authority also rejected Elkjop's secondary argument that Article 6(1)(f) - legitimate interest - could serve as the legal basis for Customer Match processing. The fairness principle in Article 5(1)(a) requires that personal data not be processed in ways that are unexpected or misleading to data subjects. Customers who joined the club to receive discounts could not reasonably have expected their contact details to later be shared with advertising platforms for audience matching. According to Datatilsynet, the Customer Match tool specifically involved sharing personal data with third parties - something customers neither consented to nor could reasonably have anticipated.

The point is not academic. Customer Match has been undergoing significant technical changes in 2026, with Google migrating the upload infrastructure from the Google Ads API to its new Data Manager API. That migration formally concluded on April 1, 2026, with the Google Ads API no longer accepting new Customer Match uploads through the OfflineUserDataJobService and UserDataService endpoints. The Elkjop decision adds a GDPR compliance layer to a tool that retailers across Europe are simultaneously being asked to re-integrate technically.

Offline Conversions: inadequate documentation

The third violation involved Offline Conversions - a measurement tool that allows advertisers to send in-store purchase data to platforms like Google and Meta in order to measure the impact of digital advertising on physical retail sales. After a customer purchased in an Elkjop store, the company sent data to Google and Facebook to match those sales against clicks on the platforms' advertisements.

Elkjop identified Article 6(1)(f) - legitimate interest - as the legal basis for this processing. The accountability principle in Article 5(2) of the GDPR requires controllers to be able to demonstrate that processing is lawful. That demonstration, in the case of legitimate interest processing, requires a legitimate interest assessment (LIA) that evaluates whether the interests of the controller are overridden by the interests, rights, and freedoms of data subjects.

According to Datatilsynet, Elkjop had produced such an assessment, but it was inadequate. The balancing exercise lacked central elements: the number of data subjects affected, the categories of data processed, the implications for children's personal data, the reasonable expectations of data subjects, and - critically - the possible negative consequences of sharing personal data with Facebook and Google. Without identifying those potential consequences, the authority concluded, a proper balancing of interests was impossible to perform.

The authority did not reach any conclusion on whether Article 6(1)(f) could serve as a valid legal basis for Offline Conversions if conducted properly. The violation was procedural: Elkjop could not demonstrate lawfulness, which itself constitutes an infringement of Article 5(2).

Following the inspection, Elkjop informed Datatilsynet that it had discontinued the use of Offline Conversions with Meta due to unclear terms in the data processing agreement. The authority considered that use of the tool with Google continued.

Google has been expanding its Data Manager API to handle offline conversion data for retail, including store sales, in parallel with the Elkjop investigation. The legal assessment obligations highlighted in this case apply regardless of which technical pipeline is used.

Data subject rights: years of delay

The fourth violation was procedural. Article 12(3) of the GDPR requires controllers to respond to data subject requests within one month. That period may be extended by two further months where justified by complexity, on a case-by-case basis.

According to Datatilsynet, Elkjop had a systemic problem: requests to rectify email addresses were automatically categorised as complex, triggering the three-month extension as a matter of routine rather than individual assessment. A customer contact centre agent interviewed during the inspection confirmed that he had never assessed the complexity of any individual request.

The scale of the problem was documented. Elkjop shared evidence showing 75 unresolved requests that exceeded the one-month deadline as of June 1, 2022. Data subject request cases dating back to February 2021 remained unresolved at the time of the June 2022 inspection - a gap of more than 16 months. When contacting customers about overdue rectification requests, Elkjop told them it was "currently experiencing technical issues" and was unable to correct the error.

The authority noted that Elkjop was aware of at least one earlier case from April 2020 in which a customer's incorrect email address caused their personal data - including receipt and payment information - to be sent to the wrong recipient. That customer contacted Elkjop repeatedly from April 22, 2020, but the address was not corrected until November 27, 2020. Datatilsynet had closed that case in June 2021 after receiving assurances, only for the systemic problem to persist through the 2022 inspection.

How the fine was calculated

The fine of NOK 20 million amounts to approximately 1.85 million euros at current exchange rates. It is substantially lower than the starting range suggested by EDPB guidelines for an undertaking of this size.

Elkjop Nordic AS and Elkjop Norge AS are subsidiaries of Currys plc, the British electronics retailer. For the purposes of calculating the fine, Datatilsynet applied the turnover of the Currys group as a whole - a requirement established in European Court of Justice case law. According to Currys' annual report for 2024-25, total revenue was 8,706,000,000 GBP, which Datatilsynet converted to approximately 108,563,800,000 NOK and 10,052,205,000 EUR using Norges Bank exchange rates from May 27, 2026.

The infringements qualify under Article 83(5) of the GDPR, which sets a maximum of 20 million euros or 4 percent of worldwide annual turnover, whichever is higher. At 4 percent of Currys' turnover, the theoretical maximum would be approximately 402 million euros. EDPB guidelines recommend a starting point of 0.4 to 0.8 percent of turnover for infringements of moderate seriousness - a range that translates to roughly 434 to 868 million NOK.

The authority chose a final figure of NOK 20 million, well below even the lower bound of the guidelines' starting range. Datatilsynet identified several mitigating factors: Elkjop had been cooperative throughout the inspection process, had shown an increasing level of data protection awareness within the organisation, had implemented technical solutions for handling rectification requests by June 2023, and had made other improvements following the inspection. The long case handling time - nearly four years from inspection to decision - was separately identified as a mitigating factor, with Datatilsynet acknowledging that part of the delay was attributable to slow progress on its own side.

Intentionality was treated as an aggravating factor. According to the decision, Elkjop had been aware as early as May 2022 - the month before the inspection - that supervisory authorities could find its consent mechanism invalid, having received a similar finding in the so-called "Christmas calendar case" from Datatilsynet. The authority concluded that the consent design, the use of Customer Match, and the use of Offline Conversions all represented deliberate commercial choices, not accidental oversights.

According to Datatilsynet, the EDPB guidelines suggest a starting point of 0.4 to 0.8 percent of global turnover for moderate infringements of this type. The final fine of NOK 20 million is considerably below that range, reflecting the totality of mitigating circumstances.

Cross-border enforcement and scope

The case was handled as a cross-border matter under the GDPR's one-stop-shop mechanism. Because Elkjop has its main establishment in Norway, Datatilsynet acted as the lead supervisory authority. Data protection authorities in Sweden, Iceland, Finland, and Denmark were given the opportunity to comment on the draft decision as concerned supervisory authorities. The final decision was adopted in accordance with the cooperation and consistency mechanism established under Articles 56 and 60 of the GDPR.

According to the decision, more than six million customer club members across the Nordic countries were affected by the violations. Elkjop reported a total customer base of 11 million. The group operates under the brands Elkjop and Elkjop Phonehouse in Norway, Elgiganten and Elgiganten Phonehouse in Sweden, Elgiganten in Denmark, Gigantti in Finland, Elko in Iceland, Elding in the Faroe Islands, and Pisiffik in Greenland, with more than 400 stores.

The decision can be appealed before the Oslo District Court. It cannot be referred to the Norwegian Privacy Appeals Board because it was adopted as a cross-border case under Chapter VII of the GDPR.

Why this matters for the marketing community

The Elkjop decision is directly relevant to anyone operating retail loyalty programs, customer data platforms, or first-party audience strategies in Europe. Three of the four violations involve tools and practices that are standard in the marketing technology stack: loyalty club consent architecture, Customer Match for audience targeting, and Offline Conversions for retail measurement.

The EDPB's 2025 annual report, covered by PPC Land in April 2026, recorded 1.145 billion euros in GDPR fines during 2025 across the European Economic Area - a figure that underlines sustained enforcement intensity. Norway's own regulatory activity has been notable in recent years. The Norwegian court upheld a 6.5 million euro fine against Grindr in October 2025 for sharing sensitive user data with advertising partners without valid consent. Datatilsynet also raised concerns in May 2026 about Schibsted's model of charging a monthly fee to readers who declined personalised advertising consent, framing the practice as making privacy a luxury item.

The Elkjop case reinforces three specific points that are practically relevant to marketing operations. First, describing consent as covering "marketing" is not sufficiently specific under the GDPR. Sending general newsletters, conducting profiling for personalised advertising, and running analytics to improve marketing are separate purposes that may each require separate consent - or a different legal basis entirely. Second, using customer data collected under consent for Customer Match processing on advertising platforms requires either a compatibility assessment or fresh consent. The EDPB has consistently stated that where data is collected on the basis of consent, further processing under legitimate interest is precluded. Third, legitimate interest assessments for tools like Offline Conversions must document the potential consequences for data subjects - including the number of people affected, children's data, and the implications of sharing with third parties. A brief assessment noting that the processing is "industry standard" does not satisfy the requirement.

PPC Land has tracked the technical migration of both Customer Match and Offline Conversions to Google's Data Manager API across multiple updates in 2025 and 2026. Those technical changes do not alter the underlying legal obligations. The GDPR requirements that Elkjop failed to meet apply to how data is collected and used - not which API carries it.

Timeline

  • 2016: Elkjop's Swedish operations begin customer club operations, establishing the basis later examined in the cross-border case
  • 2019: Elkjop launches its customer club in Norway, Denmark, and Finland
  • April 22, 2020: A customer contacts Elkjop to request rectification of an incorrectly registered email address; the correction is not made until November 27, 2020
  • February 2021: Data subject request cases created in this month remain unresolved at the time of the June 2022 inspection
  • January 2021 to 2023: Datatilsynet receives multiple complaints and tips about the Elkjop customer club across several case references
  • May 9, 2022: Datatilsynet issues a finding in the "Christmas calendar case" regarding an earlier Elkjop consent mechanism for a seasonal promotion, concluding the consent was invalid; Elkjop receives notice of the authority's position on consent specificity
  • June 20-22, 2022: Datatilsynet conducts an on-site inspection at Elkjop's offices in Nydalen, Oslo, covering Elkjop Nordic AS and Elkjop Norge AS
  • June/July 2022: Elkjop implements Customer Match following the test period that was active at the time of inspection
  • June 1, 2023: Datatilsynet provides Elkjop with the preliminary factual inspection report
  • June 22, 2023: Elkjop submits comments on the factual inspection report; also informs Datatilsynet of the technical solution for rectification requests finalised this month
  • October 2025: Norwegian court upholds Grindr fine in related Norwegian enforcement action
  • October 30, 2025: Datatilsynet issues advance notification of intent to impose a fine
  • February 1, 2026: Elkjop submits comments on the advance notification, following a deadline extension from December 10, 2025
  • April 1, 2026: Google's Customer Match API in Google Ads stops functioning for new developers, with uploads required to move to the Data Manager API
  • June 1, 2026: Datatilsynet issues the final decision imposing an administrative fine of NOK 20,000,000 on Elkjop Nordic AS and Elkjop Norge AS
  • June 5, 2026: Datatilsynet publishes its public summary of the administrative fine decision

Summary

Who: Datatilsynet, the Norwegian Data Protection Authority, acting as lead supervisory authority under the GDPR's one-stop-shop mechanism, in cooperation with the data protection authorities of Sweden, Iceland, Finland, and Denmark. The entities fined are Elkjop Nordic AS and Elkjop Norge AS, subsidiaries of Currys plc, the UK-listed electronics retailer.

What: An administrative fine of NOK 20,000,000 - approximately 1.85 million euros - for four violations of the GDPR: invalid consent for customer club data processing (Article 6(1) and Article 4(11)); unlawful use of Customer Match without a compatibility assessment (Article 6(1) and 6(4)); inadequate documentation of the legal basis for Offline Conversions processing (Article 5(2) and 5(1)(a)); and failure to handle data subject rights requests within legal deadlines (Article 12(3)).

When: The inspection took place on June 20 and 22, 2022. The final decision was issued on June 1, 2026. The violations occurred across a period beginning as early as 2016 for the Swedish customer club, with Norwegian, Danish, and Finnish operations beginning in 2019. Data subject rights failures extended back to at least December 2021.

Where: Elkjop's main establishment is in Norway, making Datatilsynet the lead supervisory authority for this cross-border case. The violations affected customer club members across Norway, Sweden, Denmark, Finland, Iceland, Greenland, and the Faroe Islands - more than six million individuals in total. The on-site inspection was conducted at Elkjop's offices in Nydalen, Oslo.

Why: Datatilsynet concluded that the infringements touched core principles of GDPR data protection law - lawfulness, purpose limitation, accountability, and data subject rights - and that the large number of affected individuals, including children, and the deliberate nature of the choices made by Elkjop warranted a formal fine. The authority noted that Elkjop had been aware of the regulatory risk associated with its consent mechanism before the inspection and had chosen to maintain it regardless.