Shopping over the internet has become one of the main means of concluding consumer contracts over the past two decades. This development has brought undeniable benefits in terms of speed, accessibility, and convenience, but it has also fundamentally changed the conditions under which customers’ personal data are processed.
One of the most prominent manifestations of this transformation is the widespread practice of mandatory user account creation. The requirement to create an account is typically justified by the aim of simplifying future purchases, increasing security, or improving the quality of services. However, substantively this is not simply a one-time provision of data for a specific transaction, but the establishment of a long-term relationship between the controller and the data subject that enables persistent identification of the user and further processing of personal data beyond completion of a single purchase.
From the perspective of the GDPR,[1] this increasingly popular practice in the e-commerce sector is problematic primarily with regard to the choice and fulfilment of the relevant legal basis for processing under Article 6(1) GDPR and compliance with the fundamental principles of processing under Article 5 GDPR. Mandatory registration comes into particular tension with the principle of data minimisation under Article 5(1)(c) GDPR, the principle of purpose limitation under Article 5(1)(b), and the principle of storage limitation under Article 5(1)(e) GDPR. It leads to the retention of personal data for a period that may clearly exceed what is necessary for the performance of a specific contract, while at the same time creating space for their further use for secondary purposes.
These problematic areas are addressed by the European Data Protection Board (hereinafter the “EDPB”) in its new Recommendations 2/2025[2] on the legal basis for requiring the creation of user accounts on e-commerce websites, adopted on 3 December 2025 (hereinafter the “Recommendations”). The aim of these Recommendations is to provide data controllers with guidance on assessing under which conditions mandatory creation of user accounts may be considered lawful under Article 5(1)(a) and Article 6(1) GDPR, and in particular to determine whether it may be based on the legal ground of performance of a contract under Article 6(1)(b) GDPR, compliance with a legal obligation under Article 6(1)(c) GDPR, or legitimate interest under Article 6(1)(f) GDPR, with particular emphasis on the principle of data protection by design and by default under Article 25 GDPR.
Definition of an Online User Account and the Material Scope of the Recommendations
The Recommendations define an “online user account” as a personal online space assigned to a user and accessible through an authentication mechanism based on the use of an identifier and password, possibly supplemented by multi-factor authentication. This definition does not cover temporary access based on temporary access tokens that do not require the creation of a password or a permanent profile.
The EDPB also defines the material scope of the Recommendations as covering e-commerce websites, including online marketplaces acting as intermediaries between sellers and consumers. By contrast, the scope does not include, for example, social networks, online search engines, audiovisual media services, online news websites, or platforms connecting individuals in a non-professional capacity (so-called C2C services). From a practical perspective, it is crucial that the Recommendations focus exclusively on situations where account creation is a mandatory condition for accessing the offer or completing a purchase, not on voluntary registration as such.
“Logged-In Environments” as a Structural Risk to Personal Data Protection
At the outset of the Recommendations, the EDPB warns that mandatory creation of user accounts exposes data subjects to increased risks to their rights and freedoms and simultaneously encourages the emergence of so-called “logged-in environments,” i.e. environments in which users are systematically identified during individual actions, including browsing content, concluding contracts, or using ancillary service functions. This fundamentally changes the nature of personal data processing from originally one-time, transaction-limited processing to continuous and repeated identification of the user across visits, purchases, and other interactions within the online user account.
In such environments, not only personal data directly provided by the data subject are processed, but also personal data “generated or derived” by the controller based on the analysis of behaviour, browsing history, and purchasing preferences. In this context, the EDPB notes that this secondary layer of personal data often exceeds the scope of the original purpose of processing, typically the conclusion and performance of a sales contract, and may be further used for marketing, analytical, or other forms of commercial targeting without an appropriate legal basis under Article 6 GDPR and without meeting the conditions for compatibility of further processing under Article 5(1)(b) and Article 6(4) GDPR.
Logged-in environments also facilitate the long-term storage of personal data in active databases for periods longer than necessary for the performance of a specific contract, thereby increasing the risk of infringing the principle of storage limitation under Article 5(1)(e) GDPR. If data subjects do not exercise their right to erasure under Article 17 GDPR, personal data tend to remain stored even in the case of long-unused or “orphaned” accounts, increasing their vulnerability to unauthorised access and other security risks.
Special attention is also paid in the Recommendations to risks associated with authentication mechanisms. The EDPB points to the widespread use of weak or reused passwords and to insufficiently secured credential recovery processes. Mandatory creation of user accounts may therefore ultimately increase the likelihood of identity misuse, unauthorised account access, and other forms of fraudulent conduct, with the negative consequences of such incidents typically borne primarily by the data subjects themselves.
The Online User Account as a Long-Term Legal and Technical Construct
The EDPB further emphasises in the Recommendations that an online user account is not merely a technical means of authentication, but an organisational and technical framework for long-term and systematic processing of personal data. Account creation typically results in the establishment of a permanent profile linked to a specific data subject identity, which is retained for a period exceeding what is necessary for the performance of a one-time sales contract and which is gradually supplemented over time with additional personal data and information about user behaviour. This long-term and cumulative nature fundamentally distinguishes mandatory registration from the one-time provision of data via a transaction-specific form.
Whereas one-off processing of personal data can be terminated after the contract has been performed and limited to what is necessary for archiving and statutory obligations, mandatory creation of user accounts creates both a factual expectation and a technical infrastructure for permanent storage and further use of personal data. This significantly increases the requirements for precise definition of processing purposes and for the selection and sustainability of appropriate legal bases under Articles 5 and 6 GDPR.
Systematic Interpretation of Legal Bases for Processing under Article 6 GDPR
In the Recommendations, the EDPB provides a systematic and detailed interpretation of individual legal bases for processing and their applicability in the context of mandatory creation of online user accounts. The fundamental premise is that the creation of an online user account does not constitute an independent purpose of processing personal data, but merely an organisational/technical means that must always be subordinated to a specific legal basis for processing within the meaning of Article 6 GDPR.
In situations where the creation of an online user account is imposed as a condition for accessing an offer or completing a purchase on an e-commerce website, the EDPB expressly does not consider consent to be a relevant legal basis for such processing, as the user has no genuine choice and “consent” enforced by the impossibility of completing the transaction would lack the requirement of voluntariness under Article 4(11) and Article 7 GDPR. The Recommendations therefore focus on assessing three legal bases under Article 6(1) GDPR that are most commonly relied upon by controllers in this context: performance of a contract under Article 6(1)(b) GDPR, compliance with a legal obligation under Article 6(1)(c) GDPR, and legitimate interest under Article 6(1)(f) GDPR.
Performance of a Contract and the Concept of Necessity under Article 6(1)(b) GDPR
When interpreting the legal basis of processing for performance of a contract, the EDPB repeatedly emphasises that the concept of “necessity” must be interpreted restrictively. Only processing without which performance of the specific contract would not be factually possible may be considered necessary, and the controller must be able to demonstrate that no other less intrusive and equally effective solution exists. Processing that is merely convenient, comfortable, or economically advantageous for the controller does not fall under this legal basis.
For one-time purchases, the EDPB notes that personal data required to conclude and perform a specific transaction, such as a sales contract, can be obtained without creating a user account. Identification and contact data may be collected directly during the ordering process, while subsequent communication, order confirmation, delivery information, or shipment tracking can be ensured via email and one-time links. Likewise, handling complaints and exercising consumer rights can be ensured without a permanent account. The EDPB therefore concludes that, in the case of standard one-time sales, mandatory account creation can hardly be justified as processing “necessary for the performance of a contract”. By contrast, in long-term contractual relationships, typically subscription-based services, account creation may be considered necessary if repeated authentication and service management via an account are an integral part of the service provided. Even in such cases, however, the EDPB stresses that processing based on Article 6(1)(b) GDPR must be limited to the duration of the contractual relationship and that the controller must address account termination and subsequent data retention in accordance with the principle of storage limitation.
Compliance with a Legal Obligation and Its Limits under Article 6(1)(c) GDPR
The EDPB critically assesses the argument that mandatory creation of an online user account is necessary in order to comply with legal obligations, in particular in the area of tax and accounting. Such obligations are generally linked to the retention of specific documents, such as invoices and accounting records, rather than to the long-term maintenance of comprehensive customer profiles in active databases. Retention of such documents can be ensured through a separate archiving regime, an appropriate retention period, and a limited circle of authorised persons, without the need to maintain an active online user account. In this context, the EDPB also recalls that the controller should not maintain identification of data subjects “just in case” and without a specific purpose, which is also reflected in Article 11 GDPR, limiting the obligation of the controller to maintain or re-establish identification if it is no longer necessary for the purposes of processing. For these reasons, the EDPB concludes that the legal obligation under Article 6(1)(c) GDPR will only exceptionally constitute a relevant legal basis for the very requirement of a mandatory online user account in ordinary e-commerce practice.
Legitimate Interest and the Application of the Balancing Test under Article 6(1)(f) GDPR
The most extensive part of the Recommendations is devoted to the legal basis of legitimate interest and the application of the three-step test comprising (i) identification of the legitimate interest of the controller or a third party, (ii) assessment of the necessity of the processing for the purposes of that interest, and (iii) balancing of the controller’s interests with the rights and freedoms of the data subjects.
The EDPB acknowledges that legitimate commercial interests may exist in the e-commerce environment; at the same time, however, it emphasises that Article 6(1)(f) GDPR does not constitute a “universal legal basis for processing” and that each processing operation must pass the necessity test and subsequently the balancing test. The controller must demonstrate that no other less intrusive solution exists that would achieve the intended purpose equally effectively.
In the Recommendations, the EDPB analyses typical purposes invoked by controllers to justify mandatory account creation, such as order tracking, management of subsequent order changes, facilitation of future purchases, customer loyalty building, or fraud prevention, and repeatedly concludes that a mandatory account generally does not represent the least intrusive means within the meaning of the principle of data minimisation and the necessity test. Many of these purposes can be achieved through temporary technical solutions, one-time links, email communication, or voluntary registration.
The EDPB places particular emphasis on the part of the balancing test concerning the reasonable expectations of data subjects and the impact on their rights and freedoms. A customer entering an online shop for the purpose of making a one-off purchase typically does not expect to be forced to create a long-term user account or to have their personal data stored and further used beyond the performance of the contract. The EDPB also expressly highlights the issue of “last-minute” registration, where the obligation to create an account is presented to the user only at the final stage of the ordering process, which may be contrary to the principle of transparency and fairness of processing under Article 5(1)(a) GDPR.
Guest Mode as a Possible Solution
In light of the above, the EDPB concludes that, in the vast majority of standard e-commerce scenarios, the most appropriate solution is to offer users a genuine choice between creating a user account and purchasing without registration, i.e. in “guest mode”. The EDPB considers this model to best meet personal data protection requirements and the obligation of data protection by design and by default under Article 25 GDPR. It makes it possible to limit the scope of processing to data necessary for a specific transaction, appropriately set retention periods, and reduce the risk of further use of personal data for purposes no longer related to contract performance.
At the same time, the EDPB emphasises that neither guest checkout nor voluntary registration in itself constitutes a legal basis for further processing of personal data. The controller is obliged to determine an appropriate legal basis separately for each individual processing purpose, duly fulfil the information obligation, and fully respect the rights of data subjects. Where additional services such as personalisation, loyalty programmes, or marketing communications are offered within a voluntary user account, these purposes must be clearly separated from the purchasing process itself and based on the relevant legal basis, typically consent, which must be withdrawable at any time in the same manner and with the same ease as it was given.
Conclusion
Although the Recommendations do not constitute a directly binding legal instrument, they represent a generally accepted authoritative interpretation of the GDPR, which supervisory authorities will undoubtedly take into account in their decision-making practice. Operators of e-commerce websites (i.e. online shops, online marketplaces, and other entities identified in the Recommendations) should consider these Recommendations already at the stage of designing and modifying their processes, in particular when setting up ordering procedures, default user choices, and in the ongoing assessment of legal bases for individual personal data processing purposes.
From a legal compliance perspective, it can reasonably be expected that mandatory registration as a standard condition of a transaction will become a frequent subject of supervisory and sanctioning activity, especially where it is required for one-time purchases without demonstrable necessity or where it is combined with non-transparent user interfaces and a disproportionate scope of collected personal data.
From a practical standpoint, the most likely direction of further development appears to be the strengthening of guest checkout as the default standard, while user accounts will increasingly be perceived as a voluntary value-added service rather than as a condition for access to basic performance. This shift may have significant implications not only for the technical architecture of e-commerce websites, but also for internal personal data management processes, retention settings, security measures, and the structure of marketing activities.
The Recommendations thus represent a very interesting shift in the interpretation of the GDPR in the e-commerce sector. According to the EDPB, mandatory creation of user accounts is clearly permissible only in exceptional situations, while in the case of standard one-time purchases such practice will generally be incompatible with the requirements of lawfulness, data minimisation, and storage limitation. At the same time, the EDPB promotes a model of genuine choice and purchase without registration as the solution that best corresponds to personal data protection principles and obligations under Article 25 GDPR. Operators of e-commerce websites who fail to adapt their processes to this interpretative framework expose themselves not only to increased regulatory risk, but also to reputational risk. This applies especially in the situation where it may be expected that supervisory authorities will systematically refer to the interpretative standards formulated by the EDPB.
If you have any questions in the area of personal data protection, e-commerce, and compliance, we at PEYTON legal are at your disposal.
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR).
[2] Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites, available at: Recommendations 2/2025 on the legal basis for requiring the creation of user accounts on e-commerce websites | European Data Protection Board
Mgr. Jakub Málek, managing partner – malek@plegal.cz
JUDr. Tereza Pechová, trainee attorney – pechova@plegal.cz
Anna Němcová, legal assistant – nemcova@plegal.cz
29. 1. 2026