General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European privacy law.

The GDPR affects not only European companies, but every company that processes, or could potentially process, the data of EU nationals. That is essentially every company in the world regardless of its location, so the GDPR can affect your store even if it is not located in Europe.

The GDPR gives people more rights over their personal data. Specifically, it gives people the right to access, correct, delete, and restrict the processing of their data, and it sets out strict guidelines on how you must get customers to agree that you can use their data (obtain their consent). If you collect or store any information that can be linked to an individual, that counts as personal data.

You can read the full text of the GDPR.

We recommend seeking professional legal advice regarding the GDPR, as every business is different and some will need more preparation than others to comply with this law. This article gives general guidance on GDPR compliance and is intended to help you pay attention to the most common requirements.

Steps to take when preparing for the GDPR

Under the GDPR, merchants who are based in Europe or who sell to customers from the EU have to comply with the regulation.

Online store collects and processes personal data in a compliant manner; however, it is also your responsibility to comply with the GDPR requirements when you collect and process personal data from your EU customers. Under the new regulation, personal data is defined as any information that can be used to directly or indirectly identify a person. This includes a name, a photo, an email address, bank details, posts on social networking websites, medical information, an IP address, a random code assigned to users to track them for analytics and A/B testing, and more.

Below are the key things we recommend implementing first.

Get clear consent before collecting any data

You need to obtain consent to process your customers' personal data. This means preparing a clear privacy policy that gives detailed information about your company, explains why you collect personal data and what data is stored, and provides the right to withdraw consent to the use of personal data.

In Online store you can require your customers to accept your terms of service before checkout. To do so, enable the Show “I agree with Terms & Conditions” checkbox at checkout option in your Control Panel → Settings → General → Legal Pages. Because it is impossible to place an order without agreeing to the Terms and Conditions, a placed order is a confirmation of consent.

To see how to add a privacy policy, terms & conditions and other legal pages to your store, please refer to the article about legal pages.

Provide customers with the right to access their data

This means that you have to provide your customers with a copy of their personal data in an easily readable and portable format. If you receive a request for personal data, Online store can give you the information that it stores. You should also take into account any third-party services you use in your store that may have access to your customers’ personal data.

Provide customers with the right to delete, edit, and restrict certain uses of their data

As with access requests, Online store can help you delete the personal data that it stores on your behalf. There is also information you can delete yourself. If a customer asks you to delete their order, you must do so in accordance with the law.
You should also keep in mind any third-party services that you use in your store.

We recommend storing data only digitally, encrypted to an acceptable standard and protected with a password of at least the minimum recommended strength, or with one produced by a password generator. It is difficult to securely store, say, paper copies of invoices, so you should rely on digital data only.

Data breach notifications

Online store acts as a data processor and our merchants act as data controllers. If your website experiences a data breach of any kind, you might be required to notify the affected customers. Under the GDPR, a notification must be sent within 72 hours after you become aware of the breach. Data processors are also required to notify the data controllers, as well as users, immediately after becoming aware of a data breach.

What Online store has done to comply with the GDPR

Online store follows the GDPR guidelines on how to collect, store, process and share personal data and complies with the requirements of the GDPR in the following ways:

  • we appointed a Data Protection Officer who is in charge of the Data Protection Policy;
  • we started to deliver the GDPR-focused training to our key teams and personnel;
  • we implemented a detailed procedure to deal with all data subject access requests, deletion requests, and government access requests;
  • we work only with subprocessors who provide adequate protection of personal data through robust technical and organizational measures;
  • we developed a reliable method to detect, report and investigate a personal data breach;
  • we established the necessary records of data processing activities;
  • we are certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, which are a legal mechanism enabling the transfer of personal data from the EEA and Switzerland to the US, under which certified organisations guarantee a level of protection in line with EU data protection law.