From 25 May 2018 the GDPR (General Data Protection Regulation), the European data protection regulation, applies.
If you own an e-commerce site, it is very important to know the rules in order to be in compliance by that deadline.
IMPORTANT: this article is only meant to give general information and help people understand what the GDPR is about.
Obviously it does not constitute a legal opinion, and it is understood that the web agency has a duty to inform the customer but no obligation to bring the site into compliance without authorisation or a specific request from the customer.
What is the GDPR?
It is a European law that regulates the processing of personal data and applies to every organisation that processes the personal data of residents of the European Union. The objective of the Regulation is to simplify the protection of personal data across Europe, so as to protect all its citizens.
What constraints do e-commerce sites have?
1 - Collect only the strictly necessary data
Only the data you actually need may be collected. For example, if you only need to know the age of your customers so that they can benefit from a special offer, you request the date of birth but not the location. You may also keep this information only for as long as it is needed for its purpose. For instance, when a customer buys online, the bank card details are kept only for the time necessary to complete the payment transaction, and if that customer makes no further transactions in the following 3 years, the details must be deleted.
2 - Ask your customers for consent when collecting their personal data
Before collecting personal data, it is mandatory to ask for authorisation and to specify the purpose for which the data will be used. For example, for a newsletter subscription you must state that the email address will be used only to send informational emails, and you must indicate how the customer can unsubscribe if they wish.
Consent must be given clearly, by signing a contract or by filling out a form. Attention: leaving boxes pre-checked by default in order to obtain a customer's consent is, from now on, prohibited.
3 - Be able to provide customers with their personal data and respect the right to erasure
If customers ask to consult their personal data, the e-commerce owner is obliged to provide it in a readable and understandable format, indicating how the data is used. If the customer considers that their data is not necessary for the stated purposes, they can request its erasure.
4 - Document the data processing procedures
You will have to be able to prove, at any time, that the processing of customers' personal data is "carried out in accordance with the regulations" in the event of an inspection. It will be necessary to keep "a register of the processing activities carried out under one's responsibility".
The register must contain:
• The name and contact details of the data controller
• The purposes of the processing
• A description of the categories of people involved and the categories of personal data
• The categories of recipients to whom the personal data have been or will be transmitted, including recipients in other countries or international organizations
• Where applicable, the transfers of personal data to foreign countries or international organisations
• As far as possible, the time limits established for the erasure of the different categories of data
• As far as possible, a general description of the technical and organisational security measures
5 - Secure the collected data
Personal data must be protected from any risk of theft, loss or disclosure by guaranteeing their complete security: the confidentiality, integrity and availability of the processing systems and services, and the ability to erase the data.
Are there penalties?
The severity of the infringement determines the amount of the sanction: the most serious infringement is processing customers' personal data without having first obtained their consent.
You may have to pay a fine of up to 4% of annual turnover or up to 20 million euros (a deterrent aimed at the multinationals that dominate the web).
Only a few months remain to adapt to the European Regulation
Our advice is to follow the guidance of the GDPR and, where appropriate, engage a law firm to update your privacy and cookie documents; in support of this, ask your web agency for a report on the security of your e-commerce site.