GDPR and Online Store

EU Data Protection Regulation and online retailer

The great thing about ecommerce is that it is easier than ever to grow your business beyond your borders. The GDPR applies in all EU member states from 25 May 2018. The General Data Protection Regulation is designed to support cross-border trade with one set of rules, and it applies to the processing of personal data of individuals in the EU regardless of their citizenship, including when the merchant is established outside the EU and offers goods or services to them (Article 3).

The GDPR defines personal data as follows: “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. (GDPR Article 4(1))

In practice this means that almost all information an online store holds about a customer (name, address, email, order history, IP address and cookie identifiers) is personal data and falls under the regulation. Once the regulation applies, merchants must ensure that personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it must be deleted or anonymised.

Online Stores and Processing Personal Data

The regulation defines when personal data may be processed. Under Article 6(1), processing is lawful only if and to the extent that at least one of the following applies:

  (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
  (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

The merchant may process the personal data needed to fulfil an order without asking for separate consent, because the order is a contract to which the customer is a party (ground (b) above). The same applies when a person registers as a customer, makes a reservation or otherwise takes steps towards a purchase at their own request. Note that this ground only covers processing that is actually necessary for the order: delivery address, payment and shipping status, for example. Using the same data for marketing, profiling or sharing with third parties for other purposes needs its own lawful basis, typically consent or legitimate interest.

So, what is changing?

Every processing of personal data must rest on a documented lawful basis, and the controller must be able to show this. The requirements placed on controllers grow, and so do the rights of the individual (the data subject). In addition, non-compliance is sanctioned with administrative fines. The regulation also defines the obligations between the controller and any processor that processes personal data on behalf of the controller.

The principle of accountability

The General Data Protection Regulation (GDPR) introduces a new principle to data protection rules in Europe: accountability (Article 5(2)). The controller is responsible for making sure all the data protection principles are adhered to, and the GDPR also requires that your organisation can demonstrate compliance with them.
Firstly, the organisation must know which principles it has to adhere to. Article 5(1) sets out six: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. One of the best ways to make sure these principles are adhered to is to set up your internal privacy governance correctly and comprehensively: know what data you hold, why you hold it, where it is stored and who can access it.

Email marketing

Merchants can send marketing emails to customers if there is active consent, or if the email address was collected in connection with an order and the customer was given a clear chance to opt out at collection and did not use it. This second route, often called the “soft opt-in”, comes from the ePrivacy Directive (2002/58/EC, Article 13(2)) rather than the GDPR itself: it covers only marketing of your own similar products or services, every message must carry an easy opt-out, and national implementations differ, so check the rules of the country you market in. Where you rely on consent, the GDPR (Article 4(11)) defines “consent of the data subject” as any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. A pre-ticked box does not qualify. Remember to describe email marketing in your Privacy Policy.

Controller vs Processor

The GDPR defines different roles for parties handling personal data. It is important to understand the roles and the requirements each role carries:

  • “Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data;
  • “Processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. Software and service suppliers that save, store or process personal data on behalf of the online store are processors, for example.

This means that an online store will typically have several processors: the ecommerce platform, the OGOship warehousing platform, the newsletter service, and so on. Keep an inventory of them, because each one needs a processing contract (see below).

What to do now?

You can prepare your online store for the regulation by updating your privacy policy, especially regarding profiling of customers. Under Article 4(4), processing counts as “profiling” when it involves:

  • (a) automated processing of personal data; and
  • (b) using that personal data to evaluate certain personal aspects relating to a natural person.

Specific examples include analysing or predicting “aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.” Product recommendations, customer segmentation and fraud scoring in a web shop are typical cases. Alongside the privacy policy you also need to update the terms of use for your customers. Also keep in mind that the controller must have a written contract with every processor.

Contract between Controller and Processor

The GDPR treats the merchant as the controller: the party that determines what data is collected and why. Processors are the parties that actually store, save or process the data on behalf of the controller.
The key requirement of the GDPR in respect of data processing terms (Article 28) is to have a written contract in place when appointing a processor, whether as a controller appointing a processor or as a processor appointing a sub-processor. The contract must set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subject, and the obligations and rights of the controller.
At a minimum, the contract must require the processor to:

  • only act on the written instructions of the controller;
  • ensure that people processing the data are subject to a duty of confidence;
  • take appropriate measures to ensure the security of processing;
  • only engage sub-processors with the prior consent of the controller and under a written contract;
  • assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR;
  • assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments;
  • delete or return all personal data to the controller as requested at the end of the contract; and
  • submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a Member State.

In other words, data controllers, i.e. the customers of data processors, may only use processors that provide sufficient guarantees of GDPR compliance (Article 28(1)), or they risk penalties themselves. As supervisory authorities enforce penalties on controllers for a lack of proper vetting, processors may find themselves obliged to obtain independent compliance certifications or audit reports to reassure their would-be customers.

Right of access by the data subject

The GDPR gives data subjects more rights. The regulation does not only define the rights but also how the information must be presented to the data subject.

The regulation requires the controller to provide information about the processing of personal data to the data subject in a concise, transparent and easily understandable form (Article 12). Under Article 15, the data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data together with information such as the purposes of the processing, the categories of personal data concerned, and the other items listed in Article 15(1). Data subjects also have, for example, the right to rectification (Article 16) and the right to erasure, also known as the right to be forgotten (Article 17). Responding to these requests must be free of charge unless a request is manifestly unfounded or excessive, and the controller must act without undue delay and at the latest within one month, extendable by two further months for complex or numerous requests (Article 12). For an online store this means you need a practical way to find, export and delete everything you hold about one customer, including data held by your processors.

OGOship as data Processor

We at OGOship have tuned our internal processes, customer agreements and our warehouse management system to ensure that we are ready before May 2018. Our customers can continue to transfer personal data to our systems lawfully once the GDPR applies.

P.S. Please note that this post is for informational purposes only and should not be considered legal advice.

Would you like to know more?

Please feel free to ask us, we’re happy to help!

We try to reply to all queries within 24 hours.