GDPR 2018: Everything online shops need to know about data protection

GDPR 2018: Tot ce trebuie să știe magazinele online despre protecția datelor

08/02/2018

No Comments

3990

Beyond the large fines that anyone who does not comply with the General Data Protection Regulation can receive, the most important thing to understand is about data. Specifically, all online traders and beyond (all data controllers) need to know what data they can collect, what obligations they have and for what purposes they can use it.

Another very important aspect is that with the implementation of the General Data Protection Regulation (known as GDPR) on 25 May 2018, the risks of breaching data protection legislation increase significantly, including fines of up to 4% of turnover.

What is GDPR

„GDPR brings several novelties for any personal data controller but the most important one to understand is that beyond the large fines that are usually the main element that bring interest to this topic, it is the real and personalized approach to what data you collect and what you do with it"

GDPR does NOT mean:

a set of documents created by someone outside the company that are placed in the arms of the store;
adopting a security standard;
all employees sign the GDPR text.

"Basically GDPR brings in a relatively new system for law enforcement: instead of saying "Come to my place and let me check you out," it says "Please do your homework." If a problem arises, the Authority will come and ask you if you've done your homework and then look to see if you've done it properly," says the specialist.

Obligations of online shops

"For the most part (the major exception would be the notification of the data security still) the obligations do not differ from the current law (677/2001), except that for most shops these were a non-issue ・in many cases started and ended with the notification to the Authority. The shortest answer is to respect the principles of collection"

Types of data online shops can collect

With the exception of special categories of data or so-called sensitive data (related to health, sex life, political orientation, etc. (see full list here), there are no limitations on the types of data collected. In our experience at Trusted.co.uk, we can encounter the following categories of data collected:

Consumer data obtained following an order
Details of newsletter subscribers
Website visitor data
Facebook page visitor data
Employee data
Customer data in a CRM
Your job applicants' details
How and where the collected data can be used

The GDPR does not set out purposes or places where collected data could not be used. It is just that the purpose must be seen in relation to the lawful basis of the processing, especially to answer the legitimacy of the purpose.

Let's take an example: all shops collect customers' personal data in order to send them products. Here the aim is to legally complete the purchase process and deliver the order. That falls under the legitimacy of Article 6(2) when the processing is necessary for the performance of a contract to which the data subject is a party.

The problem is that most shops do not stop there and they want to use the data for marketing as well and then they have to think about it:

how they define this new goal
what is the legal basis for it (because in this case the processing is NOT necessary for the performance of a contract)
what other obligations they should have (information, data retention periods, etc.)

Who can operate with customers' personal data

Neither here GDPR does not impose strict limits, but requires operators - and in our case online shops - to ensure organisational and technical measures for the protection of personal data - to make sure that the data is used exclusively for the purpose stated above. This refers to any natural or legal person who processes the data collected by the controller. So we refer to both :

employees of online shops
any service provider outside the shop that has access to the data collected by the shop (referred to by law as the "processor")

What obligations online shop employees have when processing data

For employees the store should both oblige them to respect the purpose for which they are processed and their confidentiality, but also educate them on why it is important to do so.

Personal data may be processed according to the conditions laid down in Article 6 of the GDPR:

consent
to perform a contract to which the data subject is a party or to take steps at the request of the data subject prior to the conclusion of a contract;
the fulfilment of a legal obligation incumbent on the operator;
protecting the vital interests of the data subject or another natural person;
the performance of a task carried out in the public interest or in the exercise of official authority vested in the operator;
legitimate interest

What happens to data processed for marketing

Of all the above conditions of legality, the one that is The most reliable in online marketing is consent (agreement), which, very importantly, must be a clear and free action by the user.

The only exception might be the use of "legitimate interest", except that online shops should be aware that legitimate interest must be proven and weighed against users' rights. Here it depends very much on the level of privacy intrusion of the type of marketing used ・ it's one thing to send a newsletter a month to a former customer and quite another to analyse their every move on your site.

"So if the store just says itself or in its privacy policy - we use 'legitimate interest' as the legal basis - it is insufficient. You need a detailed analysis that starts from the data collected and purpose to the user's rights to see if indeed legitimate interest can be considered as a legal basis in that specific case. This is not necessarily a simple matter, so the recommendation for online shops that don't have the necessary expertise is to go for consent as a legal basis," he advises.

Where the data is stored

The storage location is less important. The law only requires that it meets appropriate security conditions. But this includes hosting the data in a country that has an adequate protection regime - the European Union or other countries where this level is recognised, including US firms.

What measures online shops should take to protect data

GDPR applies to all processing of personal data - from an attendance list at an event to health data collected by hospitals. That's why Article 32 of the GDPR only gives generic guidelines on technical and organisational measures. It is up to each shop to identify what is appropriate in these circumstances.

What the law says - Taking into account the current stage of development, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risk with varying degrees of probability and severity to the rights and freedoms of natural persons, the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk.

What to do in case of data security damage

Here is an important new feature from GDPR - any data breach must be notified to the Authority within 72 hours of becoming aware of it. However, it is not yet clear what procedure in Romania will have to be followed - presumably there will be detailed explanations from the Authority, but for now there is a guide carried out by the Article 29 Working Party (which brings together enforcement authorities from all Member States).

Penalties and fines for non-compliance with the Regulation

Regulation GDPR provides for heavy fines, where only the upper threshold is set - 10 or 20 million euros or 2 % or 4% of turnover. Also, the criteria by which these fines should be applied are set out in Article 83 of the GDPR. We expect that there will be national rules to be adopted later this year which will set out further subsequent details.

Source: startupcafe.ro