GDPR Preparation: A Summary of Essential Information for Online Store Owners

What is the GDPR?

The new General Data Protection Regulation replaces the legislative package and EU directives that had been in effect since 1995. The regulation, which takes precedence over the national law of each member state and is binding on every data controller that processes the data of EU citizens, came into effect on May 25, 2018.

The General Data Protection Regulation (GDPR) is relevant to all companies that keep customer databases and engage in direct marketing, as well as to any entity that processes or manages the data of EU citizens. Companies must prepare adequately before the regulation comes into effect, which is why we have selected the points of the regulation that matter most to online store owners.

It is worth emphasizing that most of the previous laws and obligations, such as the requirement to be registered in the data controllers’ register, cease to apply from that same day. Nevertheless, small and medium-sized enterprises in Lithuania are preparing inadequately for these rules because of circulating rumors and other inaccurate information. The purpose of this post is to familiarize e-commerce owners with the correct and necessary practices and to provide concise, specific information.

Why is it necessary to prepare for GDPR?

Violations are categorized as minor or major. For minor violations, administrative fines of up to EUR 10,000,000 or, in the case of a company, up to 2% of annual turnover are imposed, whichever amount is greater. For major violations the fines are doubled: up to EUR 20,000,000 or up to 4% of annual turnover (again, whichever amount is greater).

Minor violations:

Violation of the procedure for exercising the rights of data subjects

Failure to cooperate with the supervisory authority

Improper engagement of data processors or improper formalization of relationships with them

Data processing carried out by the data processor without the instructions of the data controller

Failure to inform about data security breaches

Major violations:

Violations of the purpose limitation principle and all other violations of fundamental principles (accuracy, storage duration, etc.)

Processing of special categories without an exception allowing it

Violations of data subjects’ rights

Illegal data transfer to a data recipient in a third country

To this day, rumors circulate that companies will first be consulted when violations are identified; however, it is worth noting that the regulation itself provides for no warnings and directly stipulates the application of administrative penalties and sanctions.


Key Concepts

Personal data – any information related to an identified or identifiable natural person, i.e., information about a person whose identity is clear or can be established at least by obtaining additional data.

It should be noted that data protection applies to natural persons; the GDPR rules do not apply to legal entities themselves. However, the email address of an employee of a legal entity that contains their first and last name is already protected by the GDPR. For example, richard.smaizys@prestarock.com is considered protected information, while info@prestarock.com is not.

E-commerce owners should also be concerned with details such as shoe size or dress size, which, when linked to a specific individual and their identity, are already considered their private information that is protected and regulated. The same applies to IP addresses, first names, last names, address information, and other self-evident items.

Another instructive example: storing a phone number together with a first and last name in your phone while preparing, for instance, an offer. In principle, this is also data regulated in the examples described later. Essentially, if you do not continue working with the client (you submitted a proposal but did not win it), you should delete that data. In other words, this example shows that, in theory, even the entries you put into your mobile phone’s address book (the client’s employee’s first name, last name, and phone number) are regulated data.

Processing of personal data means ‘any operation or set of operations performed on personal data, whether by automated means or not, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, blocking, erasure or destruction.’ It is also worth mentioning that the term ‘processing’ encompasses actions by which personal data of one data controller is transferred to the responsibility of another data controller.

The data controller is essentially the one who first obtains permission to collect and process that data and stores it.

The data processor is a party that processes the data with the data controller’s permission, where the individual has been informed that this specific processor may process their data; the processing itself is understood in the sense described above.

In a specific e-commerce case, the data controller would be the owner of the online store, while the processor would be the company providing the service, which collects individuals’ addresses and subsequently stores, processes, and otherwise uses them to perform the service. In our understanding, a data processor also includes the hosting company providing physical server hosting, programmers who have the ability to access, manage, filter, process, collect, and otherwise handle personal data, etc.

The data protection officer (a concept relevant only to large companies with many employees that collect large amounts of data) is an intermediary between the supervisory authorities and the company’s human resources departments, divisions, and the individuals whose data is collected (users, clients, partners, website visitors, people captured by video surveillance cameras, etc.).

The authorities require a data protection officer to be appointed in companies whose main activity is data processing, where continuous operations on data are performed on a large scale or with a large impact (for example, an accounting firm), as well as in companies handling special categories of data (healthcare, etc.).

Such an officer must be involved in all data processing processes, must be independent of other positions and employees, must be provided with the necessary resources, and must be constantly reachable (especially in the case of a breach, to react in theory immediately or within 24 hours); in practice, the officer is the coordinator of compliance with the data regulation.

A data security breach – a security breach that results in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, data. We recommend that companies have a predefined data security breach procedure in place, which allows you to assess the scale and extent of the emerging risk, as this determines whether you must additionally inform the supervisory authorities and the data subject within 72 hours of the breach occurring. In any case, every company must maintain a record of data security breaches, regardless of their scale.

The data protection impact assessment (a new assessment required only for new systems or processes, not for existing approved company or operational processes) – is a process designed to describe the processing, evaluate its necessity and proportionality, and help manage the risks to the rights and freedoms of individuals that may arise when processing personal data. A properly conducted assessment makes it easier to demonstrate compliance with GDPR requirements or to defend your position in the event of an incident. An assessment must be conducted when the processing concerns special categories of data (the health sector, etc.), large-scale monitoring and data collection, operations that national rules designate as requiring an assessment, etc.

The principles of data protection discussed in GDPR

The principle of lawfulness, fairness, and transparency – the client is informed about the data being collected on an opt-in basis, rather than opt-out.

The purpose limitation principle – each data set or processing of personal data requires a clearly defined purpose. The same collected data cannot be used for another purpose if the individual whose data is being processed did not consent to that purpose.

The data minimization principle – unnecessary and unused data should, in theory, be deleted immediately and not retained. Recall the example described earlier: storing a phone number together with a first and last name in your phone while preparing, for instance, an offer. In principle, this is also regulated data. Essentially, if you do not continue working with the client (you submitted a proposal but did not win it), you should delete that data.

Principle of accuracy – data is used only for the purposes for which it was permitted to be used.

Principle of storage limitation – the data controller clearly defines and informs the individual how long they will retain the data in their systems, and subsequently – how and when they will delete it.

Principle of integrity and confidentiality

Legal bases for data processing (when data can be processed)

The performance of the contract – it is recommended to rely on this when it is necessary to process data in order to fulfill contractual obligations.

Consent – it is recommended to rely on this when the data subject has given consent for their personal data to be processed for one or several specific purposes. Consent must be demonstrable (opt-in, not opt-out), must be revocable by the user themselves, withdrawing it must be no more complicated than giving it, and consent must be given freely and separately for each purpose.

Legitimate interests – it is recommended to rely on this when processing data is necessary for the legitimate interests of the data controller or a third party, except where such interests are overridden by the interests, rights, and freedoms of the data subject that require the protection of personal data, for example, in the case of minors, etc.

The grounds for processing special categories of data are also specifically identified: consent, legal obligation, defense interests, processing of publicly available data, medical records, etc.

What do you need to know if you are transferring data outside the EEA?

If you are transferring data outside the EEA, at least one of the special grounds is required:

EC adequacy decision

Binding corporate rules

Standard data protection clauses

Approved code of conduct

Approved certification mechanism

Where to start?

We recommend creating a data inventory, for example in an Excel file, in which you collect all the information you hold about your users (later you can extend it to employees and others). Essentially, you need to describe and categorize each field or item of data stored about the user in the system, and then link each of those data items to the specific purposes for which it is used. Each such purpose must be confirmed (agreed to) by the visitor or user of your online store.

Having clear objectives for how you will use visitor information and what information you will store will allow you to prepare for the actual integration of GDPR into your online store and to properly describe the privacy policy and terms of service.
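The data inventory described above, worked through as an added example that is not part of the original post: each stored field is listed with its purpose, legal basis and retention period, an audit flags rows that break purpose limitation, storage limitation or the opt-in consent requirement, and a second check returns the fields that should be erased for a given user. All field names, sample rows and the rule that retention is counted from the user’s last activity are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Added example (not from the original post): a minimal version of the data
# inventory the text suggests keeping in a spreadsheet; rows are constructed.
@dataclass
class DataField:
    name: str
    purpose: str            # "" = no defined purpose
    legal_basis: str        # "contract", "consent" or "legitimate_interest"
    retention_days: int     # 0 = kept indefinitely
    consent_opt_in: bool = False  # demonstrable opt-in recorded for "consent"?
@dataclass
class UserRecord:
    user_id: str
    last_activity: date
    fields: dict            # stored field name -> value

def audit_inventory(inventory):
    """Flag rows that break purpose limitation, storage limitation or the
    opt-in consent requirement; returns (field, reason) pairs."""
    findings = []
    for f in inventory:
        if not f.purpose:
            findings.append((f.name, "no defined purpose"))
        if f.retention_days <= 0:
            findings.append((f.name, "no retention period"))
        if f.legal_basis == "consent" and not f.consent_opt_in:
            findings.append((f.name, "consent basis without recorded opt-in"))
    return findings

def fields_to_erase(record, inventory, today):
    """Names of stored fields that are not in the inventory (data minimisation)
    or whose retention period, counted from last activity, has expired."""
    by_name = {f.name: f for f in inventory}
    expired = []
    for name in record.fields:
        f = by_name.get(name)
        if f is None or (f.retention_days > 0 and
                         record.last_activity + timedelta(days=f.retention_days) < today):
            expired.append(name)
    return expired
INVENTORY = [  # constructed sample rows
    DataField("email", "order confirmation", "contract", 3 * 365),
    DataField("shoe_size", "size recommendation", "consent", 365, True),
    DataField("ip_address", "", "legitimate_interest", 0),
    DataField("phone", "offer follow-up", "consent", 90),
]
SAMPLE_USER = UserRecord("u1", date(2018, 1, 10), {"email": "a@example.com",
    "shoe_size": 42, "phone": "+370 600 00000", "dress_size": "M"})
```

Running `audit_inventory(INVENTORY)` reports the IP address row (no purpose, no retention period) and the phone row (consent basis without a recorded opt-in); `fields_to_erase(SAMPLE_USER, INVENTORY, today)` lists the expired phone number and the unlisted dress size once more than 90 days have passed.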


Disclaimer

This information is compiled by programmers from various sources and has no legal validity. This is not legal advice, so if you have any doubts about any point, we strongly recommend consulting your company’s lawyer.

Sources

https://ec.europa.eu/commission/sites/beta-political/files/data-protection-factsheet-sme-obligations_lt.pdf

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_lt

https://www.ada.lt/go.php/lit/12-pasirengimo-zingsniu

Materials from Algirdas Sakalauskas’ lectures.

Andrius Iškauskas’ E-Commerce 18 presentation