This software was built with GDPR requirements in mind to help you make your Kartra GO Store as GDPR compliant as possible. It follows the regulation's requirements exactly, including the inconvenient ones, so that you do not get an unpleasant or costly surprise in the form of a fine.
You need to be aware, however, that no single extension can make your store 100% GDPR compliant. To achieve maximum compliance you must process data in accordance with GDPR requirements, and you must write your own Privacy, GDPR and other relevant policies. See the bottom of the page for more information on GDPR.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
The Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
The Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
The Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
For an eCommerce owner (controller or processor), this means that you need to comply with GDPR in the following cases:
In order to be able to demonstrate compliance with GDPR, you need to process personal data in accordance with the following principles, which state that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
The above means that you cannot process personal data simply because you want to, for as long as it is convenient for you, or do whatever you like with it, even if you have the client’s consent to process it. Instead, you need to develop a personal data processing strategy: a lawful basis for processing personal data, the purpose for which data is collected, the categories of data to be collected, and a time limit for data storage. This strategy may be stated in a form of its own or as part of your Terms and Conditions or Terms of Service. The customer needs to be informed about this strategy before you collect his or her personal data.
GDPR defines several lawful bases for data processing. An eCommerce store can use the following:
Contract as a lawful basis can be used in those cases where you need the customer’s personal data to process an order: a shipping address to ship the order, a billing address to send an invoice. This basis also covers the guarantee period and the like.
Consent as a lawful basis can cover almost any case where:
Legitimate interests as a lawful basis can be used for the purposes of direct marketing or fraud protection.
The optimal choice for eCommerce is to use contract as the lawful basis when collecting personal data for the purpose of order processing, and consent when a customer creates an account (direct marketing, newsletter). Using consent for order processing causes a problem when a customer withdraws consent: you are obliged to delete the personal data, since you have no other legal basis to process it, yet you still need that data to process the order.
In order to comply with the ‘fairness and transparency’ principle of data processing, you need to inform a customer, before collecting his or her personal data, about the following:
A customer, as a data subject, has the following rights concerning his or her personal data: