Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
The Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
The Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behaviour as far as their behaviour takes place within the Union.
The Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
For an eCommerce owner (controller or processor), this means you need to comply with the GDPR in the following cases:
- your business is established in the EU;
- you operate in the EU or with EU citizens (even if someone from the EU has merely subscribed to your newsletter);
- local law requires adherence to the GDPR.
To be able to demonstrate compliance with the GDPR, you need to process personal data in accordance with the following principles, which state that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- accurate and, where necessary, kept up to date (‘accuracy’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
This means that you cannot process personal data simply because you want to, for as long as it is convenient for you, or do whatever you like with it, even if you have the customer’s consent to process it. You need to develop a personal data processing strategy: a lawful basis for processing, the purpose for which data is collected, the categories of data to be collected, and a time limit for data storage. This strategy may be stated in a form or as part of your Terms and Conditions or Terms of Service. The customer needs to be informed about this strategy before you collect his or her personal data.
The GDPR defines several lawful bases for data processing. An eCommerce business can use the following:
- contract;
- consent;
- legitimate interests.
Contract as a lawful basis can be used in those cases where you need the customer’s personal data to process an order: a shipping address to ship the order, a billing address to send an invoice. This basis also covers the guarantee period and the like.
Consent as a lawful basis can cover almost any case, provided that:
- consent is given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the customer’s agreement to the processing of personal data relating to him or her, such as ticking a box;
- you are able to demonstrate that the customer has given consent to the processing operation (e.g. by means of an automated logging system);
- the customer has the option to give separate consent to different personal data processing operations, where applicable;
- performance of a contract, including the provision of a service, is not made conditional on consent if that consent is not necessary for such performance;
- if the customer withdraws consent, the personal data are erased when there is no other lawful ground to process them.
Legitimate interests as a lawful basis can be used for the purposes of direct marketing or fraud protection.
The optimal approach for eCommerce is to use contract as the lawful basis when collecting personal data for order processing, and consent when a customer creates an account (direct marketing, newsletter). Using consent for order processing will cause a problem when a customer withdraws consent: you are obliged to delete the personal data since you have no other legal basis to process them, but you still need that data to process the order.
To comply with the ‘fairness and transparency’ principle of data processing, you need to inform the customer, before collecting his or her personal data, about the following:
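The consent and lawful-basis rules above can be turned into a small data model: each purpose carries its own lawful basis and retention period, consent is logged as evidence of the affirmative act, withdrawal removes only the consent-based purpose, and personal data is erased once no purpose with a lawful basis remains. The following is an illustrative example added here, not code from the original article; the purposes, retention periods and class names are assumptions chosen to mirror the article's scenario (contract for the order with a 30-day money-back period, consent for the newsletter).

```python
"""Consent ledger for an online shop: per-purpose lawful basis, logged consent
as evidence, purpose-bound erasure. Illustrative example added here, not from
the original article; all names, purposes and retention periods are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
import json


class Basis(Enum):
    CONTRACT = "contract"
    CONSENT = "consent"
    LEGITIMATE_INTERESTS = "legitimate_interests"


# Processing purpose -> (lawful basis, retention period). Constructed values:
# orders are kept for an assumed 30-day money-back period, newsletter data
# only for as long as consent stands, fraud-prevention data for a year.
PURPOSES = {
    "order_processing": (Basis.CONTRACT, timedelta(days=30)),
    "newsletter": (Basis.CONSENT, None),
    "fraud_prevention": (Basis.LEGITIMATE_INTERESTS, timedelta(days=365)),
}


@dataclass
class ConsentEvent:
    purpose: str
    given: bool      # True = consent given, False = withdrawn
    at: datetime
    evidence: str    # the affirmative act, e.g. "checkbox:newsletter_v3"


@dataclass
class CustomerRecord:
    customer_id: str
    data: dict = field(default_factory=dict)      # purpose -> personal data fields
    purposes: dict = field(default_factory=dict)  # purpose -> when processing began
    consent_log: list = field(default_factory=list)


class Ledger:
    def __init__(self):
        self.customers = {}

    def collect(self, customer_id, purpose, data, now, evidence=None):
        """Store data for one purpose; a consent-based purpose requires evidence."""
        basis, _ = PURPOSES[purpose]
        if basis is Basis.CONSENT and not evidence:
            raise ValueError("consent must be a recorded affirmative act")
        rec = self.customers.setdefault(customer_id, CustomerRecord(customer_id))
        if basis is Basis.CONSENT:
            rec.consent_log.append(ConsentEvent(purpose, True, now, evidence))
        rec.data.setdefault(purpose, {}).update(data)
        rec.purposes[purpose] = now
        return rec

    def withdraw_consent(self, customer_id, purpose, now):
        """Withdrawal drops only the consent-based purpose and its data; data held
        under another basis (an open order under contract) is unaffected.
        Returns True when the customer has no lawful basis left at all."""
        rec = self.customers[customer_id]
        if PURPOSES[purpose][0] is not Basis.CONSENT:
            raise ValueError(f"{purpose} does not rest on consent")
        rec.consent_log.append(ConsentEvent(purpose, False, now, "withdrawal"))
        return self._drop_purpose(rec, purpose)

    def expire(self, now):
        """Storage limitation: drop purposes whose retention period has elapsed.
        Returns the ids of customers left with no lawful basis (fully erased)."""
        erased = []
        for rec in self.customers.values():
            for purpose, started in list(rec.purposes.items()):
                retention = PURPOSES[purpose][1]
                if retention is not None and now - started > retention:
                    self._drop_purpose(rec, purpose)
            if not rec.purposes:
                erased.append(rec.customer_id)
        return erased

    @staticmethod
    def _drop_purpose(rec, purpose):
        rec.purposes.pop(purpose, None)
        rec.data.pop(purpose, None)  # purpose limitation: the data goes with the purpose
        return not rec.purposes      # design choice: consent log kept as evidence

    def active_bases(self, customer_id):
        return {p: PURPOSES[p][0].value for p in self.customers[customer_id].purposes}

    def export(self, customer_id):
        """Right of access / data portability: machine-readable copy of the data."""
        rec = self.customers[customer_id]
        return json.dumps({"customer_id": rec.customer_id, "data": rec.data,
                           "purposes": {p: t.isoformat() for p, t in rec.purposes.items()}},
                          indent=2, sort_keys=True)


def demo():
    """The article's scenario: contract for the order, consent for the newsletter,
    then consent withdrawal and, later, expiry of the order retention period."""
    ledger = Ledger()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    ledger.collect("c1", "order_processing", {"name": "A. Customer", "ship_to": "1 Example St"}, t0)
    ledger.collect("c1", "newsletter", {"email": "a@example.invalid"}, t0, evidence="checkbox:newsletter_v3")
    bases_before = ledger.active_bases("c1")
    erased_on_withdrawal = ledger.withdraw_consent("c1", "newsletter", t0 + timedelta(days=1))
    data_after_withdrawal = {p: dict(v) for p, v in ledger.customers["c1"].data.items()}
    erased_on_expiry = ledger.expire(t0 + timedelta(days=31))
    return bases_before, erased_on_withdrawal, data_after_withdrawal, erased_on_expiry, ledger.customers["c1"].data


if __name__ == "__main__":
    print(demo())
```

Keying the stored fields by purpose is what makes withdrawal safe: the newsletter e-mail address disappears the moment consent is withdrawn, while the shipping address stays until the order's own retention period runs out, at which point the record is erased because no basis remains. Retaining the consent log after erasure is a design choice made here so that the shop can still show that consent was given and withdrawn; whether and how long to keep that log is a decision the shop's own retention policy has to document.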
- your identity (or that of your representative) and contact details;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- the recipients or categories of recipients of the personal data (e.g. payment processor, shipping company), if any;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period (e.g. if you have something like ’30-day money back guarantee’ such period will be 30 days after order placement);
- the existence of the right to request access to personal data and rectification or erasure of personal data or restriction of processing or to object to processing as well as the right to data portability;
- where the processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- the right to lodge a complaint with a supervisory authority;
- whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the customer is obliged to provide the personal data and the possible consequences of failure to provide such data.
A customer, as a data subject, has the following rights concerning his or her personal data:
- Right of access by the data subject: you should provide a copy of the personal data undergoing processing.
- Right to rectification: you should rectify inaccurate personal data.
- Right to erasure (‘right to be forgotten’): you should delete personal data if you no longer need them in relation to the purposes for which they were collected, if the data are processed unlawfully, or if the customer withdraws consent and you have no other legal ground to process the data.
- Right to restriction of processing: you should stop processing personal data if the accuracy of the personal data is contested by the customer, for a period enabling you to verify the accuracy of the data, or if the processing is unlawful, or if you no longer need the personal data for the purposes of the processing.
- Right to data portability: the customer has the right to receive the personal data concerning him or her, which he or she has provided to you, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller.