GDPR was on everybody's mind during the first few months of 2022. You might think that you have read everything about GDPR, but there is always a new angle from which to approach GDPR and eCommerce. In our previous blogs we explained what GDPR is, set out the reasons to choose an eCommerce platform that is 100% GDPR compliant, and discussed whether you remain GDPR compliant when working with Shopify and Magento.

In this blog we will clear up most of your doubts about GDPR and eCommerce, and provide you with a GDPR guide for your eCommerce business.
First of all, let's focus on the situations where eCommerce data protection rules apply:
  • Your company is based in the European Union and handles personal data,
  • Your company is located outside the European Union but processes personal data in connection with offering goods or services to individuals in the European Union, or with monitoring the behaviour of individuals within the European Union.
Moreover, non-EU companies that handle the personal data of individuals in the EU in this way have to appoint a representative established in the European Union.

Secondly, these are the situations when data protection rules do not apply:

  • The person whose data is concerned is deceased,
  • The subject is a legal person (a company or organisation), not an individual,
  • The personal data is processed by a person acting for purely personal or household purposes, outside any trade, business or profession.

How and who processes personal data

These are tough subject matters, right? Nevertheless, during processing, personal data can pass between different companies or organisations. In this case, there are two important roles involved in processing data:

  • The data controller determines why and how personal data is processed.
  • The data processor stores and processes data on behalf of the data controller.

Who is responsible for processing personal data?

The DPO, known as the Data Protection Officer, is the person in charge of monitoring how personal data is processed. Moreover, he or she informs and advises the employees who handle personal data about their duties. The DPO cooperates with the Data Protection Authority (DPA) and serves as the contact point for the DPA and for the individuals whose data is processed.

Under which circumstances should you assign a Data Protection Officer? 

Your company must appoint a DPO if:

  • You regularly and systematically monitor individuals on a large scale, or process special categories of information (such as health or genetic data) on a large scale,
  • Your core activity consists of the processing of personal data,
  • You process personal data on a large scale. For example, if you handle personal data for the purpose of advertising through search engines based on people's behaviour on the Internet, you must appoint a DPO.

Nevertheless, if you only send your clients marketing material once a year, then you do not need a DPO. If you process personal data on genetics and health for a hospital, a DPO is required. On the contrary, if you are an individual doctor collecting data on a patient's health, then you won't need a DPO.

Who should be my DPO?

The DPO can be a member of your own staff or can be contracted externally on the basis of a service contract.

When is data processing allowed? 

EU data protection rules mean that you should process data fairly, for specified and legitimate purposes, and only the data necessary to fulfil those purposes. Moreover, you should make sure that you meet at least one of the following conditions for processing the data:

  • The data subject has given you consent,
  • You need the data to perform a contract with the individual (for example, to deliver an order),
  • You need the data to meet a legal obligation,
  • You need the data to protect the vital interests of the individual,
  • You process the data to carry out a task in the public interest,
  • You act in the legitimate interest of your company, and the fundamental rights and freedoms of the individual whose data is processed are not seriously affected.

When someone gives consent to the processing of their personal data, you can only process the data for the purpose for which consent was given, and you must allow them to withdraw their consent at any time.

How to provide accurate information to your customers  

There is no doubt that you should give individuals information about who processes their data. You should include the following information as a minimum:
  • Who you are,
  • Why you process their data,
  • The legal basis for the processing,
  • Who will receive the data.
Nevertheless, in some cases the information you provide should also contain:
  • The contact details of the DPO, where applicable,
  • The legitimate interest pursued by the company,
  • The safeguards applied when transferring data to a country outside the EU,
  • How long the data is stored,
  • The individual's data protection rights,
  • How they can withdraw their consent.

Simple and clear rules for children

The first thing that you must do if you are collecting data from a child is to obtain the consent of a parent or legal guardian and inform them of the processing. Nevertheless, the age below which someone is considered a child for this purpose varies from country to country (between 13 and 16 across the EU).
As we have seen above, there is always something new to read and discover about GDPR. By following our GDPR guides, you will always be up to date with the latest GDPR news for SaaS startups. Kooomo simplifies this whole process and provides you with 100% GDPR-compliant software.