GDPR Policy in the EU

TL;DR - https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens_en

Rules for business and organisations: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en

Hi Guys,

We are considering this feature for CS-Cart / Multi-Vendor.

Right now I'm trying to find an answer to the question: what kind of personal data should a customer have access to (export/modify/delete) in CS-Cart?

It looks like:

- User & profile data

- Orders

- Cart & Wishlist content

Besides, if a client wants to be "forgotten", should we erase all the records, or can we just anonymize this data, like replace it with "deleted user"? This is needed in order to maintain the synchronization process - a lot of stores have some kind of synchronisation with CRM, accounting programs, etc. The documentation says there should be 2 options, erase or anonymize, and this is not good :(

This is a very important point I think.

Feel free to share your thoughts on this.

We contacted a lawyer for this, since we're in The Netherlands, and basically it comes down to this.

1) Terms and Conditions need to comply: they should state exactly which user information you are using, why you are using it, if you are storing it, why you are storing it and who you share it with, i.e. external mail client, accounting software and of course which data CS-Cart is collecting and why.

2) Privacy policy and disclaimer: same as above.

3) Every customer (new and old) has to agree with a processors-agreement. They have to accept the agreement where it states again which data is collected, why it is collected and whom it's shared with. Customers have to do this one time only. Old customers need to do this via a pop-up or opt-in via e-mail or similar, and new customers for the first time on checkout, BUT ACTUALLY BEFORE ANY DATA IS COLLECTED. (besides cookies, which need to be in the cookie pop-up)

4) The customer's right to forget. Anonymising data is enough. Our accounting software is GDPR compliant and does just that. Click on a customer, click on forget and all his personal data (name, address, day of birth) is being anonymized.

There should be a separate page where customers can request this.

So on 1&2 CS-Cart needs to make a list of which data is collected, why and how.

On 3&4 there need to be modifications to the store.

Newsletters, all integrations that look at navigation that might capture/reference an email or user_id that can be resolved to any personal information, any 3rd party addons that may have captured information for other usage (like storing an email address for post-order followup, etc.). This could include things like mailchimp, constant contact, klaviyo, etc. And there are probably tons of other areas like blogs and many corner-cases.

A lot of compliance agencies are going to become very wealthy with this. Might make PCI compliance look easy! :-)

Imac, the clock is ticking. Any news about ETA of the cs-cart compliance with GDPR? Store owners need to have time to adapt internal procedures and train personnel.

Any news imac ?

We need this. ...

The customer does not have to be able to delete his account information himself, however he should be able to file in a form with a request to delete his account information.

It should be clear to the customer which information is collected by CS-Cart and why it is.

The customer has to authorize that the shop stores his information.

If customer information or name is indexed by search engines, that information has to be re-indexed when a customer's profile is being deleted.

As far as I can tell it IS allowed to save the data, like products, but everything that has to do with the customer, cookies, IP address, name, contact information, everything has to be erased. Changing a name to "DELETED" with a number or something IS allowed as long as everything else is destroyed.

Yes, the customer won't be able to delete his profile; in the first version of the GDPR add-on we are developing, he has to write an email with a request to delete his data.

As for the authorization (consent) and informing the customer, we will add texts to each registration form with a notice of what data we store and process and for what reasons.

Within the next 2 weeks we will post news about the GDPR add-on in the blog and also send a newsletter.

The feature is under development at the moment.

Changes in CS-Cart will be implemented as an add-on. In case you use the latest version, you will need just an update. In case you use 4.x.x, you will need some help from tech support or a developer to add additional hooks.

The add-on will do 3 major features.

1. Get the consent of a customer [Frontend] (customer will get a clear explanation of what data we are going to collect for what reason)

2. Management of personal data [Backend] (admin will be able to download all customer data he has in CS-Cart as an xml file, and also admin can anonymize customer data)

3. Store the history of consent [Backend] (we will have a special table in DB where all customer consents will be stored. There will be email, data, time, text of consent)

For now we do not add any tools to get consent from existing customers - actually this can be done using a newsletter with a request to confirm they understand what data is stored in the store and they agree with it.
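
Added example, not part of the thread and not CS-Cart code: a sketch of the anonymize-in-place approach discussed above (a placeholder such as "DELETED" plus a number, with orders kept so synchronization still works), followed by a scan that finds copies of the old values left in tables the anonymizer did not know about, such as an add-on's follow-up list. The schema, table names and rows are constructed for illustration and are assumptions, not CS-Cart's real tables.

```python
import sqlite3

# Constructed schema and rows for illustration; not CS-Cart's real tables.
SCHEMA = """
CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT, firstname TEXT, lastname TEXT);
CREATE TABLE orders (order_id INTEGER PRIMARY KEY, user_id INTEGER, email TEXT,
                     ship_name TEXT, total REAL);
CREATE TABLE addon_followup (id INTEGER PRIMARY KEY, email TEXT);
INSERT INTO users VALUES (7, 'jan@example.test', 'Jan', 'Jansen');
INSERT INTO orders VALUES (100, 7, 'jan@example.test', 'Jan Jansen', 59.90);
INSERT INTO addon_followup VALUES (1, 'jan@example.test');
"""

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def anonymize_user(conn, user_id):
    """Overwrite personal fields in the core tables; keep ids and amounts."""
    row = conn.execute(
        "SELECT email, firstname, lastname FROM users WHERE user_id=?", (user_id,)
    ).fetchone()
    if row is None:
        raise KeyError(user_id)
    tag = f"DELETED-{user_id}"
    with conn:  # one transaction: every core table is updated, or none
        conn.execute("UPDATE users SET email=?, firstname=?, lastname='' WHERE user_id=?",
                     (tag, tag, user_id))
        conn.execute("UPDATE orders SET email=?, ship_name=? WHERE user_id=?",
                     (tag, tag, user_id))
    return [v for v in row if v]  # old values, held only for the residue scan

def residual_pii(conn, old_values):
    """Return (table, column) pairs that still contain any of the old values."""
    hits = set()
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in [c[1] for c in conn.execute(f'PRAGMA table_info("{table}")')]:
            for value in old_values:
                # instr() is a literal substring match, so '%' or '_' in a value is safe
                n = conn.execute(
                    f'SELECT COUNT(*) FROM "{table}" WHERE instr("{col}", ?) > 0', (value,)
                ).fetchone()[0]
                if n:
                    hits.add((table, col))
    return sorted(hits)
```

On the constructed data the order row keeps its `user_id` and `total`, while the scan still reports the add-on table, which is the kind of corner case raised earlier in the thread.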

By the way, here is a very good explanation of what it actually is. https://www.slaughterandmay.com/media/2535637/personal-data-anonymisation-and-pseudonymisation-under-the-gdpr.pdf

Nice. But what about cookies? - http://forum.cs-cart.com/topic/51161-gdpr-policy-in-the-eu/#entry294404 - "The expiry period must not exceed one year."

http://blog.cs-cart.com/2018/04/11/understanding-software-in-a-post-gdpr-landscape/

Is there already more news?

I've seen a demonstration of the GDPR Plugin and have to say that CS-Cart did a VERY good job on it.
We have a lawyer ready to audit it when it's being released, but from what I could tell it's GDPR compliant, only need to customize the legal texts on it.

Judging by what I saw, release should be anytime soon. At least more than soon enough for May 25th.

General Data Protection Regulation

https://www.eugdpr.org/

Will CS-Cart have an update soon to help us with these rules?!

Is there another topic discussing this?

Could you please share your results, so we can compare our own results with yours?

Thank you!

Not sure what results you're asking of me.

Audit results :)

Ah! Well, the plugin isn't finished yet; as soon as it is, we'll have it checked and I'll post the results here.

Hello. There is some news about CS-Cart/Multi-Vendor GDPR compliance add-on in our blog. Feel free to discuss it in this topic.

Hello,

Is it 100% obligatory to send a newsletter to all existing customers and ask them explicitly to agree with the new Privacy Policy?

I am sure 95% of recipients will not even open this email, but it does not mean they want to close the account or will not buy again in the future. They just do not care about GDPR emails from hundreds of companies they have registered in the past 20 years. What happens in this case? Do I have to delete all these customers or what? Any idea how to do it right without disturbing customers? (looks like "law makers" did not care that much about customers from this point of view).