GDPR Compliance in CS-Cart and Multi-Vendor

On 25 May 2018, the General Data Protection Regulation of the European Union will become enforceable, with large fines for non-compliance. CS-Cart and Multi-Vendor 4.7.4 (to be released in the first half of May) will have the tools to help you comply with the regulation. Our technical support will be able to assist those who use older versions and can’t upgrade.

This topic is a brief summary. Our blog has a more detailed article about upcoming GDPR compliance tools.

The GDPR (General Data Protection Regulation) describes how you can acquire, store, and process the personal data of EU citizens and residents. You and your lawyers have probably familiarized yourselves with it already, but here is the full text of the GDPR just in case. The upcoming regulation does affect online stores: for example, when a customer gives you an email address for account registration or newsletter subscription, that counts as personal data processing.

CS-Cart and Multi-Vendor 4.7.4 (to be released in the first half of May) will include an add-on called GDPR Compliance (EU). Currently, the add-on is available for testing at http://dev.demo.cs-cart.com.



The add-on will provide the tools to:

1. Ask for consent: optional checkboxes in the standard places where personal data is collected (such as checkout, registration, newsletter subscription, etc.). Each of these checkboxes is accompanied by customizable notices about personal-data processing.

2. Keep consent history: the log of everyone and everything that they have consented to. This history is only accessible via the database and includes the texts of personal data notices as they were at the time when consent was given.

3. Manage personal data: the ability to view all the personal data of a customer in the Administration panel on the customer editing page. If a request is made by email, you’ll be able to export all the personal data of a customer to XML files or anonymize him or her.

Normally, we don’t port new functionality to older versions. But we understand the importance of GDPR compliance, so that’s why our support staff can offer guidance to those using older versions; for a small fee, we can even adapt the add-on from 4.7.4 for your store. If you have extensive customizations (such as a custom theme) or won’t be able to upgrade to version 4.7.4 for any reason, you’re welcome to contact our technical support via Help Desk.

Please note that the add-on by itself won’t make you GDPR-compliant; you’ll need to familiarize yourself with the regulation and see what else needs to be done (our blog has some suggestions, but there are probably more things to be done).

Feel free to discuss the GDPR, the blog article, and the upcoming add-on in this topic.

I only sell to Australians and deliver to Australian addresses.

Do I need to make my cart GDPR-compliant?

No, it's for the EU.

We are not located in the EU and have less than 1% of our orders (for our very small business) from the EU.

The only information we collect is email address, telephone number and mailing address; no IDs, No payment info etc.

As a practical matter, are we affected by this?

We are not located in the EU and have less than 1% of our orders (for our very small business) from the EU.

The only information we collect is email address, telephone number and mailing address; no IDs, No payment info etc.

As a practical matter, are we affected by this?

If you sell to customers (not businesses) in the EU you have to be GDPR compliant.
You have to notify the customer on how you handle their email: stored locally, Google Apps, Zoho, Office 365, etc. If you use a 3rd party, Google Apps for example, you have to make sure you sign the agreement with Google as well, and last but not least you have to get customers' consent to store/handle their e-mail. The same applies for the phone number. If you're using an online PBX you have to notify them as well, and last but not least, all your European customers (not businesses) have the right to be forgotten.
You should be able to delete/anonymize all their data. All of these are covered in the new CS-Cart GDPR plugin.

Remember, this only applies to EU customers (not businesses).
Also make sure that if you sell to the EU you comply with the EU rules (as far as I know). That means that a customer can ALWAYS return a product without a reason for it. They have 14 days to notify about this and another 14 days to return the product.

The idea behind this law is very good; however, they overdid it.

Hello Mumbomedia,

Many thanks for your quick and detailed answer - it sounds like you have thought about this.

They mentioned something about rules for micro businesses (in my case no employees) so I wonder what the exceptions are?

We actually are a craft business making custom orders, so no ready-made products, and we don't use any apps that I can think of other than CS-Cart and Gmail. We don't store data locally, only in Gmail and our CS-Cart database on our remote server.

We have maybe one customer a month from the EU.

I think that we should be fine with our privacy statement and maybe add a couple of sentences - do you agree?

Thanks johnbol1.

That's music to my ears.

I've understood by a friend living in the USA that similar rules have been, or are soon going to be activated in Canada. It can be expected that more countries will soon follow.

I think those of you that operate outside the EU can mostly ignore the enforcement, as they just can't do much to enforce it on you. Fines are bad if you are in the EU, though.

If you sell to customers (not businesses) in the EU you have to be GDPR compliant.
You have to notify the customer on how you handle their email: stored locally, Google Apps, Zoho, Office 365, etc. If you use a 3rd party, Google Apps for example, you have to make sure you sign the agreement with Google as well, and last but not least you have to get customers' consent to store/handle their e-mail. The same applies for the phone number. If you're using an online PBX you have to notify them as well, and last but not least, all your European customers (not businesses) have the right to be forgotten.
You should be able to delete/anonymize all their data. All of these are covered in the new CS-Cart GDPR plugin.

Remember, this only applies to EU customers (not businesses).
Also make sure that if you sell to the EU you comply with the EU rules (as far as I know). That means that a customer can ALWAYS return a product without a reason for it. They have 14 days to notify about this and another 14 days to return the product.

The idea behind this law is very good; however, they overdid it.

About the second part, it's 14 days from the delivery date. And there is a small open door to lower the refund amount if the product is used, etc., so please read your local Customer Protection Law carefully.

And yeah, they really overdid the GDPR; talk to me about protecting large businesses. And we already had personal data operator registration (not sure about the translation), now pointless. And still nobody cares about small ad sales in my country, so it's much easier to just stay out of the law by not running your own business at all, or submit to a bigger company's franchise.

Interesting about the 14 day rule as we have a firm no return policy as all our sales are custom made.

I would love to read an accurate summary of the rules in simple words.

And how can they enforce the rules if you are small with no presence in the EU?

We are not located in the EU and have less than 1% of our orders (for our very small business) from the EU.

The only information we collect is email address, telephone number and mailing address; no IDs, No payment info etc.

As a practical matter, are we affected by this?

Anyone that trades within the EU must give the EU customers the GDPR protection. Madness.

I think one aspect of this would be very wise for everyone. Never store credit card data of customers in your website's database. Always let specialized payment providers handle this part of the checkout. This makes your webshop less attractive to hackers and it really makes sense. In my 'privacy policy', which is a must-do in the EU, I mention this.

Wim,

I agree with you, and if you don't have payment information and very little other than mailing address and phone number, perhaps this is not that big of an issue?

The 14 day returns will not be possible for us as everything is custom made - I would be forced to drop the EU before complying.

I still hope to read an official summary that is easy to understand.

Has anyone seen one?

The European Court of Justice (ECJ) has ruled that an IP address is personal data, especially if it is assigned to a person. ( http://curia.europa.eu/juris/document/document.jsf?text=&docid=184668&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1 )

CS-Cart saves the IP address. In the future, this will only be permissible for 7-14 days (depending on which EU country the shop is located in) for the prevention of danger, for example fraud.

In the admin area I can define under Order statuses from which time credit card information (option "Remove CC info") should be deleted.

It would be nice if I got the option at this point where the IP address should be anonymized.

For example, when the order is completed. For this status I choose the checkbox "Anonymize IP Address". The address stored in CS-Cart is then no longer 127.0.0.1 but 127.0.0.xxx and we are fine with the GDPR.
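The status-driven anonymization suggested in this post, written out as an added example (this is not CS-Cart code and not the poster's own): it zeroes the last octet of an IPv4 address (the last 80 bits of an IPv6 address) once an order reaches the completed status, and, as an assumption of this example, also once an order of any status is older than a 14-day retention window. The order records are constructed sample data.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Retention window assumed for this example; the thread cites 7-14 days depending on the country.
RETENTION = timedelta(days=14)

def anonymize_ip(ip_str: str) -> str:
    """Drop the host part: keep /24 of an IPv4 address, /48 of an IPv6 address.

    127.0.0.1 becomes 127.0.0.0; the truncated address no longer points at a
    single subscriber but still supports coarse fraud/abuse statistics.
    """
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def scrub_order_ip(order: dict, now: datetime) -> dict:
    """Return a copy of the order with its IP anonymized when the rule applies.

    Rule (assumption for this example): anonymize once the order reaches the
    'complete' status, or once it is older than RETENTION whatever its status,
    so an abandoned order does not keep a raw IP forever.
    """
    expired = now - order["placed_at"] > RETENTION
    if order["status"] == "complete" or expired:
        return {**order, "ip": anonymize_ip(order["ip"]), "ip_anonymized": True}
    return {**order, "ip_anonymized": False}

# Constructed sample orders (documentation IP ranges, not real customer data).
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE_ORDERS = [
    {"id": 1, "status": "complete", "ip": "203.0.113.45", "placed_at": NOW - timedelta(days=1)},
    {"id": 2, "status": "processing", "ip": "198.51.100.7", "placed_at": NOW - timedelta(days=3)},
    {"id": 3, "status": "processing", "ip": "2001:db8:abcd:1234::5", "placed_at": NOW - timedelta(days=20)},
]

def scrub_all(orders=SAMPLE_ORDERS, now=NOW) -> list:
    """Apply the rule to every order; the raw IP of order 2 is kept, 1 and 3 are scrubbed."""
    return [scrub_order_ip(o, now) for o in orders]

if __name__ == "__main__":
    for o in scrub_all():
        print(o["id"], o["status"], o["ip"], o["ip_anonymized"])
```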

Do I need to make my cart GDPR-compliant?

1. Your shop is located within the EU => Absolutely Yes
2. Your shop is located outside the EU but you have EU customers (not businesses) / you deliver to the EU. => Yes
3. Your shop is located outside the EU and all your customers are outside too. => No

Remember, to get your store GDPR-compliant, the use of social media plugins also becomes problematic. For example, the Facebook Like button collects and transmits personal data. Also Twitter and so on.
In order for the processing of personal data to be lawful, at least one of the conditions of Article 6(1) GDPR must be present. Thereafter, the processing of data is only permitted if it is expressly permitted by one of the statutory provisions or the user has consented.

What the GDPR specifically means by consent is defined in Art. 4 No. 11 GDPR. Thereafter, consent is any expression of volition voluntarily given for the particular case, in an informed and unequivocal manner.

And exactly here lies the problem. We shop operators will be "regularly unable" to "create the necessary transparency for the informed consent of users". Because: effective consent presupposes that users know what they agree to. For example, Facebook does not yet disclose what data is accurately collected and what happens to it, so the information necessary for an informed consent is lacking.

Conclusion

Do without social plugins, or use the Shariff solution.

Shariff on GitHub: https://github.com/heiseonline/shariff
Shariff PHP backend: https://github.com/heiseonline/shariff-backend-php

The add-on will provide the tool: 1. Ask for consent

That's great, but it only affects customers who register a new account. Customers who already have an account must also agree with the terms.
I have to write to all customers and ask them to agree to the new privacy policy, set a deadline, and delete the data of those who have not consented by then. The add-on does not offer a solution for this yet.

CS-Cart and Multi-Vendor 4.7.4 (to be released in the first half of May) will include an add-on called GDPR Compliance (EU). Currently, the add-on is available for testing at http://dev.demo.cs-cart.com.

Will the add-on appear in our reseller account downloads for earlier versions (before 4.7.4)?

The add-on will provide the tool: 1. Ask for consent

That's great, but it only affects customers who register a new account. Customers who already have an account must also agree with the terms.
I have to write to all customers and ask them to agree to the new privacy policy, set a deadline, and delete the data of those who have not consented by then. The add-on does not offer a solution for this yet.

Mailshot? Texts? The same as huge operations like Manchester United etc. are doing.

Interesting about the 14 day rule as we have a firm no return policy as all our sales are custom made.

No worries here then. If it's a custom product, the customer can't return it, except if the product is faulty or the customisation has gone wrong.

No worries here then. If it's a custom product, the customer can't return it, except if the product is faulty or the customisation has gone wrong.

Thank you for the clarification.

If we make a mistake which normally does not happen we are always happy to take care of it.

Next we will update our Privacy page and then we should be fine.