Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Improvements To Gdpr Add-On Rate Topic   - - - - -

 
  • UK Promotion
  • Junior Member
  • Members
  • Join Date: 07-May 11
  • 21 posts

Posted 10 May 2018 - 09:39 AM #1

Hi,

 

We love the fact that CS-Cart has introduced a GDPR Compliance add-on and just thought we'd post some ideas on how it can be improved to better adhere to the GDPR laws.

 

  1. Allow the option of letting a user from within their customer account download their order history as XML (which would save them having to email or call the store owner). (GDPR Art. 20 - The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format).  There is no need for this information to be only accessible by admin, it's easier if the user can access it themselves without troubling admin.
     
  2. Allow the option of letting a user from within the customer account choose to "Delete and Anonymize" their account.  (GDPR Art. 17 - The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay).  The only stipulation I would make is that ALL ORDERS must be marked as "complete" before they are allowed to take this step and possibly only then after a certain amount of days (say 30 in case there is a problem with shipping).  The number of days could be configurable in the add-on and should be called the "Retention Period".
     
  3. Add an option to notify users that the site needs cookies to run (an overlay bar at the top or bottom of the page) and a button to allow cookies or disable cookies.  A good example of this being implemented can be seen at https://www.civicuk.com/cookie-control- see how the tracking/analytical cookies are turned off by default and social cookies are turned off by default but they can be turned on if the user wants.  However necessary cookies are turned on and can only be turned off by changing browser settings.  Something like this would be amazing for CS-Cart.
     
  4. If using the option of Deleting / Anonymizing a users account (either an admin or a customer using option 2. above) then if the system is integrated with a 3rd party marketing service such as MailChimp, the user should also be unsubscribed and removed from these lists.
     
  5. An option to view the consent history log in the control panel.
     
  6. GDPR stipulates that you must ensure your data is up to date.  An option to email all users every 12 months since they signed up asking them to login to their account and make sure their information is up to date would be useful.  This could be achieved using a cron.  The email would simply say something along the lines of "Has your information changed? Under the GDPR we are obligated to make sure your information is up to date so if anything has changed over the past 12 months, please could you login at [LINK] and update your information.  If nothing has changed then you can safely ignore this email.  Thank you [StoreName].

 

These changes would make the GDPR compliance by CS-Cart one of the best across all e-commerce platforms.  If anyone has any other useful and relevant ideas to make this module even better please feel free to add to this list below.  But lets try to keep it to things that are required under GDPR and not just personal wish lists.

 

Thank you.


UK Promotion
Fresh and creative brand, marketing, PR and web specialists.

 
  • johnbol1
  • Never Re
  • Members
  • Join Date: 23-Feb 10
  • 4361 posts

Posted 10 May 2018 - 12:48 PM #2

https://forum.cs-car...x/?fromsearch=1

 

Maybe help you


Custom printed hi visibility clothing sale the UK's online hivis safety shop
v4.5.2


 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 874 posts

Posted 19 May 2018 - 01:32 AM #3

Customers should not be able to delete anything on their own.


Version 4.7.2 sp2


 
  • UK Promotion
  • Junior Member
  • Members
  • Join Date: 07-May 11
  • 21 posts

Posted 22 May 2018 - 08:14 AM #4

Customers should not be able to delete anything on their own.

 

Actually the "Delete and Anonymize" the account wouldn't delete the account as mentioned in my comments, it would anonymize the data.  The fact that with GDPR the user has the "right" to be forgotten, means if they request to have their account removed (or anonymized) then you must act on that request... Allowing them to do this themselves just eases the burden on the site admin.

 

Also article 7.3 of the GDPR states:

 

 

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

 

You will notice the highlighted part of the text being it shall be as easy to withdraw as to give consent.. In basic terms if a user can create an account WITHOUT asking you to do it for them, then they should be able to delete that account WITHOUT asking you to do it for them (which is why the social networks are now all allowing this option).


UK Promotion
Fresh and creative brand, marketing, PR and web specialists.

 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 874 posts

Posted 22 May 2018 - 08:19 AM #5

For you deleting may work but not for everyone - we are small and it is no burden to us.

 

One person in many years has asked us to delete their account which was a surprise - I deleted it but only after talking to him to understand why.


Version 4.7.2 sp2