Jump to content



Member Since 13 Jan 2017
Offline Last Active May 23 2018 08:48 PM

#301046 Gdpr Compliance In Cs-Cart And Multi-Vendor

Posted by mumbomedia on 03 May 2018 - 09:09 AM

The add-on will provide the tool: 1. Ask for consent

That's great, but it only affects to customers who register a new account. Customers who already have an account, must also agree with the terms.
I have to write to all customers and ask them to agree to the new privacy policy, set a deadline and who has not consented at this time delete the data. The add-on does not offer a solution for this yet.

This is something i've actually mentioned to them. Maybe Ilya can clarify this.
Either way, i think you have to send your customers a mail anyhow. You have to get concent from them to send that mail after 24th of may though ;)
The GDPR also applies to invoicing/accountancy software you might be using, external accountants handling their information, etc.

#300760 Gdpr Compliance In Cs-Cart And Multi-Vendor

Posted by mumbomedia on 25 April 2018 - 08:17 AM

We are not located in the EU and have less than 1% of our orders (for our very small business) from the EU.


The only information we collect is email address, telephone number and mailing address; no IDs, No payment info etc.


As a  practical matter are we effected by this?

If you sell to customers (not businesses) in the EU you have to be GDPR complient.
You have to notify the customer on how you handle their email, store it locally, google apps, zoho, office 360 etc. If you use an 3rd party, Google Apps for example you have to make sure you sign the agreement with Google aswell and last but not least you have to get customers consent to store/handle their e-mail. Same applies for the Phone number. If you're using an online pbx you have to notify them aswell, and last but not least, all your European customers (not businesses) have the right to be forgotten. 
You should be able to delete/anonymize all their data. All of these are covered in the new CS Cart GDPR Plugin.

Remember, this only apply to EU customers (not businesses)
Also make sure that if you sell to the EU you should comply to the EU rules (as far as i know). That means that a customer can ALWAYS return a product without a reason for it. They have 14 days to notify about this and another 14 days to return the product.

The idea behind this law is very good, however, they overdone it. 

#299839 Gdpr Policy In The Eu

Posted by mumbomedia on 07 April 2018 - 07:31 AM

Hi Guys,


We are considering this feature for CS-Cart / Multi-Vendor. 


Right now I'm trying to find answer to questions: what kind of personal data should customer have access to (export/modify/delete) in CS-Cart.

It looks like:

- User & profile data

- Orders

- Cart & Wishlist content


Besides if client want to be "forgotten" should we erase all the records or we can just anonymize this data - like replace with "deleted user". This is need in order to maintain sychrnonization process - a lot of stores have some kind of synchronisations like CRM, Accounting programms etc. Documentations says there should be 2 optins erase of anonymize, and this is not good(

This is a very important point I think.


Feel free to share you thoughts on this. 


We contacted a lawyer for this, since we're in The Netherlands, and basicly it comes down to this.


1) Terms and Conditions need to comply, it should state exactly which user information you are using, why are you using it, if you are storing it, why are you storing it and who you share it with. ie. external mailclient, accounting software and ofcourse which data CS Cart is collecting and why.

2) Privacy policy and disclamer, Same as above.


3) Every customer (new and old) have to agree with a processors-agreement. They have to accept the agreement where it states again which data is collected, why it is collected and whoom it's shared with. Customers have to do this one time only. Old customers need to do this via a pop-up or opt-in via e-mail or similar, and new customers for the first time on checkout, BUT ACTUALLY BEFORE ANY DATA IS COLLECTED. (besides cookies, which need to be in the cookie pop-up)


4) The customers right to forget. Anonimising data is enough. Our accountingsoftware is GDPR complient and does just that. Click on a customer, click on forget and all his personal data (name, address, day of birth) is being anonymized.


There should be a seperate page where customers can request this.



So on 1&2 CS Cart needs to make a list on which data is collected, why and how.


on 3&4 there need to be modifications to the store.