GDPR WooCommerce – Implementation on the Website

The GDPR is one of the strictest European regulations governing the use, analysis, storage and commercialisation of personal data within the European Union. This article explains how to implement it in a WooCommerce website or online store.

18 minutes to read
Posted by ZONK Digital at October 13, 2020

In this article, we will discuss the process of implementing GDPR for WooCommerce, transforming your online store into a secure environment for your customers, in compliance with current European regulations.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the GDPR (General Data Protection Regulation), replaced Directive 95/46/EC and has applied since May 25, 2018. It applies to organisations established in the EU and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people located in the EU.

The purpose of the regulation is to protect the rights and freedoms of natural persons with regard to the processing of their personal data. It regulates how such data may be obtained and how it may circulate, with the aim of a uniform set of rules across the EU.

What does the processing of personal data mean?

According to the European GDPR regulations, processing of data involves any operation or set of operations such as:

  • Collection,
  • Recording,
  • Organization,
  • Structuring,
  • Storage,
  • Adaptation or alteration,
  • Extraction,
  • Consultation,
  • Use,
  • Disclosure by transmission,
  • Dissemination or making available in any other way,
  • Alignment or combination,
  • Restriction,
  • Erasure or destruction of data.

The GDPR applies to personal data processed wholly or partly by automated means; the newsletter sign-up of an online store is a typical example. It also applies to manual processing that forms part of a structured filing system, so it reaches beyond the digital space: companies organising events, parties, street surveys that ask for personal details, or street raffles are covered as well.

What are the principles of GDPR regulations?

The regulation grants data subjects eight individual rights, the right to:

  • be informed about how their personal data will be used;
  • access their personal data;
  • rectify data that is inaccurate or incomplete;
  • erasure (the Right To Be Forgotten), so that they are no longer included in communications or further processing;
  • restriction of processing, so that the data may only be stored and not otherwise processed;
  • data portability, so that the data is made available in a form they can take to another platform or service;
  • object to the use of their data in marketing campaigns;
  • not be subject to a decision based solely on automated processing, including profiling.

What are personal data according to GDPR?

The new regulations practically expand the scope of information considered to be personal data. Thus, “personal data” is considered to be any information relating to an identified or identifiable natural person. More specifically, a person can be identified directly or indirectly by reference to:

  • a name;
  • an identification number;
  • location data;
  • an online identifier (IP addresses, cookie identifiers, or other identifiers such as radio frequency identification tags);
  • one or more specific elements related to their physical, physiological, genetic, mental, economic, cultural, or social identity.

What is consent according to GDPR?

Consent is any freely given, specific, informed, and unambiguous indication of the data subject’s wishes. This can be expressed through a statement or clear affirmative action, signifying that the data subject agrees to the processing of personal data concerning them.

The rules for the validity of consent are as follows:

  • It must be a freely given manifestation, representing the genuine choice of the data subjects.
  • It must be specific, implying that the data subject is informed about the purpose of the data processing. The consent must be given for each processing purpose separately.
  • It must be informed, ensuring that at least the following information is communicated to the data subject: the identity of the data controller, the purpose of the processing, the personal data collected, the right to withdraw consent, information regarding the use of data for decisions based solely on automated processing (including profiling), and information about possible risks of data transfer to third countries.
  • It must be unambiguous, representing a clear affirmative statement or action from the data subject. For example, ticking a box when visiting a website or any other statement or action that clearly indicates the data subject’s acceptance of the processing of their personal data in that context.

What changes regarding consent are there in the online domain?

Consent must be explicit and specific to the processing operation. Consumers must take an action to give it, and the agreement is limited to, and proportionate with, the stated purpose of processing. No more data than is necessary for the declared, lawful purpose may therefore be collected or processed.

The GDPR requires operators to ensure that consent can be withdrawn at any time, and as easily as it was given; the withdrawal does not have to use the very same action, but it must not be harder.

In practice, in the online environment, if consent was obtained through a single action (a click, a drag, a keystroke, etc.), withdrawal should be possible with a single action of the same kind. Consent must be an affirmative act: silence, pre-ticked boxes or inactivity do not constitute consent. Statements such as "Browsing this site implies your agreement to…" therefore no longer yield valid consent.

What needs to be done before the entry into force of GDPR rules?

Every online business will have to address two aspects of GDPR implementation in Romania. The first consists of technical measures implemented at the level of the website, online store, online platform, news portal, etc. The second consists of internal measures taken within each company. Both serve the commitment to protect personal data.

Internally, companies need to establish a data register in which they keep an inventory of the personal data collected in the course of their activities. Recital 171 of the GDPR states that where personal data collected before the regulation applied was obtained on the basis of consent, and that consent was obtained in a manner that already meets the GDPR's conditions, it is not necessary to ask for consent again.

If no valid consent was given, entities holding this personal data must obtain the users' consent before continuing to keep and/or process it. In this case, companies can send a notification email asking for permission to use the personal data for marketing, research, statistics, etc. The notification should also state which partners or third parties have access to the user data and, if so, how they will use it.

What is a Data Protection Officer (DPO) and how can it help my business?

A Data Protection Officer (DPO) is a person designated by a company to be responsible for data protection. The DPO can be an employee or a person contracted through a service agreement, and must be appointed on the basis of professional qualifications and knowledge of data protection law and practice.

The DPO's responsibilities include monitoring the application of the GDPR and of other European or national rules on the protection of personal data, advising the company on its obligations, and providing specialised support when carrying out data protection impact assessments.

 

What specific actions are required to comply with the new regulations?

Online, it is necessary to implement a series of both technical and organizational measures, among which we mention:

  • replace "implicit agreement" consent with an "affirmative action", which means revising the Terms and Conditions page, the Privacy Policy and the subscription forms;
  • obtain consent by having the visitor tick a box, or make some other statement or action that clearly signals acceptance of the processing of their personal data;
  • give users the possibility to withdraw consent at any time, as easily as it was given;
  • inform visitors clearly about who you are, which data you collect, why you collect it and how long you keep it;
  • tell visitors which third parties receive their data, and check whether any of those third parties transfer the data outside the EU;
  • restrict access to customer data to the employees who need it to perform their duties;
  • keep a register of processing activities where processing is not merely occasional;
  • inform customers about the use of the data they provide, such as billing and delivery data, at the moment the data is collected, since that is when the information is mandatory;
  • delete a customer's data at their request when the request has a legal basis, whether by overwriting or permanent deletion, as long as the process is irreversible.
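The consent rules above (unticked box, affirmative action, withdrawal as easy as giving, and erasure on request) can be wired into a WooCommerce store with a few hooks. The following is an added example written for this article, not code from the article or from WooCommerce itself. It relies on WooCommerce 3.x and WordPress core hooks that exist; the field name, the `_marketing_consent` meta key, the policy version string and the `zonk` text domain are assumptions chosen for the illustration.

```php
<?php
// Added example for a WooCommerce store (not code from the article). Hooks are
// WooCommerce 3.x / WordPress core; the meta key, field name, policy version
// string and 'zonk' text domain are assumptions chosen for this illustration.

const ZONK_CONSENT_FIELD = 'marketing_consent';       // checkbox name (assumed)
const ZONK_CONSENT_META  = '_marketing_consent';      // order/user meta key (assumed)
const ZONK_POLICY_VER    = 'privacy-policy-2020-10';  // bump whenever the notice text changes

// One record per affirmative action: what was agreed to, when and how. The
// controller must be able to demonstrate that consent was given (GDPR Art. 7(1)).
function zonk_consent_record( $given, $method ) {
    return array(
        'given'  => (bool) $given,
        'time'   => gmdate( 'c' ),
        'policy' => ZONK_POLICY_VER,
        'method' => $method,
    );
}

// 1. Checkout: render the box UNTICKED (value '') and OPTIONAL. A pre-ticked
//    box, or one that must be ticked to buy, would not yield valid consent.
add_action( 'woocommerce_review_order_before_submit', function () {
    woocommerce_form_field( ZONK_CONSENT_FIELD, array(
        'type'     => 'checkbox',
        'class'    => array( 'form-row' ),
        'label'    => __( 'Send me the newsletter (optional; withdraw any time in My Account)', 'zonk' ),
        'required' => false,
    ), '' );
} );

// 2. Store the choice on the order. A missing field means "not given", never
//    "implied". WooCommerce has already verified the checkout nonce here.
add_action( 'woocommerce_checkout_create_order', function ( $order, $data ) {
    $given = ! empty( $_POST[ ZONK_CONSENT_FIELD ] ); // phpcs:ignore WordPress.Security.NonceVerification
    $order->update_meta_data( ZONK_CONSENT_META, zonk_consent_record( $given, 'checkout_checkbox' ) );
    if ( $given && $order->get_customer_id() ) {
        update_user_meta( $order->get_customer_id(), ZONK_CONSENT_META,
            zonk_consent_record( true, 'checkout_checkbox' ) );
    }
}, 10, 2 );

// 3. Withdrawal as easy as giving: the same kind of checkbox under
//    My Account > Account details; unticking it records the withdrawal.
add_action( 'woocommerce_edit_account_form', function () {
    $rec = get_user_meta( get_current_user_id(), ZONK_CONSENT_META, true );
    woocommerce_form_field( ZONK_CONSENT_FIELD, array(
        'type'  => 'checkbox',
        'label' => __( 'Receive the newsletter', 'zonk' ),
    ), ! empty( $rec['given'] ) ? 1 : '' );
} );

add_action( 'woocommerce_save_account_details', function ( $user_id ) {
    $given = ! empty( $_POST[ ZONK_CONSENT_FIELD ] ); // nonce checked by WooCommerce before this hook
    update_user_meta( $user_id, ZONK_CONSENT_META, zonk_consent_record( $given, 'account_checkbox' ) );
} );

// 4. Right to erasure: register with WordPress's Tools > Erase Personal Data so
//    the consent record is removed together with the rest of the person's data.
add_filter( 'wp_privacy_personal_data_erasers', function ( $erasers ) {
    $erasers['zonk-marketing-consent'] = array(
        'eraser_friendly_name' => __( 'Newsletter consent', 'zonk' ),
        'callback'             => 'zonk_erase_consent',
    );
    return $erasers;
} );

function zonk_erase_consent( $email_address, $page = 1 ) {
    $removed = false;
    $user    = get_user_by( 'email', $email_address );
    if ( $user && delete_user_meta( $user->ID, ZONK_CONSENT_META ) ) {
        $removed = true;
    }
    // The orders themselves are kept (invoicing obligations rest on a legal
    // basis other than consent), but the consent flag attached to them goes.
    foreach ( wc_get_orders( array( 'billing_email' => $email_address, 'limit' => -1 ) ) as $order ) {
        if ( $order->meta_exists( ZONK_CONSENT_META ) ) {
            $order->delete_meta_data( ZONK_CONSENT_META );
            $order->save();
            $removed = true;
        }
    }
    return array(
        'items_removed'  => $removed,
        'items_retained' => false,
        'messages'       => array(),
        'done'           => true,
    );
}
```

Drop the snippet into a small site-specific plugin (or the theme's functions.php) and adjust the texts. Note what the example deliberately does not do: it never reads the checkbox as "agreed" when it is absent, it never renders it pre-ticked, and withdrawing takes exactly one click, the same as giving. WooCommerce's own mandatory Terms and Conditions checkbox and the privacy-notice texts in WooCommerce > Settings > Accounts & Privacy remain separate from this optional marketing consent, which must never be a condition of completing the purchase.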

GDPR for WooCommerce and personal data processing for an online store

With its broader definition of "personal data", the GDPR enlarges the set of information that websites must treat as personal data, including the data stores ask for when a user subscribes to the newsletter, creates an account or goes through a shopping session.

For example, under the previous Directive 95/46/EC, online identifiers and location data were not explicitly treated as personal data. Since May 25, 2018 they are subject to the regulation, and websites have to take this into account both in preparing for the GDPR and in complying with it afterwards.

Websites and online shops that already applied good practice in the use and storage of personal data do not need to repeat their procedures after May 25, 2018. For example, newsletter subscribers do not have to be asked for consent again if it was correctly obtained beforehand. Otherwise, any entity holding a database of e-mail addresses, names, physical addresses, CNPs (personal numeric codes), CUIs (fiscal registration codes) or any other personal data must ask the persons concerned for their explicit consent to keep and process this information.

Breach of security

Operators have an obligation to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and to inform the affected users when the breach is likely to result in a high risk to their rights and freedoms. A breach of security is an incident that accidentally or unlawfully leads to:

  • data destruction;
  • data loss;
  • data modification;
  • unauthorized disclosure of data;
  • unauthorized access to the collected data.

What sanctions are at risk for those who do not comply with the new GDPR rules?


Sanctions are imposed case by case, and the following are taken into account when determining them:

  • the nature, severity and duration of the violation, taking into account the nature or scope and purpose of the processing, as well as the number of affected persons and the damages suffered by them;
  • whether the infringement was committed intentionally or negligently;
  • any previous violations and degree of responsibility;
  • the level of cooperation with the supervisory authority in order to remedy the situation and mitigate possible damages;
  • the way in which the violation was brought to the attention of the supervisory authority;
  • which categories of personal data were affected;
  • any other aggravating or mitigating circumstances applicable to the case such as financial benefits gained or losses avoided directly or indirectly as a result of the infringement.

Fines can reach up to 20 million euros or 4% of the total annual worldwide turnover, whichever is greater. You can discuss more with a lawyer about GDPR implementation.
