GDPR for WooCommerce – Implementation on the Website/Online Store
It is one of the strictest European regulations regarding the use, analysis, storage, or commercialization of personal data within the European Union. Learn everything about GDPR implementation in the article below.
In this article, we will discuss the process of implementing GDPR for WooCommerce, transforming your online store into a secure environment for your customers, in compliance with current European regulations.
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, the GDPR (General Data Protection Regulation), replaces Directive 95/46/EC and will come into effect on May 25, 2018. The regulation applies to legal entities based in the EU and to those that collect and process personal data of residents within the EU.
The purpose of the new regulations is to protect the rights and freedoms of individuals concerning the processing of personal data. It will regulate the method of obtaining this data, as well as the circulation of such data, aiming for a more uniform format.
According to the European GDPR regulations, processing of data involves any operation or set of operations such as:
The GDPR directives apply to companies using automated means for data processing. An example is the newsletter option of an online store. However, they also apply outside the digital space for:
Companies organizing events, parties, street surveys requiring the disclosure of personal information, or street raffles.
The right to:
The new regulations practically expand the scope of information considered to be personal data. Thus, “personal data” is considered to be any information relating to an identified or identifiable natural person. More specifically, a person can be identified directly or indirectly by reference to:
Consent is any freely given, specific, informed, and unambiguous indication of the data subject’s wishes. This can be expressed through a statement or clear affirmative action, signifying that the data subject agrees to the processing of personal data concerning them.
The new regulations on consent stipulate that it must be explicitly and specifically given for the processing operation. Consumers must take action to provide consent, and the agreement will be limited or proportionate to the purpose of processing. Therefore, more data than necessary for the declared and legal purpose of processing cannot be collected and processed.
GDPR requires operators to ensure that consent can be withdrawn at any time, just as easily as it can be given, but not necessarily through the same action.
However, in the online environment, if consent for data processing is obtained through a single action (clicking, dragging, keystrokes, etc.), withdrawal should be possible through the same means. Consent must be explicit, and the absence of a response, pre-ticked boxes, or a lack of action should not constitute consent. Thus, statements like “Browsing this site implies your agreement to…” become illegal.
Every online business will have to comply with two aspects of GDPR implementation in Romania. The first part consists of technical measures that need to be implemented at the level of the website, online store, online platform, news portal, etc. The second part involves internal measures that must be taken within each company. These measures are in place to fulfill the commitment to the protection of personal data.
Internally, companies need to establish a data register. Here, they will keep an inventory of personal data collected throughout the company’s activities. Article 171 of the GDPR states that if personal data collected before GDPR regulations were obtained based on consent, then requesting a new agreement is no longer necessary.
If such consent was not given, entities storing this personal data must seek users’ consent to keep and/or process it. In this case, companies can send a notification email to these users, asking for permission to use their personal data for marketing, research, statistics, etc. Such a notification should also state whether any partners or third parties have access to user data and, if so, how they will use this information.
A Data Protection Officer (DPO) is an individual appointed within a company with the responsibility for data protection. They can be an employee of the company or a person contracted through a service agreement. The person in charge must be appointed based on professional qualifications and knowledge of data protection practices.
The responsibilities of the DPO position will include monitoring the application of the GDPR and the implementation of other European or governmental regulations. All of these tasks revolve around the protection of personal data. The DPO provides specialized support in assessing the impact on data protection.
What specific actions are required to comply with the new regulations?
Online, it is necessary to implement a series of both technical and organizational measures, among which we mention:
Through this new definition of the phrase “personal data”, the GDPR actually expands the list of information types that count as such. This is precisely the kind of information sites request from users when they subscribe to a newsletter, create an account, run a shopping session, etc.
For example, under the regulations still in force, online identifiers and location information are not considered personal data. Starting from May 25, 2018, however, they will be subject to the new regulation, so websites will have to take this into account when preparing for the GDPR and, further, when complying with its rules.
For websites and online shops that already apply good practice in the use and storage of personal data, it is not necessary to repeat the procedures after May 25, 2018. For example, newsletter subscribers do not need to be asked for consent again if it was correctly obtained beforehand. Otherwise, any entity holding a database of e-mail addresses, names, physical addresses, CNPs, CUIs or any other personal data will be obliged to ask the persons concerned for their explicit consent to keep and, respectively, process this information.
Operators have an obligation to inform users when a security breach has occurred regarding the data collected from them. Breach of security is an action that accidentally or unlawfully leads to:
Sanctions are granted on a case-by-case basis, and when determining them, the following will be taken into account:
Fines can reach up to 20 million euros or 4% of the total annual worldwide turnover, whichever is greater. You can discuss more with a lawyer about GDPR implementation.