What is GDPR?
GDPR (General Data Protection Regulation) is the General Data Protection Regulation. It comes into effect on 25 May 2018 and applies not only to entities based in the European Union, but to all entities that process personal data of EU citizens. The GDPR unifies the legal framework for the protection of personal data in the EU environment and extends the principles and principles of personal data protection with new rights and obligations.
Processing of personal data
Personal data is, for the purposes of the GDPR, any information that leads to the identification of a specific person. In addition to data such as name, gender or email, this includes information such as IP address, pages visited or goods purchased in the e-shop.
In order to process personal data, you must fulfil at least one of the legal titles. The most commonly used titles include:
- legitimate interest, where the law allows, in a certain situation (for example, after the conclusion of a purchase contract), to assume that the person consents to the use of personal data,
- performance of a contract where the processing of personal data is necessary for the performance of contractual obligations,
- the consent of the visitor whose personal data you are processing.
If you are authorised to process personal data on the basis of legitimate interest or performance of a contract, obtaining consent is unnecessary. It is sufficient to inform the visitor about the processing of personal data. You should only request the data you need and for a period of time that is appropriate to the purpose of the processing.
- contract negotiation or order confirmation,
- consent to the collection of cookies,
- consent to the processing of personal data,
In order to be able to prove what information the visitor has had the opportunity to see, you need to keep the version of the consent that the visitor has agreed to. For example, if you change the period for which you keep personal data on a contact form, you must record the period of time for which a particular visitor has consented to the processing of the data.
Working with GDPR compliant forms
For forms, it is necessary to distinguish for which purposes the data from the form is used.
The creation of an order also creates a legitimate interest. This enables you to use the contacts thus obtained to send marketing communications.
If it is clear from the context that the primary purpose of the newsletter sign-up form is to receive the newsletter, filling out the email may be considered consent. The GDPR does not explicitly specify how a visitor expresses consent.
Web forms that collect personal data about website visitors must include a mandatory confirmation of consent to the processing of personal data. As with the newsletter, it is always necessary to clearly specify for which purpose the information will be processed and to obtain consent for each purpose.
As with cookies, consent to data processing must be freely given, unambiguous and specific and must be informed. In addition, it is necessary to record when and how consent was given.
Consent database and its management
The administrator must be able to demonstrate and prove the subject's consent to the processing of his or her personal data at any time during the period for which the processing takes place. Each website, or its administration system, should be equipped with a database and a module in which data on users and the exact wording of consent are clearly stored. Thanks to such a module, it is possible to provide evidence of the consent given or, on the contrary, to delete the personal data and withdraw the consent at the user's request.
Access to personal data must be restricted so that each employee has access only to the personal data he needs for his work. For example, an article editor or translator should not have access to the personal data database. Therefore, the system must have user rights that allow different levels of access to be set for different roles.
Period for the retention of personal data
For all cases of processing of personal data, it is necessary to determine the period of time for which you will keep and work with the personal data. Data must not be processed for an indefinite period of time. The storage period is determined by its purpose, if it is not possible to determine it specifically, you must specify the factors you will use to determine it. A week is sufficient to answer an enquiry, for an order you need to keep personal data for up to several years for possible claims or litigation.
Current contact database
In addition to the obligations explicitly specified by the GDPR, the GDPR also requires the application of general data protection principles. Data should be protected by adequate means, taking into account the specific context of the data processing, so that the risks of data leakage are minimal. Examples of appropriate security methods are encryption, pseudonymisation or the use of SSL certificates.
Control of third-party services
If the data you collect is processed by a third party, called a processor, you are also responsible for ensuring that your processor complies with the GDPR guidelines. This includes exports to third-party tools such as Google Analytics, Mailchimp or Raynet. Each case of personal data processing must be covered by a written contract or current processing contracts must be updated according to the new conditions. Most of these tools will modify their terms and conditions and will inform you of this.