VirtueMart Forum

VirtueMart 2 + 3 + 4 => Virtuemart Development and bug reports => Topic started by: stawebnice on April 23, 2018, 15:18:14 PM

Title: GDPR
Post by: stawebnice on April 23, 2018, 15:18:14 PM
*** PURPOSE OF THIS POST IS TO RAISE A DISCUSSION ABOUT WHAT NEEDS TO BE IMPLEMENTED IN VIRTUEMART, NOT GENERAL GDPR TERMS CONTENTS ***

GDPR - SUGGESTED CHANGES IN VIRTUEMART:

PERSONAL AND SENSITIVE DATA COLLECTED/STORED/SUBMITTED VIA VM FORMS:

a) name, middle name and last name, username, company name
b) email
c) phone, mobile phone
d) billing address
e) shipping address
f) fax
g) tax exemption number (VAT ID, Reg. ID)
h) IP address


1. CHECKOUT

1.1 FRONT-END:
a) checkbox with popup privacy policy terms such as Terms of Use
b) obligatory field, not checked (those who do not agree cannot complete order).

1.2 BACK-END:
a) field to enter Privacy Policy such as Terms of Use (VENDOR TAB in Configuration), or possibility to enter article ID, or select menu item (this could be handled in SHOPPER FIELD setting actually because most shops have ToU in footer and having it both in articles and in VM config requires changes in two locations)

b) store agreement, e.g. YES in database in separate filterable column - both for registered and guest shoppers -> should be visible on order list and customer list and be able to filter users who did not agree (for purpose of export for newsletter requiring the additional consent)


2. REGISTRATION

FRONT-END:
a) similar checkbox with popup terms such as Terms of Use
- obligatory field, not checked (those who do not agree cannot complete registration).

b) store agreement, e.g. YES in db in separate filterable column -> should be visible on order list and customer list and be able to filter users who did not agree (for purpose of export for newsletter requiring the additional consent)


4. SHOPPER FIELDS
a) add a built-in checkbox that cannot be deleted, just like for terms of use

3. ASK ABOUT A PRODUCT
- this is not stored in the DB, but emails are also an issue - the question is whether VM should store this info for the purpose of a consolidated report about submitted sensitive data

similar checkbox with popup terms such as Terms of Use
- obligatory field, not checked (those who do not agree cannot send the question).

4. RECOMMEND A PRODUCT

- this is not stored in the DB, but emails are also an issue - the question is whether VM should store this info for the purpose of a consolidated report about submitted sensitive data

5. PRODUCT REVIEW
similar checkbox with popup terms such as Terms of Use
- obligatory field, not checked (those who do not agree cannot send the question).


6. EXPORTS
This could be an extra component, but the ability to look up a customer and export/delete all information about him/her in the database is important for the whole GDPR process, because anyone who stores such information must be able to provide a printable or downloadable report of all personal/sensitive data stored about an individual who requests it, and then, if asked, must be able to easily delete it.

7. SAMPLE GDPR TERMS
- I have them in Czech, not too long; we could translate them into all VM languages and replace vendor data by a variable.

- not necessary, just a way to make things better than others ;)
Title: Re: GDPR
Post by: diri on April 26, 2018, 06:05:13 AM
Hi,

according to GDPR there must be some kind of age verification as well. Agreement can only be accepted in case the customer is 13 at least (14 in Austria, 16 in Germany). In case the visitor of the site is younger, agreement of a parent is needed.

Buying must be possible as guest without registration at Joomla.

GDPR terms require a lot of explanations. In Germany recommended texts are more than 600 lines with some formatting for better reading ...

Something has to be done with selective cookie disabling as well.

cu, diri
Title: Re: GDPR
Post by: AH on April 26, 2018, 09:15:33 AM
"Buying must be possible as guest without registration at Joomla."

This has always been possible in VM

However - I question whether GDPR creates such a requirement, please point out GDPR clauses where such things are expected
Title: Re: GDPR
Post by: AH on April 26, 2018, 09:16:40 AM
Quote
a) name, middle name and last name, username, company name
b) email
c) phone, mobile phone
d) billing address
e) shipping address
f) fax
g) tax exemption number (VAT ID, Reg. ID)

In addition. h) IP address
Title: Re: GDPR
Post by: AH on April 26, 2018, 09:22:19 AM
Quote
3. ASK ABOUT A PRODUCT
- this is not stored in the DB, but emails are also an issue - the question is whether VM should store this info for the purpose of a consolidated report about submitted sensitive data

similar checkbox with popup terms such as Terms of Use
- obligatory field, not checked (those who do not agree cannot send the question).

4. RECOMMEND A PRODUCT

- this is not stored in the DB, but emails are also an issue - the question is whether VM should store this info for the purpose of a consolidated report about submitted sensitive data

I would advise against storing additional data in the database that is not required by law.

Such requests appear in the email boxes of the organisation. Handling of email is outside the scope of VM.

Sensitive data held in emails is within the scope of GDPR - but that information can come from anywhere. Organisations should already have a policy in place to handle such information.

Title: Re: GDPR
Post by: AH on April 26, 2018, 09:45:13 AM
Stawebnice

Nice introduction to things to be considered.

Note that many of these requirements are NOT "new" as a result of GDPR - these data protection requirements/principles have been around for years - but people are now waking up to them because of all the publicity for GDPR.
Data controllers should already have things in place to manage their data collection and handling.  With a clear data audit and data protection policy in place within their business.

All personal data should be kept only for as long as is relevant for the purpose it was intended (in many cases this may be for local tax reporting regulation). Outside of the period of relevance and purpose for collection, it is worth considering the functionality below:

1. Depersonalisation of sensitive data older than period x

2. Removal of all customer data after period y of inactivity (logon)

3. Ability to depersonalise sensitive data within test systems using database tools
The purpose of data collection is very unlikely to include use for Testing - so time limit does not apply

Do a data audit - Document where your data is within and outside your business
Identify what it is being used for and if this is covered explicitly by your policies to which the customer has agreed
Don't try and hide multiple uses in one huge terms document

After all you are the data controller - if you collected the data, you cannot hand off responsibility to data processors - you are ultimately responsible if your data processors mishandle the data that you allowed them access to.

Anyone handling personal data should have undergone some basic training regarding data protection, with only those who need access being given access.

Here is a link for UK businesses (ps. if this is new to you then :'( )
https://ico.org.uk/for-organisations/guide-to-data-protection/
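The first post asks for the consent to be stored "in a separate filterable column" (1.2 b) and for a way to export or delete everything held about one person (6); the three retention points just above (depersonalise old data, remove inactive accounts, depersonalise test copies) need the same data model. The following is an added example, not VirtueMart code and not anything either poster wrote: it uses an in-memory SQLite database with invented table and column names (`shoppers`, `orders`, `privacy_consent_at`, `last_login_at`) and constructed sample rows to show all of those operations in one place. Which order fields survive an erasure (here the amount and date are kept, the personal fields are replaced) is this example's own assumption.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Personal fields kept on an order row; which of them survive erasure is this
# example's own assumption (the thread notes order records may have to be kept).
ORDER_PERSONAL_FIELDS = ("name", "email", "address", "ip_address")
ERASED = "[erased]"


def open_store() -> sqlite3.Connection:
    """In-memory schema. Table and column names are invented for this example,
    not VirtueMart's; the point is the separate, filterable consent column."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript("""
        CREATE TABLE shoppers (
            id INTEGER PRIMARY KEY,
            name TEXT, email TEXT, phone TEXT, address TEXT, ip_address TEXT,
            privacy_consent_at TEXT,   -- ISO timestamp of agreement; NULL = not agreed
            last_login_at TEXT
        );
        CREATE TABLE orders (
            id INTEGER PRIMARY KEY,
            shopper_id INTEGER,        -- NULL for guest orders and after erasure
            name TEXT, email TEXT, address TEXT, ip_address TEXT,
            total_cents INTEGER, created_at TEXT
        );
    """)
    return con


def seed_sample_data(con: sqlite3.Connection, now: datetime) -> None:
    """Constructed sample rows: one consenting and one non-consenting registered
    shopper, plus a guest order. Timestamps are relative to `now`."""
    def ago(days: int) -> str:
        return (now - timedelta(days=days)).isoformat()
    con.executemany("INSERT INTO shoppers VALUES (?,?,?,?,?,?,?,?)", [
        (1, "Alice Example", "alice@example.test", "+420000000001", "1 Test St",
         "192.0.2.10", ago(30), ago(2)),
        (2, "Bob Example", "bob@example.test", "+420000000002", "2 Test St",
         "192.0.2.11", None, ago(900)),
    ])
    con.executemany("INSERT INTO orders VALUES (?,?,?,?,?,?,?,?)", [
        (100, 1, "Alice Example", "alice@example.test", "1 Test St", "192.0.2.10", 4999, ago(10)),
        (101, 2, "Bob Example", "bob@example.test", "2 Test St", "192.0.2.11", 1500, ago(4000)),
        (102, None, "Carol Guest", "carol@example.test", "3 Test St", "192.0.2.12", 999, ago(5)),
    ])


def shoppers_without_consent(con: sqlite3.Connection) -> list:
    """The filter the first post asks for: who has NOT agreed (e.g. to exclude
    them from a newsletter export)."""
    rows = con.execute(
        "SELECT email FROM shoppers WHERE privacy_consent_at IS NULL ORDER BY id")
    return [r["email"] for r in rows]


def export_personal_data(con: sqlite3.Connection, email: str) -> dict:
    """Subject access report: every row in either table that carries this e-mail."""
    return {
        "shoppers": [dict(r) for r in con.execute(
            "SELECT * FROM shoppers WHERE email = ?", (email,))],
        "orders": [dict(r) for r in con.execute(
            "SELECT * FROM orders WHERE email = ?", (email,))],
    }


def _strip_order_fields(con: sqlite3.Connection, where: str, params: tuple) -> int:
    """Replace personal fields on matching orders, keep amount and date, unlink shopper."""
    sets = ", ".join(f"{f} = ?" for f in ORDER_PERSONAL_FIELDS)
    placeholders = tuple(ERASED for _ in ORDER_PERSONAL_FIELDS)
    cur = con.execute(
        f"UPDATE orders SET shopper_id = NULL, {sets} WHERE {where}", placeholders + params)
    return cur.rowcount


def erase_shopper(con: sqlite3.Connection, email: str) -> int:
    """Erasure request: drop the registration row and depersonalise that person's
    orders. Returns the number of shopper rows deleted."""
    _strip_order_fields(con, "email = ?", (email,))
    return con.execute("DELETE FROM shoppers WHERE email = ?", (email,)).rowcount


def depersonalise_old_orders(con, now: datetime, retention: timedelta) -> int:
    """Retention point 1: strip personal fields from orders older than `retention`."""
    cutoff = (now - retention).isoformat()
    return _strip_order_fields(con, "created_at < ? AND name != ?", (cutoff, ERASED))


def remove_inactive_shoppers(con, now: datetime, inactivity: timedelta) -> int:
    """Retention point 2: erase registered shoppers with no login for `inactivity`."""
    cutoff = (now - inactivity).isoformat()
    stale = [r["email"] for r in con.execute(
        "SELECT email FROM shoppers WHERE last_login_at < ?", (cutoff,))]
    return sum(erase_shopper(con, e) for e in stale)


def demo() -> dict:
    """Run the whole flow on the constructed data and return the observable results."""
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)   # constructed reference date
    con = open_store()
    seed_sample_data(con, now)
    out = {"no_consent": shoppers_without_consent(con)}
    report = export_personal_data(con, "alice@example.test")
    out["alice_report_rows"] = {k: len(v) for k, v in report.items()}
    out["old_orders_stripped"] = depersonalise_old_orders(con, now, timedelta(days=3650))
    out["alice_erased"] = erase_shopper(con, "alice@example.test")
    report = export_personal_data(con, "alice@example.test")
    out["alice_rows_after"] = {k: len(v) for k, v in report.items()}
    out["order_100_total"] = con.execute(
        "SELECT total_cents FROM orders WHERE id = 100").fetchone()[0]
    out["inactive_removed"] = remove_inactive_shoppers(con, now, timedelta(days=730))
    return out


if __name__ == "__main__":
    print(demo())
```

Running the same depersonalisation against a copy of the database covers the third retention point (test systems): the functions take any connection, so they can be pointed at a restored dump before it is handed to developers.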
Title: Re: GDPR
Post by: stawebnice on April 26, 2018, 10:10:52 AM
well, the purpose of this post was to raise discussion about what needs to be implemented in VM - not discussing the actual content of the GDPR terms and the internal policy of handling the data inside the company; those are supposed to be handled by the vendor

:)
Title: Re: GDPR
Post by: diri on April 26, 2018, 18:59:51 PM
Hello AH,

*"Buying must be possible as guest without registration at Joomla."
*
*This has always been possible in VM

Hope it works ...

*However - I question whether GDPR creates such a requirement, please point out GDPR clauses where such things are expected

Consent (6.1.1) and coupling ban (7.4).

A Joomla (System) account is never needed to fulfil an order.

cu, diri
Title: Re: GDPR
Post by: AH on April 26, 2018, 23:45:42 PM
Diri

Good to see your response - it may be useful for those out there who may be struggling with these topics.

Quote
Hello AH,

*"Buying must be possible as guest without registration at Joomla."
*
*This has always been possible in VM

Hope it works ...

I am unsure what this comment means - You have always been able to purchase items from a VM store without need for joomla registration. Yes it works and has always worked.

Quote
Buying must be possible as guest without registration at Joomla.

*However - I question whether GDPR creates such a requirement, please point out GDPR clauses where such things are expected

Consent (6.1.1) and coupling ban (7.4).

A Joomla (System) account is never needed to fulfil an order.

I think you point to this "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

A somewhat moot point (as VM allows for purchases without Joomla registration. Customer registration can be turned off completely if required - which is the case for some shops I have seen.)

I will watch with anticipation as to how (7.4) "forces" the provision of guest shopping on the larger retailer e-commerce platforms.

Amazon might be one to watch for such new functionality. Maybe they consider themselves outside the EU for this purpose - if not, then guest shoppers will be coming around May 26th.

Just to confirm - guest shopping is provided for in base VM, all versions


Title: Re: GDPR
Post by: diri on April 27, 2018, 05:16:21 AM
Hi AH,

I'm also watching what happens at large shops in this relation.

Keywords are minimize data being collected to bare minimum and "consent is freely given".

You'll find a lot of additional information when watching the advertising industry. They have large problems as well. Current public statements are relatively vague recommendations only, but no real solution.

btw:
WhatsApp introduced a stupid age "verification" now in reaction to GDPR (one click to confirm age 16 or above). I doubt it being sufficient. Facebook moved all user data from Ireland to the U.S.A. a short time ago.

edit:
Take care when linking to social media. Facebook is tracking non-member data as well in case there is a direct link to "like us".

cu, diri
Title: Re: GDPR
Post by: Milbo on May 23, 2018, 08:58:17 AM
Quote from: diri on April 26, 2018, 06:05:13 AM
Hi,

according to GDPR there must be some kind of age verification as well. Agreement can only be accepted in case the customer is 13 at least (14 in Austria, 16 in Germany). In case the visitor of the site is younger, agreement of a parent is needed.
In Germany it is 13, but only up to 100 euro per sale. Except for some wares.

Quote from: diri on April 26, 2018, 06:05:13 AM
Buying must be possible as guest without registration at Joomla.

The only information which is additionally stored is NOT personal. A nickname is usually either fantasy, or related to the already given data. It depends on the system. The law means something different, which I often encounter when I explain Joomla to customers (new VM users).
For example, a customer thought that when he creates an account on joomla.org, he has an account on his webpage. So the law means it is not allowed that a customer is automatically registered at ANOTHER system. In our case a Joomla account is always used to provide extra services and not for any data mining. So as long as a web owner is not installing extra software, the Joomla account is just used for obvious, transparent features like customer recognition.

What are the advantages of a registration? A returning customer is recognised, but only IF he uses the account, else he can just checkout as guest. The login just gives a legal history of the user's orders. As long as you do not connect this data to other data, all is legal, imho. Especially if you need it to determine whether you give someone support.
Title: Re: GDPR
Post by: vaskern on May 24, 2018, 09:52:22 AM
Quote from: Milbo on May 23, 2018, 08:58:17 AM
The only information which is additional stored is NOT personal. A nickname is usually either fantasy, or related to the already given data.
So from a legal perspective there is no difference whether the user registers or not, right? From a non-technical view maybe it would be logical that if you don't register no data is saved? Or only save information about the products ordered, nothing about the person. Of course this info is needed for the shop owner, so VM sends this by email. And add in the ToS that personal info is deleted when processed (by the shop owner deleting the mail). AIUI a large part of GDPR is communicating to the individual about data stored. Just an idea.
Which brings me to a question: I am getting lots of mails from businesses and organizations regarding GDPR and the data they have on me. Is it necessary to send out an email to all registered customers?
Thanks 
Title: Re: GDPR
Post by: AH on May 24, 2018, 12:49:22 PM
My thoughts (for what they are worth)  :)

If you register - you give over an email - that is considered personal information

Quote
So from a legal perspective there is no difference whether the user registers or not, right?

Unless one of us is a data protection lawyer (in the specific region(s) you and your data subjects are domiciled) - I think it unwise to expect definitive legal answers here.

Storing data required to fulfill an order is all fine if you have a simple privacy notice. If what you collect and store can be reasonably expected as being necessary to fulfill an order and meet your legal requirements for reporting / guarantee validation / or for communication relating to order queries.

Deleting personal information for an order is not required even if the user "demands" it, as long as you have another valid legal reason to keep such data.

Registered users could ask to have their registration details removed.

Regarding communication to existing registered customers - That depends on what data you stored and what you intend to use it for in the future.
Title: Re: GDPR
Post by: vaskern on May 24, 2018, 13:20:52 PM
Quote from: AH on May 24, 2018, 12:49:22 PM
My thoughts (for what they are worth)  :)
Quote from: AH on May 24, 2018, 12:49:22 PM
Unless one of us is a data protection lawyer (in the specific region(s) you and your data subjects are domiciled) - I think it unwise to expect definitive legal answers here.
Yes, and legal matters are often much less black and white than one can think. And I am not educated in the field. But I don't think it's about regions, this is about the whole EU.

Quote from: AH on May 24, 2018, 12:49:22 PM
If you register - you give over an email - that is considered personal information
But the other info (name, address, phone, what you bought) also counts as personal information I would think.

Quote from: AH on May 24, 2018, 12:49:22 PM
Regarding communication to existing registered customers - That depends on what data you stored and what you intend to use it for in the future.
Just what they entered when registering (email, name, address) and purchase history. Don't intend to use it other than for letting them login again. What is the verdict? Do I have to inform users (by sending mail before GDPR) that they are in the system - or not?
Title: Re: GDPR
Post by: AH on May 24, 2018, 15:09:07 PM
I am not informing anyone that they registered before GDPR

Nor do I see the requirement to inform those purchasers that there is order data being held.
Title: Re: GDPR
Post by: servlet on May 24, 2018, 17:02:36 PM
Quote from: stawebnice on April 26, 2018, 10:10:52 AM
well, the purpose of this post was to raise discussion about what needs to be implemented in VM - not discussing the actual content of the GDPR terms and the internal policy of handling the data inside the company; those are supposed to be handled by the vendor

:)


When a programmer starts identifying himself as a lawyer ... not long after, the developer will hire a lawyer.

She is right.

And if each of you consults a lawyer competent in the matter, he will get a reply that there should be 2 checkboxes. Everything else is pure laziness that will lead to sanctions sooner or later.
Title: Re: GDPR
Post by: AH on May 24, 2018, 21:12:50 PM
Servlet

VM supports the creation of multiple checkboxes which may be used for whatever purpose you deem relevant.

Quote
And if each of you consults a lawyer competent in the matter, he will get a reply that there should be 2 checkboxes. Everything else is pure laziness that will lead to sanctions sooner or later.


My statement still stands - I think it unwise to expect definitive legal answers here.

Title: Re: GDPR
Post by: vaskern on May 24, 2018, 21:32:24 PM
Maybe the thread can be split up in two? I see nothing wrong with discussing the legal matters of GDPR, but better in its own thread, I suppose.
Title: Re: GDPR
Post by: servlet on May 25, 2018, 14:16:22 PM
Well,
What happens in the "ask a question" pop-up?
There is no check box for the ToS, or am I missing something...
This information is not stored in the website DB, but it is stored in e-mail servers and it is visible to everyone who opens the e-mail...
By the law, name + e-mail is personal data.
Title: Re: GDPR
Post by: jenkinhill on May 25, 2018, 14:55:50 PM
Quote from: servlet on May 25, 2018, 14:16:22 PM
What happens in the "ask a question" pop-up?
There is no check box for the ToS, or am I missing something...

Can be covered in the site privacy statement which should include the policy for email sent to the store.
Title: Re: GDPR
Post by: servlet on May 25, 2018, 15:02:46 PM
If you are a registered user it is OK. But if you are not registered you have to check YES.

How many of you have read the new law?
When users provide personal data, they must agree to the processing of this information.
It is not enough just to have rules and text somewhere on your site.
Every shop should have check boxes in every form.
Title: Re: GDPR
Post by: jenkinhill on May 25, 2018, 15:37:50 PM
The plugin I have been using for cookie information & refusal/acceptance records the IP of those accepting. The wording is used to suit the site. Nothing new.
Title: Re: GDPR
Post by: AH on May 25, 2018, 16:52:20 PM
Quote
When users provide personal data, they must agree to the processing of this information.

Yes I wondered about this rule, especially for emails they send to you rather than data you collect via a web form.

In such an instance there is no chance of agreement, and you cannot prevent them from sending you personal information (their email of course, and whatever else they add to it)

What happens when you advertise and people send you an email asking you lots of questions or providing you with lots of information. You will definitely be storing it in your mail servers :-)

Title: Re: GDPR
Post by: servlet on May 25, 2018, 16:58:24 PM
Quote from: AH on May 25, 2018, 16:52:20 PM
What happens when you advertise and people send you an email asking you lots of questions or providing you with lots of information. You will definitely be storing it in your mail servers :-)

If you want to be fully sure, you have to be an operator of personal data - you can register with your local government...

By the law, a user who sends you information can request data deletion - you will delete his e-mail after all...

So you have to add a link to the ToS and PP in your signature at the bottom of the e-mail.

Title: Re: GDPR
Post by: jjk on May 25, 2018, 19:39:12 PM
Quote from: servlet on May 25, 2018, 16:58:24 PM
So you have to add a link to the ToS and PP in your signature at the bottom of the e-mail.

One of the current problems with the GDPR is that many people interpret things into the law that are not intended by the legislator. ;)

Title: Re: GDPR
Post by: servlet on May 27, 2018, 08:42:20 AM
Quote from: jenkinhill on May 25, 2018, 15:37:50 PM
The plugin I have been using for cookie information & refusal/acceptance records the IP of those accepting. The wording is used to suit the site. Nothing new.

Read the law.
Cookie information & refusal/acceptance was acceptable until 25.05.2018.
From 25.05.2018 it is very different.
You have to add to your site:
ToS - has to be included with a check box in checkout, registration, and other forms where you have a relation with the user.
Privacy policy - has to be included with a check box in each form where the user fills in personal data.
Cookie policy - you can use the current plugin.

If this is missing on the site, someone can report it and you will have a lot of trouble and big fines.

You have to give the user info about his personal data every time he wants, to change or delete info or profile... There are new extensions that give the user options to do this himself. Look at JED for these extensions. I am using one of them.
Title: Re: GDPR
Post by: jjk on May 27, 2018, 09:34:24 AM
Quote from: servlet on May 27, 2018, 08:42:20 AM
You have to add to your site:
ToS - has to be included with a check box in checkout, registration, and other forms where you have a relation with the user.
Privacy policy - has to be included with a check box in each form where the user fills in personal data.

Can you tell the paragraph in GDPR which tells you that this is mandatory? (I doubt that you can)  ;)
Title: Re: GDPR
Post by: jenkinhill on May 27, 2018, 13:02:42 PM
The text is here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679

Member states may choose to ignore/change some or all of the rules.
Title: Re: GDPR
Post by: AjaD on June 19, 2018, 18:47:37 PM
So can the moderators or those of you who work on Virtuemart development tell the rest of us what you plan to do to make Virtuemart compliant with GDPR?
What features do you plan to implement and when?

Thank you,
Title: Re: GDPR
Post by: jjk on June 20, 2018, 00:07:46 AM
I wouldn't make it more complicated than it is. For my shop I simply wrote my own 'Privacy Policy' into a Joomla article, which is linked in the template footer position.
There are quite a lot of sample GDPR texts for a 'Privacy Policy', which you can find through Google. There are also some online GDPR text generators, but those are usually provided by lawyers who insist on links to their site or ask for the right to contact you for marketing their service in their terms of trade.

It's up to you to decide what you want to include in your privacy policy. I stripped everything which I think is legal junk, not applicable or not required by the law and ended up with 190 words (Last week I've even seen a shorter one on the website of a data privacy expert). But you can easily find privacy statements that are more than 6000 words long.
:)
Title: Re: GDPR
Post by: webkul on June 20, 2018, 07:01:04 AM
Hi Petra Prochazkova,

We understand your point of concern and really appreciate your effort, all the active developers of VirtueMart community should join us and contribute their ideas and views on each other so that we all can make a better platform and provide great service to the VirtueMart community users worldwide.

Quote
Joomla GDPR Compliance

Joomla GDPR Compliance is an extension with the help of which the admin can configure cookie groups according to his business needs, simply add the description of that cookie group and list cookies under that group. At the front end, a user of the site can see the "cookie setting" and also an option to allow cookie groups or not.

One of the most important features of this extension is that we have given a view where a user can ask the admin of the site to show the information that site has captured.



Quote
Features:

Admin can set cookie groups and provide the user functionality to enable/disable cookies.
Admin can create extension-specific queries to provide the user functionality to retrieve their data.
Front-end users can download their retrieved data.



Quote
For more details please visit: https://webkul.com/blog/joomla-gdpr-compliance/

All members are requested to please have a look at this extension and give your valuable suggestions.