GDPR

[stawebnice]

*** PURPOSE OF THIS POST IS TO RAISE A DISCUSSION ABOUT WHAT NEEDS TO BE IMPLEMENTED IN VIRTUEMART, NOT GENERAL GDPR TERMS CONTENTS ***

GDPR - SUGGESTED CHANGES IN VIRTUEMART:

PERSONAL AND SENSITIVE DATA COLLECTED/STORED/SUBMITTED VIA VM FORMS:

a) name, middle name and last name, username, company name
b) email
c) phone, mobile phone
d) billing address
e) shipping address
f) fax
g) tax exemption number (VAT ID, Reg. ID)
h) IP address


1. CHECKOUT

1.1 FRONT-END:
a) checkbox with popup privacy policy terms such as Terms of Use
b) obligatory field, not checked (those who do not agree cannot complete order).

1.2 BACK-END:
a) field to enter Privacy Policy such as Terms of Use (VENDOR TAB in Configuration), or possibility to enter article ID, or select menu item (this could be handled in SHOPPER FIELD setting actually because most shops have ToU in footer and having it both in articles and in VM config requires changes in two locations)

b) store agreement, e.g. YES in database in separate filterable column - both for registered and guest shoppers -> should be visible on order list and customer list and be able to filter users who did not agree (for purpose of export for newsletter requiring the additional consent)


2. REGISTRATION

FRONT-END:
a) similar checkbox with popup terms such as Terms of Use
- obligatory field, not checked (those who do not agree cannot complete registration).

b) store agreement, e.g. YES in db in separate filterable column -> should be visible on order list and customer list and be able to filter users who did not agree (for purpose of export for newsletter requiring the additional consent)


4. SHOPPER FIELDS
a) add built in checkbox that cannot be deleted just like for terms of use

3. ASK ABOUT A PRODUCT
- this is not stored in DB, but emails are also issue - question is, if VM should store this info for the purpose of consolidated report about submitted sensitive data

similar checkbox with popup terms such as Terms of Use
- obligatory field, not checked (those who do not agree cannot send the question).

4. RECOMMEND A PRODUCT

- this is not stored in DB, but emails are also issue - question is, if VM should store this info for the purpose of consolidated report about submitted sensitive data

5. PRODUCT REVIEW
similar checkbox with popup terms such as Terms of Use
- obligatory field, not checked (those who do not agree cannot send the question).


6. EXPORTS
This could be an extra component, but ability to look up a customer and export/delete all information about him/her in a  database is important for whole GDPR process because anyone who stores such information must be able to provide a printable or downloadable report o all personal/sensitive data stored about an individual who requires it and then if asked must be able to easily delete it.

7. SAMPLE GDPR TERMS
- I have them in Czech, not too long, we could translate them into  all VM languages and replace vendor data by a variable.

- not necessary, just a way to make things better then others

[diri]

Hi,

according GDPR there must be some kind of age verfication as well. Agreement can only be accepted in case customer is 13 at least (14 in Austria, 16 in Germany). In case visitor of site is younger agreement of parent is needed.

Buying must be possible as guest without registration at Joomla.

GDPR terms require a lot of explanations. In Germany recommended texts are more than 600 lines with some formatting for better reading ...

Something has to be done with selective cookie disabling as well.

cu, diri

[AH]

"Buying must be possible as guest without registration at Joomla."

This has always been possible in VM

However - I question whether GDPR creates such a requirement, please point out GDPR clauses where such things are expected

[AH]

a) name, middle name and last name, username, company name
b) email
c) phone, mobile phone
d) billing address
e) shipping address
f) fax
g) tax exemption number (VAT ID, Reg. ID)

In addition. h) IP address

[AH]

3. ASK ABOUT A PRODUCT
- this is not stored in DB, but emails are also issue - question is, if VM should store this info for the purpose of consolidated report about submitted sensitive data

similar checkbox with popup terms such as Terms of Use
- obligatory field, not checked (those who do not agree cannot send the question).

4. RECOMMEND A PRODUCT

- this is not stored in DB, but emails are also issue - question is, if VM should store this info for the purpose of consolidated report about submitted sensitive data

I would advise storing additional data in the database, that is not required by law

Such requests appear in email boxes of the organisation.  Handling of email is outside the scope of VM

Sensitive data held in emails is withing the scope of GDPR - but that information can come from anywhere.  Organisations should already have a policy in place to handle such information.

[AH]

Stawebnice

Nice introduction to things to be considered.

Note that many of these requirements are NOT "new" as a result of GDPR - these data protection requirements/principles have been around for years - but people are now waking up to them because of all the publicity for GDPR.
Data controllers should already have things in place to manage their data collection and handling.  With a clear data audit and data protection policy in place within their business.

All personal data should be kept only for as long as is relevant for the purpose it was intended (in many cases this may be for local tax reporting regulation)  Outside of the period or relevance and purpose for collection it is worth considering the functionality below

1. Depersonalisation of sensitive data older than period x

2. Removal of all customer data after period y of inactivity (logon)

3. Ability to depersonalise sensitive data within test systems using database tools
The purpose of data collection is very unlikely to include use for Testing - so time limit does not apply

Do a data audit - Document where your data is within and outside your business
Identify what it is being used for and if this is covered explicitly by your policies to which the customer has agreed
Don't try and hide multiple uses in one huge terms document

After all you are the data controller - if you collected the data, you cannot hand off responsibility to data processors - you are ultimately responsible if your data processors mishandle the data that you allowed them access to.

Anyone handling personal data, should have have undergone some basic training regarding data protection.  With only those who need access being given access.

Here is a link for UK businesses (ps. if this is new to you then  )
https://ico.org.uk/for-organisations/guide-to-data-protection/

[stawebnice]

well, the purpose of this post was to raise discussion what needs to be implemented in VM - not discussing the actual content of the GDPR terms and internal policy of handling the data inside the company, those are supposed to be handled by the vendor

[diri]

Hello AH,

*"Buying must be possible as guest without registration at Joomla."
*
*This has always been possible in VM

Hope it works ...

*However - I question whether GDPR creates such a requirement, please point out GDPR clauses where such things are expected

Consent (6.1.1) and coupling ban (7.4).

 A Joomla (System) account is never needed to fullfill an order.

cu, diri

[AH]

Diri

Good to see your response - it may be useful for those out their who may be struggling with these topics.

Hello AH,

*"Buying must be possible as guest without registration at Joomla."
*
*This has always been possible in VM

Hope it works ...

I am unsure what this comment means - You have always been able to purchase items from a VM store without need for joomla registration. Yes it works and has always worked.

Buying must be possible as guest without registration at Joomla.

*However - I question whether GDPR creates such a requirement, please point out GDPR clauses where such things are expected

Consent (6.1.1) and coupling ban (7.4).

 A Joomla (System) account is never needed to fullfil an order.

I think you point to this "When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract."

A somewhat moot point (as VM allows for purchases without Joomla registration. Customer registration can be turned off completely if required - which is the case for some shops I have seen.)

I will watch with anticipation as to how (7,4) "forces" the provision of guest shopping on the larger retailer e-commerce platforms.

Amazon might be one to watch for such new functionality.  Maybe they consider themselves outside the EU for this purpose - if not, then guest shoppers will be coming around May 26th.

Just to confirm - guest shoppers is provided for in base VM all versions

[diri]

Hi AH,

I'm also watching what happens at large shops in this relation.

Keywords are minimize data being collected to bare minimum and "consent is freely given".

You'll find a lot of additional information when watching advertising industry. They have large problems as well. Current public statements are relative vague recommendations only but no real solution.

btw:
WhatsApp introduced a stupid age "verification" now in reaction to GPDR (one click to confirm age 16 or above). I doubt it being sufficient. Facebook moved all user data from Ireland to U.S.A. short time ago.

edit:
Take care when linking to social media. Facebook is tracking non-member data as well in case there is a direct link to "like us".

cu, diri

[Milbo]

Hi,

according GDPR there must be some kind of age verfication as well. Agreement can only be accepted in case customer is 13 at least (14 in Austria, 16 in Germany). In case visitor of site is younger agreement of parent is needed.

In germany it is 13, but only up to 100 euro per sale. Except for some wares.

Buying must be possible as guest without registration at Joomla.

The only information which is additional stored is NOT personal. A nickname is usually either fantasy, or related to the already given data. It depends on the system. The law means something different, which I often encounter, when I explain customers (new vm Users) joomla.
For example a customer thought, that when he creates an account on joomla.org, that he has an account on his webpage. So the law means, it is not allowed that a customer is automatically registered at ANOTHER system. In our case a Joomla account is always used to provide extra services and not for any data mining. So as long a webowner is not installing extra software, the joomla account is just used for obvious, transparent features like customer recognition.

What are the advantages of a registration? A returning customer is recognised, but only IF he uses the account, else he can just checkout as guest. The login just gives a legal history of the user orders. As long you do not connect this data to other data, all is legal, imho. In special if you need it to determine if you give someone support.

[vaskern]

The only information which is additional stored is NOT personal. A nickname is usually either fantasy, or related to the already given data.

So from a legal perspective there is no difference whether the user registers or not, right? From a non technical view maybe it would be logical that if you don't register no data is saved? Or only save information about the products ordered, nothing about the person. Of course this info is needed for the shopowner so VM sends this by email. And add in tos that personal info is deleted when processed (by shopowner deleting mail). AIUI large part of GDPR is communicating to the individual about data stored. Just an idea.
Which brings me to a question, I am getting lots of mails from businesses and organizations regarding GDPR and data they have on me. Is it neccesary to send out an email to all registered customers?
Thanks 

[AH]

My thoughts (for what they are worth) 

If you register - you give over an email - that is considered personal information

So from a legal perspective there is no difference whether the user registers or not, right?

Unless one of us is a data protection lawyer ( in the specific region(s) you and your data subjects are domiciled) - I think it unwise to expect definitive legal answers here.

Storing data required to fulfill an order is all fine if you have a simple privacy notice. If what you collect and store can be reasonably expected as being necessary to fulfill an order and meet your legal requirements for reporting / guarantee validation / or for communication relating to order queries.

Deleting personal information for an order is not required even if the user "demands" it, as long as you have another valid legal reason to keep such data.

Registered users could ask to have their registration details removed.

Regarding communication to existing registered customers - That depends on what data you stored and what you intend to use it for in the future.

[vaskern]

My thoughts (for what they are worth) 

Unless one of us is a data protection lawyer ( in the specific region(s) you and your data subjects are domiciled) - I think it unwise to expect definitive legal answers here.

Yes, and legal matters are often much less black and white than one can think. And I am not educated in the field. But I don't think its about regions, this is about the whole EU.

If you register - you give over an email - that is considered personal information

But the other info (name, address, phone, what you bought) also counts as personal information I would think.

Regarding communication to existing registered customers - That depends on what data you stored and what you intend to use it for in the future.

Just what they entered when registering (emal, name, address) and purchase history. Don't intend to use it other than for letting them login again. What is the verdict? Have to inform users (by sending mail before GDPR) that they are in the system - or not?

[AH]

I am not informing anyone that they registered before GDPR

Nor do I see the requirement to inform those purchasers that there is order data being held.