We have written an FAQ dedicated to the GDPR to answer your questions about this regulation.
What is the GDPR?
May 25, 2018 marked the entry into force of the General Data Protection Regulation (GDPR). The GDPR governs the processing of personal data within the European Union.
The introduction of this European regulation aims to harmonize the rules within the European Union but also to respond to the evolution of technologies and our societies. By strengthening the rights of data subjects, the GDPR aims to allow them to maintain control over their data.
Compliance with the regulation by professionals, in addition to improving the management of your data, is a considerable asset for strengthening user confidence.
When does the regulation apply?
The GDPR is intended to apply to all processing of personal data, whether automated or not.
Any collection, consultation, storage, modification, extraction, use, communication, destruction, etc. of such data is considered "processing".
Any information relating to a natural person who is identified or identifiable, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an IP address, location data, an online identifier, etc., is considered personal data.
Who is concerned?
Two types of actors are likely to process personal data within the meaning of the GDPR: the controller and its potential processors (subcontractors).
The controller is the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing.
The processor (subcontractor), for its part, processes personal data on behalf of the controller and, as such, does not determine the purposes or the essential means of the processing. This qualification determines which liability regime applies.
From a territorial point of view, the regulation applies not only to any European company, but also to any company located outside the EU that processes the personal data of European citizens.
What does this mean for end customers?
The GDPR allows each individual to benefit from rights on the processing of their personal data.
First of all, the person concerned by the processing of personal data must be informed. Regardless of the purpose or legal basis for processing, the data subject has a:
- Right of access to his data;
- Right to rectification of his data;
- Right to erasure of his data;
- Right to the limitation of the processing of his data.
If the data subject has given consent to the processing of their data, they also have the right to withdraw that consent at any time. However, withdrawing consent does not render unlawful the processing already carried out on that legal basis.
If the data subject has given consent to the processing of their data, or if the processing is based on the performance of a contract, they also have the right to the portability of the data they provided.
Finally, if the processing is based on the legitimate interest of the organization, the data subject has the right to object on legitimate grounds, in accordance with Article 21 of the GDPR. However, when their data is processed for prospecting (direct marketing) purposes, they do not have to give any grounds.
What does this mean for PrestaShop e-merchants?
E-commerce companies must ensure that their store allows their end customers to exercise all their rights over the processing of their personal data. E-commerce companies must therefore allow their customers to:
- Be informed of the collection and purposes of use of their data;
- To be able, when necessary, to give and withdraw their consent to the collection and processing of their personal data;
- Access their data, rectify it, obtain its portability and, in some cases, object to its processing and obtain its erasure.
E-commerce companies must also:
- Only collect data that is necessary and relevant to the store's business objective;
- Retain the data only for the period necessary in view of the purpose of the collection;
- Inform customers of data collection and their rights;
- Implement all technical and organizational measures to demonstrate that their practices are in compliance with the GDPR.
What does PrestaShop provide to allow e-merchants to be compliant with the GDPR?
PrestaShop has developed a module to help e-commerce merchants and module developers to be compliant with the GDPR. This module aims to manage the personal data collected by the PrestaShop software, by the native modules and the community modules installed on your store (only the modules that are themselves in compliance with the GDPR).
It will allow you to be compliant with the GDPR by meeting the following requirements:
- Right of access of users to their personal data from their customer account;
- Right of users to obtain the portability of their data (copy of their data exportable in CSV and PDF file);
- Right for users to obtain a modification and/or deletion of personal data, subject to merchant validation;
- Right of users to give and withdraw their consent;
- Obligation of e-merchants to keep a register of processing activities (including for access, consent and erasure of personal data).
Do you own a PrestaShop store version 1.7?
Here are the 3 steps to follow to install the GDPR module:
- In the back office, go to the Modules > Modules & Services page.
- In the Selection section, use the search bar by entering the following word (depending on the store's language):
  - FR: "RGPD"
  - EN: "GDPR"
  - ES: "GDPR"
  - DE: "DSGVO"
  - IT: "GDPR"
  - NL: "AVG"
  - PL: "GDPR"
  - PT: "GDPR"
  - RU: "GDPR"
  - All other languages: "GDPR"
  - WARNING: this exact term must be used, otherwise the module will not be found in the list.
- A module will appear: "Official GDPR compliance" (EN) or "RGPD Officiel" (FR). Click on Install and that's it!
What does this mean for PrestaShop contributors?
You, contributors, are very likely to be subject to the GDPR, since the products you sell on Addons most probably meet the conditions for its application, namely:
- Your products (modules, themes, email templates) collect personal data (any information relating to a natural person that allows them to be identified directly or indirectly): identity, email address, IP address, telephone number, location data, consumption habits, etc.
- The users of your products are located within the territory of the European Union, in other words, your product is for sale in at least one EU country.
More information is available in the GDPR FAQ for contributors.