To be well prepared for Black Friday, on Thursday, November 23, we attended the conference "GDPR in marketing" together with the law office of Pilch Piotrowski & Partnerzy, with the aim of preparing the e-commerce industry for the upcoming regulations. Attorney Marcin Pilch was one of the speakers and explained how edrone adapts its marketing automation system to the law.
Below we share the experience gained during discussions with other lawyers and industry practitioners.
GDPR (General Data Protection Regulation) is not a single act, but a group of regulations on issues related to the processing and protection of personal data. We realize that it is hard to get through all of them, so we did it for you and highlighted the most important changes for the e-commerce industry.
From 23/05/2018, when the GDPR comes into force, the data controller (usually your store) will be responsible for collecting and storing customer data. You will also have to justify the necessity of collecting each specific piece of data (e.g. date of birth).
The GDPR regulations can be divided into four groups:
1. Legal collection of data:
- Above all, this means making sure that the customer knowingly and voluntarily gave consent to receive the relevant content.
- Consent may not be given knowingly when, for example, the box next to the consent text is pre-checked. Customers often click "Next" without reading what is written. It is the responsibility of the store owner to make sure that the customer has read the information. In all activities, the store owner should follow the principle of "privacy by default" and minimize the data collected to what is strictly necessary.
- Consent may be treated as indefinite if we combine consents for communication via different channels (e.g. e-mail and SMS). The customer should be able to choose the channel through which he wants to receive information: he may consider a telephone number too intrusive for his privacy, but willingly read e-mails. If we want to communicate with the customer through instant messengers such as Messenger or WhatsApp, we need a separate consent for that as well.
- Consent should be voluntary, and it can be withdrawn at any time.
- We should also know when we obtained the consent and be able to prove it, because the customer may forget that he gave it.
2. Notification duty:
We should clearly inform the customer what we need his data for and for what purpose it will be used and processed.
What should we inform about?
- First of all, we should clearly identify ourselves: give the name of the entity processing the data and its registered office, and preferably confirm its identity with its NIP (Tax Identification Number) and KRS (National Court Register) number.
- The purpose for which we need the customer's data, together with the legal basis.
- The right to withdraw consent, to file an objection with the company, or to lodge a complaint with the appropriate authority.
- The entities from which we obtain data and the entities to which we intend to make it available.
- The planned period for which the data will be stored.
- Whether providing the data is voluntary or mandatory. Note that providing data for shipping should not be treated as a consent in itself: if the customer makes a transaction with us, it is clear that he must provide the necessary data (e.g. the address), and we only inform him what we need it for.
To help with this, together with the office of Pilch Piotrowscy & Partnerzy we have prepared a webpage about GDPR, where a document with sample consents is available:
4. Data transfer to third countries.
Note that if the entity processing the data, or its servers, are located outside the European Union, it needs a special authorization, i.e. it should be entered on the Privacy Shield list.
edrone, as an EU company that stores personal data only on servers in the EU, is fully prepared for the upcoming legislation in this respect.
3. Customer rights:
- The right to access data: the ability to request a copy at any time.
- The right to data portability: a copy in a commonly used file format, e.g. CSV.
- The right to data removal (right to be forgotten).
- The right to update data.
- The right to limit data processing.
- The right to object to data processing with the entity, as well as to lodge a complaint with the appropriate authority.
- Rights related to automated data processing. If profiling takes place automatically and has legal effects for the customer, he should be informed about it. He should also have the right to contest the consequences of such an automated decision (e.g. sending or not sending a discount code).
In summary, GDPR is compatible with currently applicable regulations, while the current regulations are not compatible with GDPR.
What does it mean?
We can start preparing our activities in accordance with the new regulations now. Doing so will not conflict with the current ones, and it will allow us to avoid the shock and the unnecessary trials and tribulations associated with the introduction of the new regulations in the spring.