The GDPR entered into force on May 25, 2016. However, the EU member states have only had to apply the General Data Protection Regulation (GDPR) since May 25, 2018. Many sellers and website operators are therefore asking themselves the big question of what exactly they have to do to be protected from the high penalties of the GDPR and to avoid losing the trust of their customers and users.
Even among our Shopify customers, everyone is now asking the questions:
What else do I need to consider?
Does Shopify comply with the GDPR?
Can I stay with Shopify or do I have to switch to a German system?
Our answer: You don't have to switch! Shopify continues to adapt to EU laws and offers you the options to use Shopify in a legally compliant manner in the EU.
Reading tip: How to use Shopify in Germany in a legally compliant manner.
You don't want to be left alone with Cookie Consent, T&Cs, Imprint and Co. As a Shopify agency, we are happy to support you with your online store. Contact us.
The aim of the General Data Protection Regulation
The aim of the GDPR is to standardize data protection law within the EU.
Data protection law is to become more privacy-friendly for the users concerned. Citizens are to regain control over their data as far as possible. Together with significantly higher fines, this is intended to ensure that cloud services or social networks from the USA, for example, must also comply with the rules.
What should be protected with the new EU-DSGVO?
The most important connecting factor in the scope of application of the General Data Protection Regulation (GDPR) is personal data, e.g.:
License plate number
Every person should have control over their data and be informed at all times about which data they disclose and for what purpose it is stored.
Data storage under the GDPR will therefore become more transparent in the future. In doing so, the EU covers not only the EU member states but also third countries. Every third country, i.e. every country outside the EU, must comply with the same transparency requirements for data as you as a retailer within the EU.
Reading tip: All important information on the Price Indication Ordinance can be found here.
Prohibition subject to permission
The collection, processing and use of personal data is generally prohibited without the consent of the data subject.
This permission or consent to data storage can arise, for example, from the following:
Law, e.g. from the BDSG, TMG, EU-DSGVO
Consent of the data subject
Data minimisation (data economy): only data that is needed and processed may be collected.
Purpose limitation: data may only be processed for the purpose for which it was collected.
The new principles of the General Data Protection Regulation
Data security - Article 32 GDPR
Data security: a level of protection for the data that is commensurate with the risk.
This means that the level of protection you must ensure is based on the need for protection of the personal data. What measures are then "appropriate" is based on the state of the art, the necessary implementation costs, the circumstances, etc.
Thus, a doctor or hospital has different obligations and rights with regard to data protection than, for example, a website operator.
Right to be forgotten (right to erasure) - Article 17 GDPR
Personal data must be deleted or blocked if there is no longer any authorization to use the data.
Users can assert this right not only against search engine operators such as Google, but also against any entity that processes personal data - including you as a store owner or website operator.
You are obliged to delete the data for the following reasons, among others:
The personal data are no longer necessary for the purpose for which they were collected (Art. 17 a)
The data subject has withdrawn his/her consent (Art. 17 b, c)
The data processing was/is unlawful (Art. 17 d)
Erasure is required by law
Right to data portability - Article 20 GDPR
Every person has the right to receive all personal data that you store about them in a readily processable, commonly used format.
In other words, the possibility and the right to "take" their data to another provider.
Accountability - Article 5 GDPR
Lawfulness, fair processing, transparency.
This article describes how to demonstrate compliance with the data protection principles.
Personal data must
be processed in good faith, comprehensibly and transparently
be collected for specified and unambiguous purposes
be limited to the data necessary for the purpose
be up to date and correct; data that is no longer up to date and incorrect for the purpose must be deleted
be stored in such a way that the data subject can only be identified for as long as it serves the purpose
be processed in an appropriately secure manner
Obtain consents - Article 7 GDPR
In the future, you must strictly document consents. If a user signs up for your newsletter, for example, you must be able to prove this. A distinction is made here between voluntary and contractual consent.
For example, the General Data Protection Regulation stipulates with regard to consent:
Consent must be documented.
If the data subject consents to several points (e.g., as part of a contract), the purpose must be formulated clearly and in understandable language.
Consent can be revoked at any time.
Commissioned data processing (ADV), now "commissioned processing" (AV) - Article 28 GDPR
In ADV, the client is the primary contact for data subjects and is responsible for compliance with data protection requirements. However, the contractor (i.e., the processor) is also jointly responsible.
Contract data processors or processors include, among others:
external customer center (e.g. call center)
external newsletter provider
cloud computing provider
external marketing company
external data center
external ERP / CRM
store system / hoster (e.g. Shopify)
Social networks (Facebook, Instagram, etc.)
Processors must, for example:
draw up an inventory of all categories of processing activities carried out under contract (Article 30)
cooperate with a supervisory authority upon request (Article 31)
take technical and organizational data security measures (Article 32(1))
Note that the contract for ADV no longer has to be in writing but can also be concluded in electronic form.
The data protection officer - Article 37 GDPR
If one or more of the following points apply to you, you must appoint a data protection officer:
Your company consists of at least 10 employees
Your core activity involves "extensive regular and systematic monitoring of data subjects"
You process special categories of data in accordance with Articles 9 and 10 of the GDPR
New data protection obligations for employers
Data processing in the context of employment - Article 88 GDPR
As an employer, you are also subject to the new obligations under the GDPR. However, the new data protection regulations do not only affect the employer itself.
Rather, all entities that process personal data in connection with an employment relationship are affected. This may also include recruiters, works councils, public authorities, tax consultants and many others.
Shopify cookie banner & DSGVO
At the latest since the DSGVO came into force, every online store should have a so-called cookie banner. This informs users about the collection of personal data, usually in the form of a pop-up. The user must either agree to this collection of data, also called tracking, or be able to reject it.
With Shopify, such a cookie banner can be added via apps such as usercentrics.
Reading tip: You can read more about legally compliant Shopify cookie banners here.
In the future, the data protection provisions with all necessary information must be precise, transparent, understandable, easily accessible, written in clear and simple language and designate the legal basis for data processing.
Do you need help implementing the General Data Protection Regulation? Then contact us now without obligation and we will support you with our know-how.
Frequently asked questions about the new EU-DSGVO
What does the GDPR regulate?
The General Data Protection Regulation contains provisions that apply to the protection of individuals with regard to the processing and publication of personal data.
To whom does the GDPR apply?
The GDPR applies to all persons or organizations that collect personal data from customers or employees.
When do I have to delete data according to the GDPR?
Personal data must be deleted when data subjects revoke their declaration of consent or the purpose of the data processing has been fulfilled.