Obligations of e-shop operators in terms of personal data protection

28.05.2021 | Author: Top privacy, s.r.o.

The Office for Personal Data Protection has announced its annual inspection plan for 2021, which includes e-shop operators. Read on to find out what obligations e-shop operators must fulfill in terms of personal data protection.


1.) Correct legal basis for processing

E-shop operators are controllers within the meaning of the GDPR. Processing already covers the mere fact that the operator obtains, records or stores customers' personal data. Every processing operation must rest on a specific legal basis. When processing customers' personal data, e-shop operators can rely on the following legal bases:

  • pursuant to Article 6(1)(c) of the GDPR, on the basis of which the processing of personal data is necessary for the performance of a legal obligation to which the controller is subject;
  • on the basis of Article 6(1)(b) of the GDPR, where processing is necessary for the performance of a contract concluded with the customer;
  • on the basis of Article 6(1)(a) of the GDPR, according to which the customer must give their consent prior to the first processing of their data, for example for marketing purposes relating to the sending of newsletters, regular periodic materials, etc.;
  • on the basis of Article 6(1)(f) of the GDPR, where processing is necessary for the purposes of the legitimate interests pursued by the controller, which arise, for example, when providing information about the delivery of goods in which the customer has previously expressed an interest and has requested information about their availability.


2.) Data minimization

Some controllers collect personal data on a large scale and often to an unnecessary extent. We can argue that they do so based on a "nice to have" judgment. The controller should only process personal data that is necessary to achieve the specific purpose of the processing. If a customer requests this, i.e. gives their explicit consent to the processing of personal data for the purpose of sending marketing leaflets, they probably do not expect that, in addition to basic data such as name, surname, email address or telephone number, the controller will ask them for information about their clothing size.

3.) Transparency and information obligation

If the controller collects data about customers, they should always be informed of the purpose for which it is collected, the extent to which it is collected, how long it is planned to be stored, and to whom the data will be further provided. This is a matter of transparency and compliance with the information obligation under Articles 13 and 14 of the GDPR. This obligation is considered to be fulfilled, for example, by creating a tab on the controller's website under the name GDPR, Personal Data Protection, or Terms and Conditions of Personal Data Protection, where customers can find relevant and up-to-date information on how their personal data is processed for specific purposes of the e-shop. The information obligation also includes the controller informing their customers of their rights as data subjects, in particular the right to object to processing for direct marketing purposes or the right to withdraw consent to processing.

4.) Retention period for personal data

E-shop operators should ensure that they do not retain customers' personal data for longer than is necessary for the purpose of processing or as required by the law on registries. If a customer withdraws their consent to the processing of personal data for the purpose of sending marketing offers, the operator is obliged to terminate the processing of personal data by withdrawing this consent to send marketing offers. The retention period for personal data is therefore closely related to the specific purpose of processing.
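The rules in sections 1 to 4 can be enforced in code rather than only in a policy document: each purpose carries exactly one legal basis, stores only the fields it needs, and has a retention rule that is either a fixed period or "until consent is withdrawn". The following is an added illustration written for this page, not code from the article or from Top privacy, s.r.o.; the purpose catalogue, field allow-lists and the ten-year retention figure are constructed assumptions for the demo, not values taken from the text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Purpose:
    """One processing purpose: its single legal basis (section 1), the fields it
    may hold (section 2, data minimisation) and how long they may be kept (section 4)."""
    name: str
    legal_basis: str                # Article 6(1) letter that justifies this purpose
    allowed_fields: frozenset       # anything outside this set is never stored
    retention_days: Optional[int]   # None: kept only while the consent stands
    consent_based: bool = False     # True for Article 6(1)(a) purposes


# Constructed purpose catalogue (assumed values, not figures from the article).
PURPOSES: Dict[str, Purpose] = {
    "order_fulfilment": Purpose(
        "order_fulfilment", "Art. 6(1)(b)",
        frozenset({"name", "surname", "address", "email"}),
        retention_days=10 * 365),   # assumed statutory bookkeeping period
    "newsletter": Purpose(
        "newsletter", "Art. 6(1)(a)",
        frozenset({"name", "surname", "email"}),
        retention_days=None, consent_based=True),
}


@dataclass
class ProcessingRecord:
    customer_id: str
    purpose: str
    data: Dict[str, str]
    collected_on: date


class DataStore:
    """Minimal in-memory store that enforces purpose limitation."""

    def __init__(self) -> None:
        self.records: List[ProcessingRecord] = []

    def collect(self, customer_id: str, purpose: str,
                data: Dict[str, str], today: date) -> ProcessingRecord:
        """Store data for a purpose, refusing fields the purpose does not need."""
        spec = PURPOSES.get(purpose)
        if spec is None:
            raise ValueError(f"no legal basis defined for purpose {purpose!r}")
        extra = set(data) - spec.allowed_fields
        if extra:
            raise ValueError(f"{purpose}: fields not needed for this purpose: {sorted(extra)}")
        rec = ProcessingRecord(customer_id, purpose, dict(data), today)
        self.records.append(rec)
        return rec

    def withdraw_consent(self, customer_id: str, purpose: str) -> int:
        """Consent withdrawn: drop every record kept for that consent-based purpose."""
        if not PURPOSES[purpose].consent_based:
            raise ValueError(f"{purpose} does not rest on consent; handle it as an objection")
        before = len(self.records)
        self.records = [r for r in self.records
                        if not (r.customer_id == customer_id and r.purpose == purpose)]
        return before - len(self.records)

    def purge_expired(self, today: date) -> int:
        """Delete records whose fixed retention period has run out."""
        def expired(r: ProcessingRecord) -> bool:
            days = PURPOSES[r.purpose].retention_days
            return days is not None and r.collected_on + timedelta(days=days) < today
        before = len(self.records)
        self.records = [r for r in self.records if not expired(r)]
        return before - len(self.records)

    def purposes_for(self, customer_id: str) -> List[Tuple[str, str]]:
        """Purpose and legal basis per record: what the transparency notice must state."""
        return sorted({(r.purpose, PURPOSES[r.purpose].legal_basis)
                       for r in self.records if r.customer_id == customer_id})


def run_demo() -> dict:
    """Walk one constructed customer through collection, withdrawal and purge."""
    store = DataStore()
    day = date(2021, 5, 28)
    store.collect("c1", "order_fulfilment",
                  {"name": "Jana", "surname": "Nova", "address": "Example 1", "email": "j@example.com"}, day)
    store.collect("c1", "newsletter", {"name": "Jana", "surname": "Nova", "email": "j@example.com"}, day)
    try:                                   # clothing size is not needed for a newsletter
        store.collect("c1", "newsletter", {"email": "j@example.com", "clothing_size": "M"}, day)
        minimisation_enforced = False
    except ValueError:
        minimisation_enforced = True
    purposes_before = store.purposes_for("c1")
    withdrawn = store.withdraw_consent("c1", "newsletter")
    purposes_after = store.purposes_for("c1")
    purged_early = store.purge_expired(date(2021, 6, 1))
    purged_late = store.purge_expired(date(2032, 1, 1))
    return {"minimisation_enforced": minimisation_enforced, "purposes_before": purposes_before,
            "withdrawn": withdrawn, "purposes_after": purposes_after,
            "purged_early": purged_early, "purged_late": purged_late, "left": len(store.records)}


if __name__ == "__main__":
    print(run_demo())
```

The store refuses a field the purpose does not need instead of silently dropping it, so the over-collection surfaces as an error during development rather than as data that later has to be explained in the privacy notice; `purposes_for` is the list a transparency page (section 3) would be generated from.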

5.) Records of processing activities

Every e-shop operator is obliged to keep records of processing activities in relation to the processing activities it performs. These include, for example, marketing, loyalty programs, regular competitions, orders for goods or services. Records of processing activities may be kept in electronic or paper form. Records of processing activities shall be submitted by the operator to the Office for Personal Data Protection in the event of an inspection. They are therefore not intended for publication.

6.) Responsible person (data protection officer)

If the main activities of the e-shop operator consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, it must appoint a responsible person (data protection officer) in accordance with Article 37 of the GDPR, who will be responsible for ensuring compliance with the GDPR and national legislation. The role of the responsible person is to take over the personal data protection agenda and thus relieve the operator of its obligations under the GDPR.

7.) Intermediary (processor)

If e-shop operators decide to involve a processor in the processing of personal data and entrust them with the processing of customer personal data, for example for the purpose of evaluating a consumer competition or sending regular newsletters, it is important to ensure that the processor is selected appropriately. Operators must conclude a personal data processing agreement with the processor, who must guarantee compliance with the conditions set out in Article 28 of the GDPR.

8.) Security of personal data processing

E-shop operators are required to take appropriate technical and organisational security measures to protect their customers' personal data. Such measures must be in place before the first processing of personal data: for example, password-protecting computers in line with defined minimum security requirements, protecting customer data with antivirus software, appointing a responsible person where required, and securing both automated and non-automated means of processing.

Sanctions

The Office for Personal Data Protection imposes fines depending on the circumstances of each individual case, which may range up to EUR 10,000,000 or, in the case of an enterprise, up to 2% of the total worldwide annual turnover for the previous financial year, whichever is higher.


Finally, it should be added that e-shop operators are also subject to other specific regulations, such as Act No. 351/2011 Coll. on Electronic Communications and Act No. 22/2004 Coll. on electronic commerce, which must be taken into account when operating e-shops.

Sources:

Slovak Data Protection Authority: Obligations of e-shop operators from the perspective of personal data protection

Slovak Data Protection Authority: Inspection plan for 2021
