The Office for Personal Data Protection has announced its annual inspection plan for 2021, which includes e-commerce operators. Read on to find out what obligations e-commerce operators must fulfill in terms of personal data protection.
1.) The Correct Legal Basis for Processing
Under the GDPR, e-shop operators are classified as personal data processors. The mere fact that operators collect, record, or store customers’ personal data constitutes processing. It is important that every instance of processing be based on a specific legal basis. When e-shop operators process customers’ personal data, the following legal bases may be used:
- pursuant to Article 6(1)(c) of the GDPR, under which the processing of personal data is necessary for compliance with a legal obligation to which the controller is subject;
- pursuant to Article 6(1)(b) of the GDPR, where processing is necessary for the performance of a contract concluded with the customer;
- pursuant to Article 6(1)(a) of the GDPR, under which the customer must give consent prior to the first processing of their data, for example for marketing purposes such as sending newsletters, periodic materials, etc.;
- pursuant to Article 6(1)(f) of the GDPR, where processing is necessary for the purposes of the controller’s legitimate interests, which arise, for example, when providing information about the delivery of goods in which the customer has previously expressed interest and has personally requested information regarding their availability.
2.) Data Minimization
Some controllers collect personal data on a large and often unnecessary scale. We can argue that they do so based on a “nice-to-have” judgment. The controller should process only such personal data as is necessary to achieve the specific purpose of the processing. If a customer gives their explicit consent to the processing of personal data for the purpose of receiving marketing flyers, they likely do not expect that, in addition to basic data such as first name, last name, email address, or phone number, the controller will also ask for information about their clothing size.
3.) Transparency and Duty to Inform
If a controller collects data about customers, they should always be informed of the purpose for which it is collected, the scope of the data collected, how long it is intended to be retained, and to whom the data is further disclosed. This concerns transparency and compliance with the duty to provide information pursuant to Articles 13 and 14 of the GDPR.
Fulfilling this obligation includes, for example, creating a section on the controller’s website titled “GDPR,” “Privacy Policy,” or “Terms of Privacy,” where customers can find relevant and up-to-date information on how their personal data is processed for the specific purposes of the e-shop. Part of the information obligation is also for the operator to inform its customers of their rights as data subjects, particularly the right to object to processing for direct marketing purposes or the right to withdraw consent to processing.
4.) Retention Period for Personal Data
E-shop operators should ensure that they do not retain customers’ personal data for longer than is necessary for the purpose of processing or as required by the Records Act. If a customer withdraws their consent to the processing of personal data for the purpose of sending marketing offers, the operator is obligated to cease that specific method of personal data processing upon the withdrawal of such consent. The retention period for personal data is therefore closely linked to the specific purposes of processing.
5.) Records of Processing Activities
Every e-shop operator is required to maintain records of processing activities in relation to the processing activities they perform. These include, for example, marketing, loyalty programs, regular contests, and orders for goods or services. Records of processing activities may be in electronic or paper form. The operator submits records of processing activities to the Office for Personal Data Protection in the event of an inspection. They are therefore not intended for publication.
6.) Data Protection Officer
If the main activities of the e-shop operator are processing operations that require regular and systematic monitoring of data subjects on a large scale, it is necessary to appoint a data protection officer in accordance with Article 37 of the GDPR, who will be responsible for ensuring compliance with the GDPR as well as national legislation. The role of the data protection officer is to take over the management of personal data protection and thus relieve the controller of its obligations under the GDPR.
7.) Processor
If e-shop operators decide to engage a processor in personal data processing activities and entrust them with processing customers’ personal data—for example, to evaluate a consumer contest or send regular newsletters—it is important to ensure the appropriate selection of a processor. Operators must enter into a personal data processing agreement with the processor, and the processor must guarantee compliance with the conditions set forth in Article 28 of the GDPR.
8.) Security of Personal Data Processing
E-shop operators are required to implement appropriate technical and security measures to ensure the protection of customers’ personal data being processed. Such measures must be implemented before the first processing of personal data, for example by password-protecting computers in accordance with certain minimum security standards, ensuring the protection of customer data with antivirus software, (where required) designating a data protection officer, securing automated and non-automated systems, and so on.
Penalties
The Office for Personal Data Protection imposes fines depending on the circumstances of each individual case, with the amount ranging up to EUR 10,000,000, or in the case of a company, up to 2% of the total worldwide annual turnover for the previous fiscal year, whichever amount is higher.
Finally, it should be noted that e-shop operators are also subject to other specific regulations, e.g., Act No. 351/2011 Coll. on Electronic Communications and Act No. 22/2004 Coll. on Electronic Commerce, which must be taken into account when operating e-shops.
Sources:
Slovak Data Protection Authority: Inspection plan for 2021