Table of contents
- What is and how do we implement GDPR (General Data Protection Regulation)?
- GDPR: Consent regarding the storage of data and the purposes for which they will be used
- GDPR: Security of personal data
- DPO – Data Protection Officer
- Sanctions in case of non-compliance with the regulations provided by the GDPR
- GDPR online – Blogs, online stores or other websites
- What are personal data?
Let's see how we implement GDPR on an online store or website, following the European Union regulation that has started to make waves among owners of websites and blogs, and especially among companies that run online stores or other platforms that collect, store and process users' personal / confidential data.
What is and how do we implement GDPR (General Data Protection Regulation)?
The application of the GDPR (General Data Protection Regulation) from May 25, 2018 implies major changes in how personal data are stored and handled by organizations and companies. As everyone has understood by now, the new regulation imposes strict rules on companies and natural persons that store the personal data of clients, users, business partners or any other persons they interact with. The law applies both online and offline, giving the people whose data are stored and processed more transparency and control.
With the introduction of the GDPR, any person has the right to know whether a company is processing their personal data, the purpose for which the data are used and how the data are secured so that they do not reach third parties or other entities. At the same time, people are given access to the stored information, with the possibility of modifying or even deleting it.
GDPR: Consent regarding the storage of data and the purposes for which they will be used
According to the GDPR, people must be properly informed when they give their consent for data processing. The processor must tell the person which data will be stored and must ask for consent separately for each purpose the data will be used for. A good example is the consent form Orange Romania sent to its customers: explicit agreement is required if the personal data are to be used for marketing, for sending the company's own offers, for sending offers from partners and collaborators, for market studies, etc.
Before the GDPR, things were completely different. A checkbox ticked by default allowed the processor to use our personal data for whatever purposes it wanted, without being held responsible.
If you have ever been contacted by N medical insurance or other insurance companies after opening a bank account, this will no longer happen after the GDPR enters into force, unless you expressly state that you want offers from the bank's collaborators and partners. If you gave your consent and later changed your mind, the processor must provide a way for you to withdraw it very simply, at any time.
In the coming period, banks will also have to send notifications to all their customers asking for consent to store and process personal data.
The same consent must also be obtained by online stores, websites that store personal information, forums and any other online platforms that store user data.
Take the case of online stores: whether or not you have an account on that store, you will be informed from your first visit about the data stored about you: the types of HTTP cookies the website sets, the online behaviour tracking codes it embeds (Google Analytics, Google AdSense, Facebook, etc.), the logs in which your IP address is stored, and any other information related to your online identity.
When you choose to order a product, the company that owns the online store will not ask you for more personal data than is necessary to process your order, and will not use your e-mail address or phone number for marketing purposes unless it has obtained your consent for these practices. If you created an account when placing the order, you have the right to access, modify or delete your account data at any time.
Subscribing to newsletters will be done only with the explicit consent of the user, who has the option to unsubscribe at any time.
Another important requirement of the GDPR is the period for which personal data may be stored. They can no longer be kept indefinitely, as they were until now, but only for a defined period of time.
GDPR: Security of personal data
The GDPR places great emphasis on the security of users' private data. The company must ensure high security standards, in proportion to the sensitivity of the stored data: pseudonymization, encryption and a clear designation of the personnel who will have access to personal data. The company will notify the authorities of the persons designated to process and handle personal data. Pseudonymization means processing personal data in such a way that they can no longer be attributed to a specific person without the use of additional information, provided that this additional information is stored separately and is subject to technical and organizational measures ensuring that the personal data are not attributed to an identified or identifiable natural person.
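The pseudonymization described above can be illustrated with a small working model, added here as an example and not taken from the article or any real shop: the working data set keeps only tokens in place of the identifying fields (e-mail, IP address), while the one table that can link a token back to a person is held in a separate "vault". The vault is in-memory so the example runs offline; in practice it would be a separate store with its own access control. All orders, names and IP addresses are constructed sample data. The same structure also services the access and erasure requests mentioned earlier in the article: a person's orders can be listed through their token, and erasing the link leaves the remaining records attributable to nobody.

```python
"""Pseudonymization with the re-identification data held apart.

Added example (not from the original article): the working data set keeps
only tokens in place of identifying fields, and the single table that links a
token back to a person lives in a separate 'vault'.  All records, names and
IP addresses below are constructed sample data.
"""
import secrets
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample orders (fictional people, documentation-range IPs).
SAMPLE_ORDERS: List[Dict[str, str]] = [
    {"email": "ana@example.com", "ip": "203.0.113.7", "order": "ORD-1001", "total": "45.90"},
    {"email": "ion@example.com", "ip": "198.51.100.23", "order": "ORD-1002", "total": "12.00"},
    {"email": "ana@example.com", "ip": "203.0.113.7", "order": "ORD-1003", "total": "99.99"},
]

# Fields that make a natural person identifiable; they never stay in the working set.
IDENTIFYING_FIELDS = ("email", "ip")


class IdentityVault:
    """The 'additional information' that must be stored separately: the only
    place a token can be turned back into a person.  In-memory here so the
    example runs offline; in production it would be a separate store with its
    own access control and audit trail (an assumption of this example)."""

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}  # "field:value" -> token
        self._reverse: Dict[str, str] = {}  # token -> "field:value"

    def pseudonym(self, field: str, value: str) -> str:
        """Return the token for a value, minting one on first sight."""
        key = f"{field}:{value}"
        if key not in self._forward:
            # A random token, not a hash: a plain hash of an e-mail or IPv4
            # address could be reversed by guessing inputs; a token cannot.
            token = f"{field}-{secrets.token_hex(8)}"
            self._forward[key] = token
            self._reverse[token] = key
        return self._forward[key]  # same input -> same token while the link exists

    def token_for(self, field: str, value: str) -> Optional[str]:
        """Look up an existing token without minting a new one."""
        return self._forward.get(f"{field}:{value}")

    def reidentify(self, token: str) -> str:
        """Only callers with vault access can do this; KeyError once the link is gone."""
        return self._reverse[token].split(":", 1)[1]

    def erase(self, field: str, value: str) -> bool:
        """Erasure request: drop the link.  The working set keeps its tokens,
        but they are now attributable to nobody, and any later record for the
        same person gets a fresh, unrelated token."""
        token = self._forward.pop(f"{field}:{value}", None)
        if token is None:
            return False
        del self._reverse[token]
        return True


def pseudonymize(records: List[Dict[str, str]], vault: IdentityVault) -> List[Dict[str, str]]:
    """Working copy of the records with identifying fields replaced by tokens."""
    out = []
    for rec in records:
        clean = dict(rec)  # do not mutate the caller's data
        for field in IDENTIFYING_FIELDS:
            if field in clean:
                clean[field] = vault.pseudonym(field, clean[field])
        out.append(clean)
    return out


def orders_of(records: List[Dict[str, str]], vault: IdentityVault, email: str) -> List[str]:
    """Access request: a person's orders, found through their token."""
    token = vault.token_for("email", email)
    if token is None:
        return []
    return [r["order"] for r in records if r["email"] == token]


def requests_per_client(records: List[Dict[str, str]]) -> Counter:
    """Abuse statistics still work on tokens: records per pseudonymized IP."""
    return Counter(r["ip"] for r in records)


if __name__ == "__main__":
    vault = IdentityVault()
    work = pseudonymize(SAMPLE_ORDERS, vault)
    print(work[0])                                    # tokens instead of e-mail / IP
    print(orders_of(work, vault, "ana@example.com"))  # ['ORD-1001', 'ORD-1003']
    print(vault.erase("email", "ana@example.com"))    # True
    print(orders_of(work, vault, "ana@example.com"))  # [] after erasure
```

The design choice worth noting is the random token instead of a hash of the e-mail or IP: e-mail addresses and IPv4 addresses come from a small enough space that an unkeyed hash can be reversed by guessing, so the only way back to the person should be the separately stored table. Because the same input maps to the same token while the link exists, statistics such as orders per customer or requests per client still work on the pseudonymized set without anyone outside the vault seeing the real identifiers.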
In the case of a security breach, the company must notify both the competent authorities and the persons affected by the leak within 72 hours. An impact report will also be drawn up, assessing the risks and damage caused to the people whose information was stolen or leaked to third parties.
DPO – Data Protection Officer
As many women already knew, “DPO” no longer means “Days Past Ovulation” but “Data Protection Officer”. The name sounds very pompous, but every company must designate a DPO who ensures that data are correctly collected, stored, used only for the purposes for which consent was obtained, and kept safe. In practice, the DPO must make sure that the organization that hired him complies with the rules imposed by the GDPR. He will also be the link between the organization and the state's control authorities.
Who can be a DPO? Well, from what we understand, the DPO cannot be a person from within the company, because that would be a conflict of interest. It must be a person from outside the company, with thorough knowledge of European legislation, national legislation and IT data storage techniques. It can be a lawyer with IT knowledge, or a server administrator who learns the legislation.
Regarding the DPO / GDPR, many companies “specialized” in this legislation appeared online overnight, some with years of “experience” in implementing regulations that did not even exist before 2016. It is useful to see how we implement GDPR on a website.
Companies that receive such offers from firms or persons presenting themselves as GDPR experts and DPOs should pay extra attention. Most of them were created only to exploit this new regulation in order to increase their revenue. So, be careful if you represent a company and have received such offers.
Sanctions in case of non-compliance with the regulations provided by the GDPR
If we do not know how to implement GDPR on a website, the sanctions are applied equivalently in all countries of the European Union by the competent administrations of each country. These sanctions will be applied gradually, depending on the seriousness and the impact of the non-compliance with the GDPR regulation. From what we understand, these sanctions can reach up to 4% of the turnover of the company targeted by the sanction. Sanctions can be challenged and can be the subject of legal proceedings.
GDPR online – Blogs, online stores or other websites
A recent WordPress update aimed at bringing into compliance everyone who uses this platform for their online presence. Every website that stores personal data must have a “Terms and conditions” page and a “Privacy policy” page that inform users of the following:
- Who owns the website or online store
- Which personal data are collected, and why
- Cookies – the cookies used by the website are listed, including those of social networks and analytics services (Facebook, Google Analytics, Twitter, etc.)
- Which third parties have access to the personal data, and for what purposes
- Contact data of the company that owns the website / online store
- The period for which personal data are kept
- Simple methods by which users can delete or export their personal data from the site
- How the stored personal data are protected
- The rights and obligations of the users
All the points above should be covered by every website in its “Privacy policy” section.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) – EUR-Lex.
What are personal data?
Any information by which a natural person becomes identifiable, such as: name, telephone number, e-mail address, location, the address of the computer / smartphone / tablet, the MAC address of the network card, and physical, physiological, genetic, mental, economic, social, political and other characteristics.
If you have additions or questions about how we implement GDPR, you can leave us a comment.

It is, however, very unclear who is responsible, and to what extent, in the case of a simple blog hosted on platforms like WordPress.com, blogspot.com (or even blogspot.ro, for a while) etc.
Let's remember:
– The site is WordPress.com (for example – which is only American)
– un_nume_orcare.wordpress.com is a sub-domain !!!
WordPress makes progress but, to top it off, gives the blog “owner” the IP address of a commenter !!! (As, in fact, you can see mine.) Even the e-mail address – what do you need it for?
So how is it?
Welcome! I don't think it is WordPress that provides users' IP addresses, but the server. The WordPress code does nothing but pull a query from the server.
Obviously, a user cannot access a website if there is no interaction between his computer and the host server. An interaction based on IP addresses.
I did not understand the point about WordPress.com and the sub-domains, but I will answer the question about the e-mail address and why it needs to be visible to the “master”.
1. The e-mail address is required for a conversation. If you had not entered an e-mail address, you would not have been notified that I answered you. As long as I do not sell it, do not send newsletters and do not disclose the e-mail address to any third party, I do not see it as a problem.
We will soon update the privacy policy.
2. The IP address appears automatically in the server logs for all visitors, whether they are human visitors or robots / bots.
It is very useful for limiting the access of malicious people or software and for establishing the source of unwanted incidents.
P.S. No one forces you to use a personal e-mail address or real name on the sites.
PS2. I believe that someone must answer, only if they violate codes of good practices and the anti-spam policy. :)