On 25 May 2018 the General Data Protection Regulation (GDPR) became applicable across the EU and, a few months later, on 7 December 2018, Spain's Organic Law on Personal Data Protection and Guarantee of Digital Rights (LOPD-GDD) entered into force. The main objective of both is to regulate how personal data are processed, online and offline, and to safeguard the privacy of the people those data belong to.

Since then, every online store in the European Union has been required to comply with the GDPR, and stores operating in Spain must also comply with the LOPD-GDD, in order to protect users' privacy in the online world.

Companies that process personal data and do not comply face administrative fines of up to 10 million euros or 2% of worldwide annual turnover, or up to 20 million euros or 4% of worldwide annual turnover (whichever amount is higher), depending on which obligations are breached. The severity and duration of the infringement, and the company's cooperation with the supervisory authority, are weighed when setting the amount.

So if you have just set up an e-commerce or e-business, you need to know that compliance with both regulations is mandatory, and at AYCE Laborytax we will explain how to adapt your online store to the GDPR and the LOPD-GDD to avoid multi-million-euro fines. Take note!

Tips to adapt your online store to GDPR and LOPD-GDD

Legal Notice, Privacy Policy and Cookie Policy

The first step in adapting your online store to the GDPR and LOPD-GDD is to publish a legal notice, a privacy policy and a cookie policy, as required by the data protection rules and the LSSI (Law 34/2002 on information society services):

  • Legal Notice:

The legal notice must identify who owns the website: the owner's name or company name, the tax identification number (NIF or CIF) of the online store, its postal address and an email address.

  • Privacy Policy:

The privacy policy must explain how personal data are processed: which data are collected, where and for what purposes they are used, the legal basis (including the consent you obtain from users), whether the data are passed on to third parties, how long they are kept, and how users can exercise their rights.

  • Cookie Policy:

You must also inform users of the cookies used on your online store, together with their purpose and how long they last, and obtain the user's consent before setting any cookie that is not strictly necessary for the service they requested.

Processing of personal data indispensable for your online store

The GDPR and the LOPD-GDD make it clear that you may process only the personal data that are genuinely necessary for your activity, and you must be able to justify each item you collect. For example, if you run an online sports shoe store, you may process data closely related to selling and delivering shoes, but not unrelated data such as marital status or health problems (the latter is a special category of data that needs extra justification and protection).

User consent is indispensable

With the entry into force of both regulations, the user's consent is indispensable whenever consent is the basis for processing their data. That consent must be clear and unequivocal, given by an affirmative act of the user, so the traditional pre-ticked boxes that counted as consent unless the customer unticked them, common before the GDPR and the LOPD-GDD, are no longer valid.

You must also state the use that will be made of the data. Consent has to be granular: if you want to process data for several distinct purposes (for example, sending marketing emails and sharing data with partners), each purpose needs its own unticked box, and the user must be able to withdraw consent for any of them as easily as it was given.
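The following is an added example of how the consent rules above translate into code; it is not code from the original article or from AYCE Laborytax. It assumes a store that asks for three optional purposes (the purpose names, the form field names and the policy version string are assumptions). It relies on the fact that a browser does not submit an unticked checkbox at all, so a purpose counts as granted only when its own field arrives with a truthy value; a bundled "accept everything" field is deliberately ignored, and every grant or withdrawal is kept as an audit trail with the policy version the user saw.

```python
"""Granular opt-in consent capture for an online store (illustrative code,
not from the article). Purpose names, form field names and the policy
version are assumptions for the example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# The purposes the store wants consent for, in the wording the user sees.
# Assumed purposes; a real store's list will differ.
PURPOSES = {
    "marketing_email": "Send me offers and news by email",
    "third_party_sharing": "Share my data with partner brands",
    "profiling": "Personalise recommendations based on my purchases",
}

# Values browsers send for a ticked checkbox. An unticked box is simply not
# submitted, so absence must mean "no consent"; there is no "yes" default.
_TRUTHY = {"on", "yes", "true", "1"}


def render_consent_fields() -> str:
    """HTML for the consent boxes: one per purpose, none of them pre-ticked."""
    return "\n".join(
        f'<label><input type="checkbox" name="consent_{p}"> {text}</label>'
        for p, text in PURPOSES.items()
    )


@dataclass
class ConsentRecord:
    user_id: str
    policy_version: str            # version of the privacy policy shown
    granted: Dict[str, bool]       # purpose -> bool, one entry per purpose
    recorded_at: datetime
    events: List[Tuple[datetime, str, str]] = field(default_factory=list)

    def has_consent(self, purpose: str) -> bool:
        # A purpose the store never asked about has never been consented to.
        return self.granted.get(purpose, False)

    def withdraw(self, purpose: str, when: Optional[datetime] = None) -> None:
        # Withdrawal must be as easy as giving consent, and is logged too.
        when = when or datetime.now(timezone.utc)
        self.granted[purpose] = False
        self.events.append((when, "withdrawn", purpose))


def parse_consent_form(user_id: str, form: Dict[str, str], policy_version: str,
                       when: Optional[datetime] = None) -> ConsentRecord:
    """Build a consent record from the submitted form fields.

    A purpose is granted only if its own field was submitted with a truthy
    value. Any other field (including an "accept_all" style field) is
    ignored, because bundled consent is not granular consent.
    """
    when = when or datetime.now(timezone.utc)
    granted = {}
    for purpose in PURPOSES:
        value = str(form.get(f"consent_{purpose}", "")).strip().lower()
        granted[purpose] = value in _TRUTHY
    record = ConsentRecord(user_id, policy_version, granted, when)
    for purpose, ok in granted.items():
        if ok:
            record.events.append((when, "granted", purpose))
    return record


if __name__ == "__main__":
    # Constructed form submission: user ticked only the marketing box and the
    # page also sent a bundled "accept_all" field, which must not count.
    submitted = {"consent_marketing_email": "on", "accept_all": "on"}
    rec = parse_consent_form("user-42", submitted, "privacy-policy-2019-01")
    print(rec.granted)          # only marketing_email is True
    rec.withdraw("marketing_email")
    print(rec.has_consent("marketing_email"), rec.events)
```

The record should be stored alongside the customer account so that, when a user exercises their right of access or the AEPD asks for evidence, you can show what was consented to, when, and under which version of the privacy policy.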

Data retention

You must also store the data users provide in an organised way that matches the purpose they were collected for, so that when a user asks to access their data or requests a copy of it (the rights of access and data portability), you can respond within the one-month deadline the GDPR sets.

You must record the activities

You will also be required to keep a record of the processing activities you carry out in a document that must be available to the AEPD on request and kept permanently up to date, and that must include the following:

  • The categories of personal data you record.
  • The purposes the collected data are used for.
  • Where the data are stored.
  • Whether the data are disclosed to third parties or transferred to countries outside the EU.
  • The means by which the data are processed and the security measures applied to them.

Duty to inform

You must also give users the following information before collecting their data:

  • Identity and contact details of the data controller (the business responsible for the processing).
  • Contact details of the Data Protection Officer, if one has been appointed.
  • Purpose of the processing and the legal basis for it.
  • Who the recipients of the data will be.
  • How long the data will be kept.
  • Whether the data will be transferred to countries outside the EU.
  • The rights the user has and how to exercise them.

All of this information must be set out in writing, in clear and plain language, in the document the customer sees when giving consent (the privacy policy or the consent form itself), so that there is no room for confusion.

The Figure of the Data Protection Officer (DPO)

With the entry into force of the GDPR comes the figure of the Data Protection Officer (DPO), a professional whose job is to monitor and ensure compliance with data protection rules, to advise the company, and to act as its point of contact with the AEPD.

For certain companies appointing a DPO is mandatory; for the rest it is optional.

Notification of security breaches

Another key point in adapting your online store to the GDPR and LOPD-GDD is the handling of personal data breaches. You must notify the AEPD within 72 hours of becoming aware of a breach, unless it is unlikely to pose a risk to the people affected, and when the breach is likely to pose a high risk to them you must also inform the affected users without undue delay. In every case you must keep an internal record of the breach, its effects and the remedial action taken, even when no notification was required.

In short, if you have an online store you need to adapt it to the GDPR and the LOPD-GDD to guarantee the confidentiality and correct processing of your users' personal data. Otherwise you may face fines of up to 20 million euros or up to 4% of your e-commerce business's worldwide annual turnover.