The GDPR is just around the corner: the new regulation comes into force on Friday, May 25, 2018. Experts in the public debate advise companies to take the issue seriously, but at the same time not to panic, as an audit by supervisory authorities is usually announced. So make sure that all personal data is protected.
We explain below how you can use your JTL products in such a way that you are likely to receive a positive assessment in the event of an audit. We say "likely" because there are no rulings on the new law yet. Instead, it remains to be seen throughout Europe which measures will ultimately be deemed appropriate and which will not.
Measure 1: Agree to the data processing agreement!
If you have already logged into your JTL-Customer Centre in the past week, you will have come across the data processing agreement (DPA). To ensure that JTL can continue to work with you within the framework of the GDPR, it is imperative that you read the contract and agree to it.
Step 1:
Log in to the JTL-Customer Centre. The DPA is displayed there directly.

Step 2:
Check the pre-filled data. Make sure that you, as the responsible entrepreneur, are entered there, and not your accountant or your system admin. If the data is incorrect, you have the option of changing it in the menu item “My account” under “Company data”.

Step 3:
If available, enter your GDPR authorized representative in the info box at the top. Add a new employee in the “Employees – Contacts for JTL” dialog or select an existing employee. In the following contact window, check the box “This person is an authorized representative within the meaning of the GDPR”.
Step 4:
Save your settings. All changes are automatically transferred to the draft contract.
You have already agreed to the contract? Good. If you would like to read the contract again at a later date, you can find it in the JTL-Customer Centre under the “My account” tab in the “My contracts” section.
Do not forget: Agree to the contract!
In order to avoid a violation of the GDPR in our cooperation, please log in to the JTL-Customer Centre by May 25 and agree to the DPA. Of course, you can still agree to the contract at any time after this deadline.
DPA in the JTL-Customer Centre
Measure 2: Stay informed about important updates!
If you would like to continue receiving system-relevant information and / or newsletters from us, please also log in to the JTL-Customer Centre and renew your consent there. Otherwise, we will no longer be able to send you newsletters in the future in accordance with GDPR. You can find the newsletter settings in the menu item “My account” under “Newsletter”.
You can now decide which JTL information channels you would like to receive e-mail from:
- International information
- Products information
- Stationary trade
- Fulfillment Network
- CDD Information
- Event information
- Critical information (only for existing customers)

Please note: You cannot unsubscribe from the “Critical information” channel. In this channel we inform you about important update information and security notices for your active products.
If you would like to be informed about new products in the future or receive invitations to our events such as JTL Connect, you can activate and deactivate the associated channels at any time.
Newsletter management in the customer center
Measure 3: Adapt data protection information in the store!
You should also urgently update your online store’s privacy policy by May 25, as this can be easily checked by outsiders.
For this purpose, there are numerous generators for corresponding texts on the Internet, some of which are available free of charge. We strongly advise you to update your privacy policy!
Example search term: Privacy notice generator
GDPR for JTL products
In cooperation with our data protection officer, we have evaluated all data protection issues relating to the use of JTL solutions. The resulting tips, which we present to you below, are for your information only and do not constitute legally binding advice.
For legally binding statements on the EU GDPR, please contact your own legal counsel. JTL cannot take on this role for you.
Measure 4: Update JTL-Wawi
JTL-Wawi has been GDPR-compliant since version 1.3.17.0, and the latest version 1.3.17.1 includes additional functionalities to make it even more compliant.
Right to be forgotten & erasure
You can use the standard “Delete” function in JTL-Wawi to remove customer data that is not relevant to invoices at any time. However, invoice-related customer data may not be deleted, as invoices must be stored for 10 years in Germany. You do not need to update to the latest version of JTL-Wawi for this.
Right to information
Customers can ask you what data you store about them and for what purpose. In the latest version of the ERP system, there is now a menu item “Customers > Check > Personal data”. A print template is generated here on request, which you can save as a PDF and send to the customer.
What data does JTL-Wawi store?
On our help page in the JTL-Guide you will always find up-to-date information about which personal data is stored in JTL-Wawi:
Measure 5: Check settings in the JTL-Shop
What data does JTL-Shop store?
You can also find detailed information for our store system documented in the JTL-Guide:
Useful explanations & tips
We have also put together a range of useful information that you should be aware of. This includes frequently asked questions about:
- Transport encryption
- Application security
- Privacy by design / default settings
- Being forgotten
- Right to erasure
- Right to information
- Data portability
- Session cookies
- Google Analytics
- Google reCAPTCHA
- Legally compliant contact forms
Measure 6: Secure the database connection
Even though the databases are not based on JTL’s own software but on Microsoft SQL Server, we have nevertheless put together some tips. The focus is on the encryption of the SQL Server and other adjustments to make the database GDPR-compliant.
With the above tips, you should be able to meet the requirements of the GDPR in some areas. However, we would like to point out once again that these tips are not legally binding. Your legal advisor is the appropriate contact in this case.
Information: Measures taken by JTL
For our hosting customers
For merchants who use one of our hosting services, we have also briefly summarized the most important measures that JTL has taken in-house:
- As JTL-Wawi currently offers no option to choose between an encrypted and an unencrypted connection, we have decided to enforce encryption on the server side. This means that encryption is always active for JTL SQL hosting.
- Data from hosting packages that have been canceled will be completely removed after 21 days at the latest.
- Log files on store access (i.e. IP address, date, time) will be automatically overwritten after 7 days.
- In addition to decentralized backups, we also keep backups directly on the server. These will be deleted after 7 days at the latest.
JTL-OneTimeLink (OTL)
In future, access data can only be transmitted via the “JTL-OneTimeLink” tool. OTL enables you and us to exchange sensitive data online via a one-time link. As soon as the recipient has received their data, it will be irrevocably deleted. So if we need temporarily valid access data for interfaces (e.g. a login for the back end of the JTL-Shop or the login of JTL-Wawi) in the future for troubleshooting, this data will only be requested via OTL.
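The one-time-link principle described above, as an added Python sketch; it is not JTL's OTL implementation and not code from this page. The class name `OneTimeStore`, its methods and the sample payloads are assumptions constructed for illustration.

```python
import hashlib
import secrets
import time


class OneTimeStore:
    """In-memory store: each secret can be fetched exactly once via its token."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be exercised
        self._items = {}             # sha256(token) -> (expires_at, payload)

    @staticmethod
    def _key(token):
        # Only a hash of the token is kept, so a dump of the index
        # does not reveal working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def put(self, payload):
        """Store payload and return the unguessable token for the link."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._items[self._key(token)] = (self._clock() + self._ttl, payload)
        return token

    def redeem(self, token):
        """Return the payload once; None if unknown, already used or expired."""
        # pop() removes the entry before anything is returned, so a second
        # request with the same token finds nothing.
        entry = self._items.pop(self._key(token), None)
        if entry is None:
            return None
        expires_at, payload = entry
        if self._clock() > expires_at:
            return None                     # expired: deleted, never delivered
        return payload


def demo():
    now = [1000.0]                          # constructed clock for the demo
    store = OneTimeStore(ttl_seconds=600, clock=lambda: now[0])
    t1 = store.put("shop-backend-login: constructed-sample")
    first = store.redeem(t1)
    second = store.redeem(t1)               # link already consumed
    t2 = store.put("wawi-login: constructed-sample")
    now[0] += 601                           # let the link expire unread
    expired = store.redeem(t2)
    return first, second, expired


if __name__ == "__main__":
    print(demo())
```

With a database behind such a service, the delete-and-return step has to be a single atomic operation, otherwise two simultaneous requests could both receive the data.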
