
Answers to frequently asked questions about the GDPR from the IT law firm

General data protection regulation – am I affected as a retailer, and what do I have to do? Many online retailers have recently been asking themselves, and our partner IT-Recht Kanzlei, how they can or must comply with the requirements of this regulation. In this guest article, IT-Recht Kanzlei therefore answers some of the more general frequently asked questions about the GDPR.

Question: Does the GDPR only apply to online business?

No. The GDPR applies to all bodies (both public authorities and companies) that process personal data in any form. Online business is one use case, but there are countless others. Some examples are: companies when dealing with employees; the activities of credit agencies; research institutions when dealing with studies; the broadcasting contribution

Question: Does the GDPR also apply to data collected before 25 May 2018?

In principle, yes, but with a few exceptions.

If data processing operations were completed before the GDPR came into force, they may only be carried out again after that date on the basis of a justification in accordance with the GDPR. In practice, however, the impact of this principle is limited: the justification grounds of the previous data protection law largely correspond to those of the GDPR, so a data process that was lawfully justified before 25 May 2018 will, as a rule, also have a justification under the GDPR if it is carried out again after that date.

Specifically for data processing based on explicit consent, the privilege also applies that consent obtained before 25 May 2018 remains valid under the GDPR.

Data processing operations that began before the GDPR came into force on 25 May 2018 had to be brought into line with it by that date at the latest. In principle, the GDPR thus at least allows the legality of old data processing operations to survive, subject to the restriction that these processing operations also comply with the provisions of the GDPR from 25 May 2018 onwards.


Question: Who is the right "responsible party" in online business?

In principle, the controller is the person who has the main decision-making authority over the processing of personal data. It does not matter whether this is a natural person or a legal entity (company).

There is therefore a limited right of choice in online trading: the data controller is primarily the online retailer themselves as an individual. However, if they run a company (GmbH, GbR, etc.), they can also designate the company as the controller. Alternatively, they can name the managing director, or themselves in their function as the owner of the company, as the controller instead of the company.

Detailed information on determining the person responsible can be found in this article.

Question: Are smaller online retailers affected by the general data protection regulation at all?

Yes. The general data protection regulation (GDPR) applies to anyone who processes the personal data of third parties and does so for reasons other than personal or family reasons. The previously applicable German data protection law exempted small retailers from the obligations of larger online companies. Unfortunately, under the future GDPR, small online retailers will also be subject to the extensive requirements of the GDPR.

As a general rule, smaller retailers who sell products online and collect and process customer data are just as bound by the GDPR as wholesalers.

Small businesses are only privileged in that they do not have to appoint a data protection officer.

Question: What are the main obligations under the GDPR that small online retailers have to fulfill?

The two most important duties are:

  1. The retailer must inform its customers – as well as visitors to its website – about the collection and processing of their personal data and about their rights in a privacy notice.
  2. The retailer must keep a so-called procedure directory for the supervisory authorities.

Duty no. 1

In which cases is personal data collected and processed?

Here are a few examples:

  • During the ordering process, customer data is collected that the online retailer needs to process the order.
  • The online retailer may wish to inform its customers about its products by means of a newsletter.
  • Data is passed on to third parties, for example the delivery address to the transport company.
  • The payment process is left to special service providers.
  • The retailer wants to learn more about the preferences of its customers via advertising partners such as Google or others.

What rights do users and customers have?

On the one hand, they have a comprehensive right to information about what happens to their data. On the other hand, they have many further rights, such as the right to request information about the data held on them or its deletion. Comprehensive information must be provided about these rights.

Duty no. 2

The procedure directory

In future, small online retailers will also have to keep a written list of procedures relating to their processing of personal data and their data security measures, which they can make available to the supervisory authorities on request.

They can also keep this directory in an electronic format, for example as a Word document. Unfortunately, the requirements of the GDPR in this context are extremely extensive and difficult to read.

As far as data security measures are concerned, the requirements for a small online retailer are definitely lower than for a larger online company.

The NRW data protection authority has now published information and templates for such directories (except for data security measures), which provide online retailers with guidelines on what such a procedure directory should look like.


Question: Does the GDPR also apply to trading on platforms (eBay, Amazon, etc.)?

Yes. Even if contact with customers on platforms is mediated via the platform operator, retailers process customers’ personal data here, for example in the context of orders and their processing (accounting, payment, shipping), but sometimes also in connection with advertising.

However, the necessary privacy notice for platform merchants is less extensive than that for a classic online store because the scope for designing and deciding on data processes on the platform (such as the choice of payment methods, the use of plug-ins and cookies and the use of tracking tools) is significantly limited.

From practice for practice - further questions on the practical implementation of the GDPR in online business

Since the practical implementation of the regulations often presents online retailers with considerable difficulties that legal experts are often unaware of, IT-Recht Kanzlei has asked its readers and clients to send us specific practical questions that have been answered in a comprehensive FAQ. This FAQ provides simple, practicable answers to what online retailers should know in connection with the GDPR.

The complete FAQ can be found here. Do you have any other questions that the FAQ doesn’t answer? Then please let us know so that we can add them to the FAQ.

Published on: 12 March 2018