General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) was approved by the European Parliament in April 2016 and comes into effect on 25 May 2018. This regulation is the biggest and most important piece of European legislation on privacy and data protection in the last two decades.

GDPR applies to any business or organization that processes or stores the personal data of European citizens, regardless of the country it operates from. The aim of the GDPR is to give all European citizens much greater control over their personal information and to force companies and organizations to take the handling and protection of their clients' personal data more seriously. The fines for non-compliance can reach up to €20 million or 4% of a company's turnover, which means the GDPR is not to be taken lightly.

An individual’s rights under the GDPR

The General Data Protection Regulation (GDPR) seeks to establish eight rights for individuals regarding the protection of their personal data.

1. Right to be informed: Individuals have the right to know who is processing and storing their personal data. They also have the right to know how you collect their data, for what purposes and for how long.
2. Right of access: Data subjects have the right to access the personal information about them that is saved in an organization's systems.
3. Right to rectification: An individual has the right to correct any stored personal information about them.
4. Right to erasure, also known as "the right to be forgotten": Individuals have the right to request the permanent deletion of their personal data.
5. Right to restrict processing: In certain circumstances, individuals can restrict organizations from processing their information and only allow them to store it.
6. Right to data portability: Individuals have the right to receive their information in a commonly used format, such as a CSV file, in order to transfer it to a different service for their own purposes.
7. Right to object: Individuals have the right to object to their information being used for direct marketing, research or statistics.
8. Rights related to automated decision making and profiling: The GDPR specifies when profiling and automated decision making may be used. Certain requirements must be met, one of which is the individual's explicit consent.

GDPR and our Customers

We are committed to protecting your data. If you have a website or eshop, our Privacy Policy explains how we use and store your data, including what we share with marketplace developers.

How can website owners prepare for the GDPR?

One of the most important issues that the GDPR attempts to address is that of consent. A user's consent can no longer be implied or inferred from her activity, or even from her inactivity.

The language used when asking for consent has to be simple and clear. The GDPR forbids long, hard-to-understand texts. You must clearly state the purpose for which you need the individual's data, as well as the approximate period for which you will be storing it.

The fact that a user has given her consent to a website does not mean that it cannot be revoked. The user has the right to revoke her consent easily, at any time.

Start by going through all the forms your website uses and make sure that the personal information you request from your users is absolutely necessary. Remove any fields that request information that is not needed for your specific purposes. This has the added benefit of improving your users' overall experience on your website.

You should also avoid any pre-selected checkboxes in your forms. Selection boxes for newsletters or marketing purposes should not be pre-selected but freely and consciously chosen by users.

Make sure you have procedures in place that allow you to easily amend or completely delete a person's data should they request it. You must also be able to export a user's data upon request in a commonly used file format (e.g. a CSV file). Remember that you are required to provide all of these services completely free of charge.

Having a Privacy Policy on your website has always been a legal requirement, but under the GDPR you will need to update it to inform your visitors of their new rights and to let them know what types of information you collect, how you use it and for how long.

If you use a Content Management System such as WordPress or Joomla to run your website, then you need to make sure that any extensions or plugins you use are also GDPR compliant. Many plugins make use of personal data in order to provide their functionality. You need to verify with the creators of these plugins that they are GDPR compliant.

Google Analytics is the most widely used service for gathering visitor data; website owners use it to study their audience's behavior and flow through their pages in order to improve their services. Since the data collected through Google Analytics is anonymous and cannot be used to identify individuals, it is acceptable to use it. You can also read what Google has to say here.

Do not forget, though, that according to Google's own policy, if you use Google Analytics on your website you must have a Privacy Policy posted on your site that makes this clear to your visitors, and you must also have their approval for using cookies.
About Social Media platforms

First, before going any further, it is necessary to clarify two key concepts of the General Data Protection Regulation (GDPR).

Controller: a natural or legal person who determines the purposes and the manner in which personal data are processed.

Processor: a natural or legal person, a public authority, a service or other entity that processes personal data on behalf of the "controller".

Social media platforms, acting as "controllers", are accountable for the processing of personal data relating to natural persons.

But there is a peculiarity or "exception" in this relationship.

When an advertiser feeds data directly to the platform for targeted marketing purposes, and for that purpose uses its own personal data file (such as email addresses, telephone numbers and names), then the platform takes on the role of "processor". This implies that the advertiser, who in this case is the "controller", must ensure compliance with the GDPR and is accountable for the personal data he actually uses for advertising and promotional purposes.

Companies that manage social media for third-party companies have a double role and should now be legally covered for the data their customers feed them.

New terms of use and privacy policies from platforms

Does your website/eshop store data?

The website or eshop store itself does not receive or store usage data unless you have opted in to our Usage Tracker.

The website or eshop store includes updates and tools for the GDPR that make it easier to handle Right to Access and Right to Erasure requests from customers.

Do extensions store data?

When it comes to services and extensions, including those built by third parties, things get a little more nuanced.
Learn how specific extensions, including payment and shipping gateways, store data.
If you build and sell extensions on our (or another) marketplace, review our checklist on how to make an extension GDPR-ready.

May the GDPR force be with you!

We trust these resources will be helpful as you navigate eCommerce in this brave new world of the GDPR and protected data. If you have any questions about personal data storage, please reach out to us.

Do you have questions? Contact us!

You can find an infographic page from the EU here.


This article contains general suggestions and recommendations regarding the GDPR and is by no means legal advice. If you want to be sure that your business or website is fully compliant with the GDPR, you need to get proper legal advice for your own particular case.