Be RODO compliant by implementing BOK customer service tools

Implement Chat in accordance with the current law

Written by Wioleta Jednaka
Updated over a week ago


Although it has been 4 years since RODO (GDPR) began to apply in Europe, its application still causes considerable controversy. Therefore, to meet your expectations, we at edrone are starting a series of recommendations that will help you not only recall the most important issues, but also implement changes in accordance with current standards and applicable law.

From this document you'll learn:

  1. What is a Privacy Policy, why is it important, and why should you update it urgently?

  2. When using Chat and INBOX, have you correctly described the basis for processing personal data in your own store?

  3. What specific changes should be made to be in compliance with the law?


Let's begin!

What is the Privacy Policy?

In the simplest terms: it's an instruction in which you describe in simple language what data you make available, for what purpose, for how long, and to whom, when a user uses your online store. It's important that everything is described in simple terms, and if you can, use infographics. Simpler is better.

There is no single template for a Privacy Policy. A very common mistake is to simply copy Privacy Policies from other stores or buy "ready-made" documents. This is wrong: there is no single model of privacy policy that applies to every store in the same way. However, there are standard issues that appear in the privacy policies of most websites. Each policy really should be tailored to the technology behind the site. After all, we use different tools, and stores are built on different platforms. So let's take a moment to show users what happens to their data when they use our services.

Let's get down to business.

First of all, indicate in your privacy policy on what basis you process personal data. The bases differ: for example, consent given by the user, a contract with the user, a legal obligation or your legitimate interests. But we will discuss the topic of legal bases another time. Based on our observations and experience, the bases in your service most likely include, among others:

  1. Performance of the contract by you (e.g. sale of a product or provision of an electronic service such as setting up an account on your website);

  2. The consent given by the customer, e.g. for sending your own commercial information to potential customers, i.e. those with whom you have no prior relationship. Remember that consent, once given, can always be revoked, and you must inform customers about this!

  3. Your legitimate interest (e.g. to analyze user traffic on your site, but also to market your own services to acquired customers, i.e. those who have, for example, created an account in your store or already bought a product).

How might that sound?

First example:

What are the legal bases for data processing?

  1. Firstly, the legal basis for our processing of your personal data is the contract concluded between us and the legitimate interests related to our business. We process your data only to the extent that it is necessary to properly perform the service we provide to you. In this case, we will process your data for as long as you use our services, and until the statute of limitations for any claims arising therefrom;

  2. Our legitimate interest will also be the legal basis for our processing of your personal data, e.g. for statistical purposes like analyzing user traffic on our site. Your data such as the content of your inquiries for offerings, bugs you report, or evaluation of our systems will allow us to improve tools such as chat, as well as marketing our own services/products to current customers/users. In order to best respond to your inquiries or reported issues, we also process information you may have provided during your chat with us, e.g. this may include personal information such as your email address, first and last name. This will allow us to improve the chat so that we can handle your inquiries more efficiently. In this case, we will process your data until you object, which you can do by contacting us.

  3. For marketing purposes, i.e. sending you - if you are not already our customer - our own commercial information, the basis for processing your data will be the consent you have given. All you have to do is check the appropriate box on the form during registration. You can revoke such consent at any time by clicking on the deactivation link included in every marketing message we send you. In this case, we will process your data until you withdraw your consent.

In addition to the basis for processing personal data, it's also useful to state who (other than your employees) has access to your data. Such entities are called "processing entities" or simply processors. Such an entity is, for example, a payment processing company, a courier company, or a company like edrone that provides you with tools to support the sales process. Simply identify them in your Privacy Policy. You may, but do not have to, list them by name. It is enough to specify their roles.

Second example:

Who has access to your personal information?

We provide your personal information to third parties only to manage purchases made by you online. It is received exclusively by:

  1. Companies that process your address;

  2. Communication agencies that send order confirmations;

  3. Warehouses and courier companies that deliver orders;

  4. Companies that process payments;

  5. Banks that verify your identity and creditworthiness when you buy on installments;

  6. Debt collection companies;

  7. Companies that provide tools to support the sales process within the online store (marketing automation), e.g. recommendation frames, chat functionality, newsletters.

You'll find out what else should be in the privacy policy in future posts. We'll be coming back to it more than once in the near future, especially in the context of the planned changes in 2022 related to what the providers of popular web browsers are preparing for us in terms of third-party cookies, such as Google Privacy Sandbox.

Stay tuned!

Chat and InBox

Responding quickly and efficiently to customer inquiries is absolutely fundamental to building credibility in their eyes, and is also the easiest way to gain their trust and loyalty. We have these values in mind as we add more functionality to the edrone system. Responsiveness, however, must go hand in hand with compliance with current standards, including data protection laws. Therefore, if you use our chat (or other proprietary solutions), we recommend that you let data subjects (i.e. your customers) decide and consent to whether they want to use the chat and allow you, and consequently us, to develop it, and thus provide an even better level of service for inquiries. If you use a chat service from a third-party provider, make sure it supports the legislator's current guidelines! This is especially important if you use chatbot solutions that learn and improve based on the content of user queries.

What should such a consent sound like?

Third example:


⌧ I consent to the processing of personal data for the purpose of improving the automated system for handling inquiries by XXX (e.g. the owner of the store) under the terms of the Privacy Policy [link to example 1]:

Full text of the clause:

Start chat 💬

We believe there should be as little content as possible when we need to ask someone for permission to process personal data. First, this is indirectly required of us by RODO; second, it is then clearer for users. Such an approach is called layered implementation of the information obligation. In other words, the idea is that the basic information is available from the moment the data subject decides whether to entrust someone with their data. The rest of the information is placed in the privacy policy. That's why this document is so important.

If you don't know how to do it yourself, don't hesitate to get back to us. We will be happy to help your organization better fulfill its statutory obligation.


Today you learned why a privacy policy document is important, what issues you should pay attention to, and what the consent text should be if you collect it (and in our opinion you should) when using a chat/inbox. Next time we'll tell you what else should be in your privacy policy and describe the changes related to the new electronic communications law.

If you have any questions about RODO, feel free to write to our Support Department: