When starting your adventure with edrone, you need to complete a few simple formalities. This includes measures related to data privacy compliance. GDPR has been formally applied throughout the European Union since 2018, and indirectly wherever the addressees of the services are EU citizens, which is why it also applies to you. First of all, remember that you, as the Personal Data Administrator, are responsible for the storage and proper processing of the personal data of your clients.
Make sure that you have verified and adjusted the following issues to the current standards in the field of personal data protection:
MARKETING CONSENT
Each store should be considered individually here. The key, however, is the need to inform the customer at the time of entrusting the data about the purposes of data processing. That is, the reason for sending marketing content and receiving commercial information, e.g. when providing an email address, registering an account, subscribing to a newsletter via a checkbox or by active action, e.g. via Pop up (e-mail).
To make sure that the customer subscribes to a newsletter in a conscious, voluntary and unambiguous manner, we recommend, apart from introducing the Double Opt-In model, adding the following checkboxes with consents and brief information next to the subscription forms to the newsletter:
During account registration
Example:
⬜ I declare that I am over 16 years old and that I understand and accept the provisions of the Regulations (link) and the Privacy Policy (link) ("mandatory field")
⬜ I consent to the processing of my personal data for marketing purposes and to receive commercial information from [shop_name] using telecommunications terminal devices voluntarily entered by me (for example, telephone) and electronic communication means (SMS, e-mail). ("Optional field")
In the Privacy Policy, we suggest adding something like:
On the basis of this consent, we will be able to contact you via, for example, telephone, SMS or email (depending on what data you provide us during registration) in order to promote services or goods [shop_name], including presenting information about current promotions or marketing campaigns. You can unsubscribe from receiving commercial information from [shop_name] at any time by withdrawing your consent.
Newsletter signup
Example:
⬜ I consent to the processing of my personal data by XYZ in order to receive marketing information about products and services by means of electronic communication (e-mail).
Learn more about the rules of processing your data in our Privacy Policy
(LINK)
The amount of data protection and online marketing regulations in place can make your head spin. That is why it is important to update your privacy policy accordingly when building your mailing database. You can then consider offering subscriptions to a newsletter even without formally marking consent (especially if you use double opt-in and have fulfilled information obligations towards your clients). However, we recommend that at least one consent (to receive marketing information) be given. Consent will be consciously given if someone has the opportunity to find out why, who and for what purpose their personal data is processed before confirming the subscription to the newsletter.
Remember! Use the Double Opt-In model (where the user confirms his consent to a subscription by clicking a link confirming it). Thanks to such consent, you can be sure that the user has consciously and voluntarily joined your subscription database.
Sample email content (double opt-in)
Confirmation message:
Great! You've almost finished signing up for our newsletter.
Before clicking the activation link, read this information
(link to the Privacy Policy).
Remember that the administrator of your data is: XYZ based in K. You can always correct or change your data, withdraw your consent at any time,
and even request the transfer or deletion of data. The list of entities to whom we entrust your data is available here. We do this in order to provide our services as well as possible. Your data will be kept for as long as it is necessary to protect your rights (e.g. warranty or limitation period when you buy a product). If you have any questions or concerns, please write to us at gdpr@xyz.com. Your safety and trust are of the utmost importance to us!
P.S. Remember that you can always lodge a complaint at XXXX
PRIVACY POLICY UPDATES
If you start cooperation with a personal data subprocessor, e.g. a shipping company, marketing agency or just edrone, it usually involves entrusting personal data and it is necessary to inform your customers about this fact.
The place where the customer can learn which entities are provided with his personal data, what is the purpose of their processing and on what basis is the Privacy Policy on your store's website. Here, in simple language, you can describe what data, for what purpose, for how long and with whom you share it when the user engages with your online store.
There is no single privacy policy template. A very common mistake is that we simply copy the privacy policies of other stores 1: 1 or buy "ready-made" documents. Don’t do this!
A privacy policy should contain:
1. Information about the basis for the storage of personal data.
The grounds vary from, for example, the consent given by the user to the contract concluded with the user and legal obligations. Typical reasons include:
performance of the contract (e.g. sale of a product or provision of an electronic service, such as setting up an account on your website);
consent given by the user, e.g. sending your own commercial information to potential customers. Remember that granted consent can always be revoked and you must make users aware of this.
Your legitimate interests (e.g. to analyze user traffic on your website, but also marketing your own services for acquired customers, i.e. those who have, for example, set up an account in your store or have already bought a product).
What could it sound like?
Example 1:
What are the legal grounds for data processing?
First of all, the legal basis for the processing of your personal data is the contract concluded between us and the legitimate interests related to our business. We process your data only to the extent that is needed to properly provide the service we provide you. In this case, we will process your data for the entire time you use our services, and until any claims arising from it are expired.
Our legitimate interests will also be the legal basis for the processing of your personal data by us, e.g. for statistical purposes, such as the analysis of user traffic on our website. Your data, such as the content of your inquiries for an offer, errors reported by you or the evaluation of our systems will allow for the improvement of tools such as chat, as well as self-marketing of our services / products for current customers / users. In order to best answer your questions or reported problems, we also process information that you may have provided during a conversation with us via chat, for example, that may also be personal data, such as an email address, name and surname. This will allow us to improve communication, thanks to which we will handle your inquiries more efficiently. In this case, we will process the data until you object, which you can do by contacting us.
For marketing purposes, the basis for the processing of your data will be your consent. All you have to do is check the appropriate field in the form during registration. You can revoke such consent at any time by clicking on the deactivation link included in each marketing message we send you. In this case, we will process your data until you withdraw your consent
2. Who has access to your personal data
In addition to the basis for the processing of personal data, it is also worth entering who (apart from your employees) has access to your data. We refer to these entities as "processors". Such an entity is, for example, a payment company, courier companies, as well as companies such as edrone, which provide you with tools to support the sales process. It’s enough to indicate them in the Privacy Policy. You can, but you don't have to by name. It is enough if you define their roles.
Example
We only share your personal data with third parties to manage your online purchases. They are only received by companies that process your address,
communication agencies that send order confirmations, warehouses and courier companies that deliver orders, companies that make payments,
banks that check your identity and creditworthiness when you buy in installments, debt collection companies, companies providing tools supporting the sales process as part of the online store (marketing automation), e.g. recommendation frames, chat functionality, newsletters, etc.
Add information to the policy if you use Chat and the functionalities of the Customer Service Center.
If you use our chat (but also if you use other proprietary solutions), we recommend that you allow data subjects (i.e. your clients) to make a decision about whether they want to use the chat and allow you - and consequently us - to process it, and thus provide an even better level of query handling.
An example of such consent:
I consent to the processing of personal data in order to improve the automatic query handling system by XXX on the terms set out in the Privacy Policy [link to example 1]
3. Information about profiling
Profiling is a topic that is sometimes controversial. Some believe that profiling always requires the user's consent, others that it is enough to inform the data subject (i.e. the customer of your store) about the possibility of objecting. It all depends, of course, on what we mean by profiling. In our opinion, customer segmentation, edrone's recommendation frames (A bought product B, so having the appropriate features, statistically speaking he may be interested in purchasing product C) do not constitute profiling referred to in Art. 22 GDPR, because despite the fact that it is an automatic processing of personal data, the effect of this processing is not the same as the fact that a decision was made automatically against the data subject (e.g. automatic refusal to grant a loan) or it significantly affects the data subject ( no access to certain products).
Therefore, in the light of the applicable law, it will be sufficient to inform users in the privacy policy or in any other appropriate way that personal data is subject to profiling and about the possibility of objecting to such activities. There is no need for the data subject to give prior consent before such profiling.
Example:
"Personal data will be processed in an automated manner, including profiling, for which information about purchases, activities in the Service Provider's sales channels (computer IP, cookies, preferred methods of purchase) are used, sociodemographic data (e.g. gender, age, income, place of residence) )), in order to adjust marketing information to individual preferences. In any case, the User object to further profiling.”
VERIFICATION OF PREVIOUSLY GATHERED CONSENT
When you verify your customer data collection forms and those used for subscribing to your newsletter, and you have doubts as to whether they have been obtained correctly and legally, remember that deleting the databases should be a last resort! If, before a client gave consent and made the data available, you informed him who his personal data administrator was, for what purpose you needed consent to the processing of his data, and that he had the right to withdraw consent, then you should rest easy.
If you used the double opt-in mechanism and you have a privacy policy, that's really great, but if you bought data from a data broker that may be of dubious origin, or you have not informed the client in any way about the basis for processing his data, you must ensure that the data processing is legal.
Our blog provides answers to the following questions:
Do I need to delete customer databases before applying GDPR?
Can I still process my clients' data?
How can I check if I process data on the basis of consent?
I have very serious doubts about the legality of my database. What should I do?
In what case can I still send the newsletter to the previously collected database?
Go to 👉 https://blog.edrone.me/pl/rodo-czy-po-wejsciu-rozporzadzenia-musze-skasowac-swoja-baze-newsletter/
SUMMARY
If you have updated your privacy policy, provide correct consents when building a subscriber base and inform clients about collecting data on their behavior on the website, you can go ahead and use the automation system to increase revenues from your e-commerce. In any case, we encourage you to consult a privacy policy specialist about changes in your privacy policy :)
Common questions:
Can I combine consents for email and text messages?
No, we recommend the separation of consents. This practice is indicated as recommended in the jurisprudence of European States.
2. Should I inform my clients about this after making changes to the privacy policy? In what form?
A newsletter for the entire customer base is enough, where you mention changes to the privacy policy and add a link to the relevant policy. Here is an example of how edrone clients do it: https://edrone.myportfolio.com/ekobieca