When starting your adventure with edrone, you need to complete a few simple formalities. This includes measures related to data privacy compliance. GDPR has been formally applied throughout the European Union since 2018, and indirectly wherever the addressees of the services are EU citizens, which is why it also applies to you. First of all, remember that you, as the Personal Data Administrator, are responsible for the storage and proper processing of the personal data of your clients.
Make sure that you have verified and adjusted the following issues to the current standards in the field of personal data protection:
Each store should be considered individually here. The key, however, is the need to inform the customer, at the time they entrust you with their data, about the purposes of data processing, that is, the reason for sending marketing content and receiving commercial information, e.g. when providing an email address, registering an account, or subscribing to a newsletter via a checkbox or by an active action such as a pop-up (e-mail).
To make sure that the customer subscribes to a newsletter in a conscious, voluntary and unambiguous manner, we recommend, apart from introducing the Double Opt-In model, adding the following consent checkboxes, with brief information, next to the newsletter subscription forms:
During account registration
⬜ I consent to the processing of my personal data for marketing purposes and to receive commercial information from [shop_name] using telecommunications terminal devices voluntarily entered by me (for example, telephone) and electronic communication means (SMS, e-mail). ("Optional field")
On the basis of this consent, we will be able to contact you via, for example, telephone, SMS or email (depending on what data you provide us during registration) in order to promote services or goods [shop_name], including presenting information about current promotions or marketing campaigns. You can unsubscribe from receiving commercial information from [shop_name] at any time by withdrawing your consent.
⬜ I consent to the processing of my personal data by XYZ in order to receive marketing information about products and services by means of electronic communication (e-mail).
Remember! Use the Double Opt-In model (where the user confirms his consent to a subscription by clicking a link confirming it). Thanks to such consent, you can be sure that the user has consciously and voluntarily joined your subscription database.
Sample email content (double opt-in)
Great! You've almost finished signing up for our newsletter.
Before clicking the activation link, read this information
Remember that the administrator of your data is: XYZ based in K. You can always correct or change your data, withdraw your consent at any time, and even request the transfer or deletion of data. The list of entities to whom we entrust your data is available here. We do this in order to provide our services as well as possible. Your data will be kept for as long as it is necessary to protect your rights (e.g. warranty or limitation period when you buy a product). If you have any questions or concerns, please write to us at firstname.lastname@example.org. Your safety and trust are of the utmost importance to us!
P.S. Remember that you can always lodge a complaint at XXXX
If you start cooperation with a personal data subprocessor, e.g. a shipping company, marketing agency or just edrone, it usually involves entrusting personal data and it is necessary to inform your customers about this fact.
1. Information about the basis for the storage of personal data.
The grounds vary from, for example, the consent given by the user to the contract concluded with the user and legal obligations. Typical reasons include:
performance of the contract (e.g. sale of a product or provision of an electronic service, such as setting up an account on your website);
consent given by the user, e.g. sending your own commercial information to potential customers. Remember that granted consent can always be revoked and you must make users aware of this.
Your legitimate interests (e.g. to analyze user traffic on your website, but also marketing your own services for acquired customers, i.e. those who have, for example, set up an account in your store or have already bought a product).
What could it sound like?
What are the legal grounds for data processing?
First of all, the legal basis for the processing of your personal data is the contract concluded between us and the legitimate interests related to our business. We process your data only to the extent needed to properly provide our service to you. In this case, we will process your data for the entire time you use our services, and until any claims arising from it have expired.
Our legitimate interests will also be the legal basis for the processing of your personal data by us, e.g. for statistical purposes, such as the analysis of user traffic on our website. Your data, such as the content of your inquiries for an offer, errors reported by you or the evaluation of our systems will allow for the improvement of tools such as chat, as well as self-marketing of our services / products for current customers / users. In order to best answer your questions or reported problems, we also process information that you may have provided during a conversation with us via chat, for example, that may also be personal data, such as an email address, name and surname. This will allow us to improve communication, thanks to which we will handle your inquiries more efficiently. In this case, we will process the data until you object, which you can do by contacting us.
For marketing purposes, the basis for the processing of your data will be your consent. All you have to do is check the appropriate field in the form during registration. You can revoke such consent at any time by clicking on the deactivation link included in each marketing message we send you. In this case, we will process your data until you withdraw your consent.
2. Who has access to your personal data
We only share your personal data with third parties to manage your online purchases. They are only received by companies that process your address, communication agencies that send order confirmations, warehouses and courier companies that deliver orders, companies that make payments, banks that check your identity and creditworthiness when you buy in installments, debt collection companies, and companies providing tools supporting the sales process as part of the online store (marketing automation), e.g. recommendation frames, chat functionality, newsletters, etc.
Add information to the policy if you use Chat and the functionalities of the Customer Service Center.
If you use our chat (but also if you use other proprietary solutions), we recommend that you allow data subjects (i.e. your clients) to make a decision about whether they want to use the chat and allow you - and consequently us - to process it, and thus provide an even better level of query handling.
An example of such consent:
3. Information about profiling
Profiling is a topic that is sometimes controversial. Some believe that profiling always requires the user's consent, others that it is enough to inform the data subject (i.e. the customer of your store) about the possibility of objecting. It all depends, of course, on what we mean by profiling. In our opinion, customer segmentation and edrone's recommendation frames (A bought product B, so, having the appropriate features, statistically speaking he may be interested in purchasing product C) do not constitute profiling referred to in Art. 22 GDPR, because although it is automatic processing of personal data, the effect of this processing is not that a decision is made automatically against the data subject (e.g. automatic refusal to grant a loan), nor does it significantly affect the data subject (no access to certain products).
"Personal data will be processed in an automated manner, including profiling, for which information about purchases, activities in the Service Provider's sales channels (computer IP, cookies, preferred methods of purchase) and sociodemographic data (e.g. gender, age, income, place of residence) are used, in order to adjust marketing information to individual preferences. In any case, the User may object to further profiling."
VERIFICATION OF PREVIOUSLY GATHERED CONSENT
When you verify your customer data collection forms and those used for subscribing to your newsletter, and you have doubts as to whether they have been obtained correctly and legally, remember that deleting the databases should be a last resort! If, before a client gave consent and made the data available, you informed him who his personal data administrator was, for what purpose you needed consent to the processing of his data, and that he had the right to withdraw consent, then you should rest easy.
Our blog provides answers to the following questions:
Do I need to delete customer databases before applying GDPR?
Can I still process my clients' data?
How can I check if I process data on the basis of consent?
I have very serious doubts about the legality of my database. What should I do?
In what case can I still send the newsletter to the previously collected database?
Go to 👉 https://blog.edrone.me/pl/rodo-czy-po-wejsciu-rozporzadzenia-musze-skasowac-swoja-baze-newsletter/
Can I combine consents for email and text messages?
No, we recommend the separation of consents. This practice is indicated as recommended in the jurisprudence of European States.