to send 4-digit-amount Bills to those, using copyrighted images, content, or now
do not apply to latest Cookie-Reg's. It's called 'Abmahnungsgebühr', and they earn
millions every Year, so enabling the german Automakers, to then send their Checks
to the elected Party Members, in charge of such Laws. It's big Business already, and
probably one of those reasons, why 'populist power' is suddenly spreading so fast
again, everywhere ... (somebody needs to stop 'em, somehow - some day ...)
But I don't plan to get political, it just needs to be understood, they have no chance,
but to follow the rules, or they can get punished badly, the Dogs are waiting already
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
I need to know three things:
1. As a dropshipper in EU do I need some kind of GDPR agreement between me as webshop and a distributor? Because they need to be GDPR compliant as well. I won't risk my company name if they don't give me written consent of storing data under EU law.
2. I am running the website through cloudflare. How does this concern me? Do I need to put this under privacy policy. Where are the servers of Cloudflare located?
3. I am the owner of the webshop, therefore I am the only one who sees the information of my customers (name, last name, country, address, phone number). Do I still need DPO?
ideep13 wrote: ↑Mon May 21, 2018 6:55 pm
HI,
I need to know three things:
1. As a dropshipper in EU do I need some kind of GDPR agreement between me as webshop and a distributor? Because they need to be GDPR compliant as well. I won't risk my company name if they don't give me written consent of storing data under EU law.
2. I am running the website through cloudflare. How does this concern me? Do I need to put this under privacy policy. Where are the servers of Cloudflare located?
3. I am the owner of the webshop, therefore I am the only one who sees the information of my customers (name, last name, country, address, phone number). Do I still need DPO?

In general the GDPR is primary for the Rights of customers.
1.
Which means, as long as you are not giving away customer data to others, no contract is needed.
If the distributor acts on your behalf, he has to be GDPR compliant - he is the processor - and therefore you need a contract.
If he does not want to give you one (while I cannot imagine why), you should stop business with them.
2. Cloudflare collects several data, you need a contract with them (they should already offer some), see https://www.cloudflare.com/security-policy/
Also if you store data in the 'Cloud', a contract is needed.
3. Not true, because your provider/hoster has also some data (e.g. IP-Address).
Beside this, the moment you are handling with data on a 'regular basis' (a Webshop does that), you have to name a DPO.
You have to display inside your Privacy (text) the DPO - and even it is you.
There you have to display also where you are storing data, which companies are processing data - and which.
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
OSWorX wrote: ↑Mon May 21, 2018 7:31 pm
In general the GDPR is primary for the Rights of customers.
1.
Which means, as long as you are not giving away customer data to others, no contract is needed.
If the distributor acts on your behalf, he has to be GDPR compliant - he is the processor - and therefore you need a contract.
If he does not want to give you one (while I cannot imagine why), you should stop business with them.

Of course the data goes to the distributor, because they send the items directly to customers.
OSWorX wrote: ↑Mon May 21, 2018 7:31 pm
2. Cloudflare collects several data, you need a contract with them (they should already offer some), see https://www.cloudflare.com/security-policy/
Also if you store data in the 'Cloud', a contract is needed.

I read this link about Cloudflare - https://www.cloudflare.com/gdpr/introduction/
But I am confused I am not DATA processor. Only data processors (third party) should have a contract with cloudflare. I am the only one who has access to my OC, cloudflare and hosting account. English is not my native language, therefore I don't understand the whole text fully.
Do I still need a contract? https://www.cloudflare.com/media/pdf/cl ... 180402.pdf
OSWorX wrote: ↑Mon May 21, 2018 7:31 pm
3. Not true, because your provider/hoster has also some data (e.g. IP-Address).
Beside this, the moment you are handling with data on a 'regular basis' (a Webshop does that), you have to name a DPO.
You have to display inside your Privacy (text) the DPO - and even it is you.
There you have to display also where you are storing data, which companies are processing data - and which.

Aren't IP's masked ?
I was told that for DPO I need to name the third party.
https://www.cloudflare.com/gdpr/subprocessors
IP's are masked - if the setting regarding IP is made.
But - your hoster/provider - will store them further in plain (I do still not know a way to mask IP-Addresses in the serverlog).
Important is this fact:
the moment you are handling with data on a 'regular basis'
For example:
you have a website for your company. Visitors are coming, but will leave no data (maybe except you have a Newsletter and they subscribe).
This is a case of 'rare usage'.
Means: no DPO.
But moment you have a Webshop, you are handling data on 'regular basis'.
Therefore you need a DPO.
Sorry, but that is not from me - it is how the GDPR is constructed.
And if you say english is not your mother language, then please search for GDPR documents in your language.
Here you will find the Law (the EC Original) in many languages: http://eur-lex.europa.eu/eli/reg/2016/679/2016-05-04
And maybe contact a Lawyer.
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
https://ec.europa.eu/info/law/law-topic ... cer-dpo_en
DPO mandatory
A DPO is mandatory for example when your company/organisation is:
a hospital processing large sets of sensitive data
a security company responsible for monitoring shopping centres and public spaces
a small head-hunting company that profiles individuals
DPO not mandatory
A DPO isn’t mandatory if:
you’re a local community doctor and you process personal data of your patients
you have a small law firm and you process personal data of your clients
I consider myself as a small firm owning data of less than 1000 customers in my webshop.
Can you please send me a link to a google contract? Those links you posted above, are not real contracts.
ideep13 wrote: ↑Mon May 21, 2018 9:29 pm
https://ec.europa.eu/info/law/law-topic ... cer-dpo_en
DPO mandatory
A DPO is mandatory for example when your company/organisation is:
a hospital processing large sets of sensitive data
a security company responsible for monitoring shopping centres and public spaces
a small head-hunting company that profiles individuals
DPO not mandatory
A DPO isn’t mandatory if:
you’re a local community doctor and you process personal data of your patients
you have a small law firm and you process personal data of your clients

Do not misunderstand such paragraphs!
You're talking about regulations for Medical Doctors and Patients.
Unless you are a Doctor with an Online Business or a Tax Consultant - you have to follow other rules.
Anyway, if 10, 100 or 1.000 customers - to repeat it again: the moment you have to deal with data on a 'regular basis' you need a DPO.
Regular can also mean: each week 1
Do not know what you mean by 'Google Contract'?
Something like this: https://static.googleusercontent.com/me ... rms/de.pdf (e.g. in German for German Companies - they have to sign this contract until 25.5.2018, after that date they can do it also Online).
Here are the terms for Google Analytics: https://www.google.de/analytics/terms/
Here for Google Tag Manager: https://www.google.de/analytics/terms/tag-manager/
Currently I do not know which Countries can sign the Contract Online (like Austria).
You have to check by yourself by simply visiting your GA or GTM account where you should see a banner (if contract can be signed online is not until today).
Other Contracts - e.g. for your Provider - are available at each (or at least should be !).
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
After contacting our hosting provider, he can not provide the contract, (he says it's impossible to give contracts to more than 1000 of users) and he said we must apply his privacy policy in ours.
Also I am confused. I have data stored on hosting provider in Europe, but I have a cloudflare to speed up the site.
So do I still need contract with both of them?
Regarding contract with suppliers - this is some f-- up s-- - One of our suppliers are closing down the business because of GDPR.
I only received one statement from one of the supplier that they comply with GDPR. What about others? They are giving me silent treatment on this.
ideep13 wrote: ↑Tue May 22, 2018 6:11 pm
Does hosting provider must give us a contract? I was reading your post and you told we must have to.
After contacting our hosting provider, he can not provide the contract, (he says it's impossible to give contracts to more than 1000 of users) and he said we must apply his privacy policy in ours.

Very bad - they have to provide.
Yes, because you will have data from European Customers - and this is the only important.
ideep13 wrote: ↑Tue May 22, 2018 6:11 pm
Regarding contract with suppliers - this is some f-- up s-- - One of our suppliers are closing down the business because of GDPR.
I only received one statement from one of the supplier that they comply with GDPR. What about others? They are giving me silent treatment on this.

No silent, only signed contracts.
Imagine some of the Privacy Department (or how this will be called) is contacting/visiting you.
Then you must be able to show them the contract(s).
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
Both parties should understand what's in the contract.
And it should be in a language the controller (data authority) speaks.
So, if you are located e.g. in Spain and have an English Contract, I doubt that he will understand that.
The more, contracts have to be always in the language your business is located.
Because nobody wants to translate legal language wording - or do you understand each word in case there are troubles?
Otherwise you have to pay a Lawyer for translating.
That would be the same if you see/have a contract in Chinese - do you speak Chinese?
But I am sure when you look a bit around and search for, you will find a (sample) contract in your Language.
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
Also, I contacted a hosting provider and they said they can not give the contract because of the shared hosting. I need to have VPS.
That means I need to migrate the site. Is there any VPS hosting that is compliant with GDPR on opencart marketplace? Does opencart provides such hosting?
Below a summary of many German vendors.
Not all are offering until today a contract, but see yourself:
https://www.audatis.de/ratgeber/busines ... ebhosting/
About provider in other countries please use the search - or maybe other users here know some.
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
So they build an API to allow us to check acceptance, the reason they need to do it, their cookie acceptance could come from another site or their own (and often will do) but you need to be able to check acceptance, set acceptance, set denial too because that would have to be updated with them not just you.
Now at this point check or set you are going to store locally too because you need to store their preference on your own system, otherwise you are doing an api call on every page load/cookie check.
So we have a denial (in an ideal world only our php cookies would be set at this point but we know it's not an ideal world and other cookies have been set) we need to delete all "extra cookies" this means we need to know the name of all cookies set and then delete all that don't match a list of our system required cookies and delete them. The problem with this is this would have to occur on every single page load too. the names change so we have to get a list every time, check it every time and delete the denied cookies... every time.
So much for a simple system hey. Anyway, it can be done but it's not a simple process.
It is likely that the responsible analytics companies are going to do something to change it where by they require you to check before they set, this would be the best way all around, but still requires some work and still requires at least a periodic API check to their system even if your own acceptance status never changes.
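The per-request clean-up described in the post above, as an added PHP example (not code from the thread, from OpenCart or from any extension). The allowlist names, the `cookie_consent` cookie and the `.shop.example` domain are assumptions made for illustration.

```php
<?php
// Assumed allowlist of cookies the shop itself needs (hypothetical names).
const ESSENTIAL_COOKIES = ['OCSESSID', 'language', 'currency', 'cookie_consent'];

/**
 * Names of cookies present in this request that must be removed after a denial.
 * Only names are known: the browser never sends a cookie's Path or Domain.
 */
function cookiesToExpire(array $requestCookies, array $essential, bool $consented): array
{
    if ($consented) {
        return [];
    }
    // PHP turns numeric cookie names into integer keys, so cast them back.
    $names = array_map('strval', array_keys($requestCookies));
    return array_values(array_diff($names, $essential));
}

/**
 * Build Set-Cookie header values that expire each cookie. Because Path and
 * Domain are unknown, a host-only variant and every candidate domain are sent.
 */
function expiryHeaders(array $names, array $domains, string $path = '/'): array
{
    $headers = [];
    foreach ($names as $name) {
        foreach (array_merge([null], $domains) as $domain) {
            $h = rawurlencode($name)
               . '=deleted; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; Path=' . $path;
            if ($domain !== null) {
                $h .= '; Domain=' . $domain;
            }
            $headers[] = $h;
        }
    }
    return $headers;
}

// Constructed sample request: the visitor has denied non-essential cookies.
$sample = [
    'OCSESSID' => 'abc123', 'currency' => 'EUR', 'cookie_consent' => 'denied',
    '_ga' => 'GA1.2.1.1', '_gid' => 'GA1.2.2.2',
];
$consented = ($sample['cookie_consent'] ?? '') === 'accepted';

$toExpire = cookiesToExpire($sample, ESSENTIAL_COOKIES, $consented);
foreach (expiryHeaders($toExpire, ['.shop.example']) as $h) {
    // In a live request: header('Set-Cookie: ' . $h, false);
    echo 'Set-Cookie: ' . $h . PHP_EOL;
}
```

The server only sees cookies the browser sends for the shop's own host, so a cookie stored under a third party's domain cannot be removed this way, and a script that is still loaded will set its cookies again on the next page.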
Chris_UK wrote: ↑Wed May 23, 2018 11:15 pm
So we have a denial (in an ideal world only our php cookies would be set at this point but we know it's not an ideal world and other cookies have been set) we need to delete all "extra cookies" this means we need to know the name of all cookies set and then delete all that don't match a list of our system required cookies and delete them. The problem with this is this would have to occur on every single page load too. the names change so we have to get a list every time, check it every time and delete the denied cookies... every time.
So much for a simple system hey. Anyway, it can be done but it's not a simple process.
It is likely that the responsible analytics companies are going to do something to change it where by they require you to check before they set, this would be the best way all around, but still requires some work and still requires at least a periodic API check to their system even if your own acceptance status never changes.

By the way iSenseLabs have already built what you just described, I have it installed and working - https://isenselabs.com/products/view/gd ... r-opencart
With the current architecture of OpenCart, Cookies can be blocked - without knowing which have to be blocked.
That can be done, and is what I am doing.
Setting Cookies without any Visitor acceptance will lead to troubles for the Webshop owner.
Chris_UK wrote: ↑Wed May 23, 2018 11:15 pm
So they build an API to allow us to check acceptance, the reason they need to do it, their cookie acceptance could come from another site or their own (and often will do) but you need to be able to check acceptance, set acceptance, set denial too because that would have to be updated with them not just you.
Now at this point check or set you are going to store locally too because you need to store their preference on your own system, otherwise you are doing an api call on every page load/cookie check.
So we have a denial (in an ideal world only our php cookies would be set at this point but we know it's not an ideal world and other cookies have been set) we need to delete all "extra cookies" this means we need to know the name of all cookies set and then delete all that don't match a list of our system required cookies and delete them. The problem with this is this would have to occur on every single page load too. the names change so we have to get a list every time, check it every time and delete the denied cookies... every time.
So much for a simple system hey. Anyway, it can be done but it's not a simple process.
It is likely that the responsible analytics companies are going to do something to change it where by they require you to check before they set, this would be the best way all around, but still requires some work and still requires at least a periodic API check to their system even if your own acceptance status never changes.

Whatever those companies may do, the Responsibility for proper setting cookies is at your site.
You will receive the Fine.
It should be in their interest to follow guide lines and regulations - but money does not smell!
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
Can't they be considered legitimate interest?
ADD Creative wrote: ↑Thu May 24, 2018 9:02 pm
Also, don't forget if you are using consent as the basis for using a cookie (or browser storage) that stores of links to personal data that is covered by the GDPR, then you need to record when and how consent was given and what the user was told at the time.

Sorry, but this is not correct.
The moment a visitor of a Website clicks inside the Cookiebanner (or other solution) and accept herewith that storage of Cookies (and I and Lawyers do not speak of 'storage' - an open issue inside these Regulation on which we can see the technical background of these Bureaucrats [or was it Lobbying of the big(ger) Companies]), you do not need any other stored information (e.g. in the database).
While this is not explicitly stated in the GDPR, it is also required to store.
This is the conclusion of many studied IT Lawyers at the moment.
But, as the GDPR currently is published - and valid, we will see many Court Decisions the next months/years.
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.