Post by davidbfranks » Tue May 15, 2018 7:14 pm

OSWorX wrote:
Thu Apr 26, 2018 9:50 pm
JNeuhoff wrote:
Thu Apr 26, 2018 8:56 pm
@OSWorX:

So is there any comprehensive OpenCart extension covering all the aspects of the GDPR for OpenCart?
Will be published soon.
Do you have a date in mind for when this will be published, and what versions of OpenCart will it be compatible with?

Active Member

Posts

Joined
Mon Mar 04, 2013 10:31 pm
Location - London

Post by davidbfranks » Tue May 15, 2018 7:15 pm

willows wrote:
Mon Apr 30, 2018 5:13 pm
JNeuhoff wrote:
Thu Apr 26, 2018 8:56 pm
@OSWorX:

So is there any comprehensive OpenCart extension covering all the aspects of the GDPR for OpenCart?

Yes we have a GDPR addon on the market place. See it here. https://www.opencart.com/index.php?rout ... load_id=17

We also have a video about it here too.
[youtube]mboR7L1Z1yA[/youtube]
Your extension doesn't allow users to opt-out of advertising cookies (such as Google Analytics)


Post by OSWorX » Wed May 16, 2018 5:46 am

Just to answer all in one:

Beside the standard features like:
* Right to be informed
* Right to access
* Right of rectification
* Right to delete
* Right to restrict data processing
* Right to data portability

Publishing: this week around 19./20. May 2018 (should be early enough for all to fill in required data) e.g.
A 'Who is responsible for data' - Data Controller
B 'Which contracts are existing' - e.g. Cloud Services, Google Analytics, etc. - who else has access to the data
C 'What will be done with the data' - what decisions made with this data, what will you use that data for
D 'How long is the data stored'

A-D (and a few more) should already be done - if not, hurry up, by the 25th you have to know and have to have signed all contracts.

Options: visitor can choose which cookies are allowed (he allows) beside the 3 standard (Language, Currency & Session which are allowed by the GDPR) - no more are set at first visit

Versions: basically 2.x, 3.x will follow (same time or a bit later), 1.5.x at least

Beside this, the extension will have much more, but I do not want to announce that now and here (interested, PM me).

Expert Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by JNeuhoff » Wed May 16, 2018 5:21 pm

A-D (and a few more) should already be done - if not, hurry up, by the 25th you have to know and have to have signed all contracts.
What exact contracts are to be signed, with whom?

MHC Web Design
Override Engine * Integrated VQMod * Multilingual SEO * Instant Option Price Calculator * TrustPilot Reviews * Download Options * Free Download Buttons * Export/Import Tool * Template Switcher PHP/Twig


Expert Member

Posts

Joined
Wed Dec 05, 2007 3:38 am


Post by ADD Creative » Wed May 16, 2018 7:03 pm

Any data processors. Which is any supplier with whom you share your data. Examples for an OpenCart store I would guess would likely include, hosting company, web developer (if they have access to the database), payment processor, courier you use to deliver items, any supplier that directly ships to the customer and any service that tracks users on your site (where personal data is sent to them).

https://ico.org.uk/for-organisations/gu ... contracts/

ADD Creative - Web development and e-commerce development, Milton Keynes or Christchurch, UK
ADD Filtration - HVAC Panel Filters, Bag Filters and HEPA Filters


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am

Post by OSWorX » Wed May 16, 2018 7:27 pm

JNeuhoff wrote:
Wed May 16, 2018 5:21 pm
A-D (and a few more) should already be done - if not, hurry up, by the 25th you have to know and have to have signed all contracts.
What exact contracts are to be signed, with whom?
The best sample is ... Google
If you embed the Google Analytics code in our website, you have to sign a contract with Google.
See:
https://www.google.com/about/company/co ... aging.html
https://www.google.com/about/company/co ... aging.html
https://www.google.de/analytics/terms/ (select your language)

Download the contract, sign it and send both copies to Google Ireland.

Note: customers of GA in Austria can already sign this contract online, German customers can do that after the 25th May 2018 (until then they have to sign it on paper).
Other countries I do not know right now ..

>> A contract has to be signed with everyone (e.g. a Developer, a Supporter) who has access to your data.
>> A contract has to be signed with every company (see above Google) which receives (personal, sensitive) data from you (the store owner), e.g. cart data, customer data

If these contracts do not exist, or are not signed after the 25th of May, fines may be the result!

After that date, in theory whenever a developer or supporter will have access to your shop (data), he has to sign such a contract.


Post by OSWorX » Wed May 16, 2018 7:30 pm

ADD Creative wrote:
Wed May 16, 2018 7:03 pm
Any data processors. Which is any supplier with whom you share your data. Examples for an OpenCart store I would guess would likely include, hosting company, web developer (if they have access to the database), payment processor, courier you use to deliver items, any supplier that directly ships to the customer and any service that tracks users on your site (where personal data is sent to them).

https://ico.org.uk/for-organisations/gu ... contracts/
Not correct - sorry.
Except Payment Processor and Courier > they are only fulfilment 'partners' and act on your behalf.
As long as they only fulfil a payment > e.g. PayPal < or send goods > e.g. UPS, DHL, Post < no contract has to be signed.

While correct about hosting company, developer etc. because they will have access to all of your data!

Important is the fact: can/will the receiver do anything else than the agreed target (e.g. shipping, delivery, payment).

Short summary:

Controller vs. Processor
A data controller handles personal data.
A data processor processes personal data for other data controllers.

Odds are, your business only falls into bucket A. Facebook and Google?
They’re both A and B, depending on the day of the week.

The GDPR treats the data controller as the responsible party for things like collecting consent, managing consent-revoking, and enabling right to access.
If a prospect wants to escape from your funnel, they simply contact you and you initiate their request (even if their data lives elsewhere like, say, Facebook); it’s your job to ensure that the request is met, even if that means reaching out to your data processor to do so.

See now how your business needs contracts.

Just to go a bit further ..

In plain English, this means that if you’re using a Google product to track the on-site action of prospects in order to serve personalized ads down the line, you must acquire their consent to do so.

Exceptions: Customer Match and Store Sales

There are two instances—Customer Match and uploaded Store Sales data—in which Google acts as both a controller and a processor of personal data, meaning that they simultaneously determine the purposes of data while processing data you control.

The exact language they use is as follows (note that you are “the customer”):
“When we handle end user personal data, the customer and Google will each act as independent controllers under the GDPR, except for the Customer Match and Store sales (direct upload) features, where Google will act as the customer’s processor for customer-provided personal data.”
As such, in these situations you are responsible for ensuring that the data Google is processing complies with the GDPR.
Customer Match is a tool that allows you to upload a CSV file loaded with customer data to target specific groups within AdWords.

A second Answer (to not asked Question):

GDPR AND THE CLOUD
While we’re on the topic of whether you need to hire a Data Protection Officer to comply with the GDPR, it’s worth mentioning that companies that rely upon cloud-based storage providers will not be exempt from the GDPR.

Which will also mean: if you have your store in the OpenCart Cloud, you need a contract with Daniel (or his Company).

Another topic: Facebook Pixel

Will the Facebook Pixel be impacted?
Per Facebook, anyone using a Facebook Pixel “will have obligations under the GDPR.”

Which means: no contract, but the visitor has to give his permission to display (while it is hidden, but technically it is displayed) such thing.
Same goes for Google Analytics (and other): the visitor has to explicitly agree to use such tools = Consent.
If not, you are not allowed to use it.

Acquiring Consent

Your responsibility is…
To do exactly what Google and Facebook are doing!

You need to inform your prospects of the kinds of data you’re collecting, what you’re doing with it, who else will see it, and ensure “a relevant legal basis (for example, consent, contractual necessity or legitimate interests)” for your use of consumer data.

Affirmative consent
In the simplest terms possible, compliance with the GDPR means you have to switch from an “opt-out” approach to an “opt-in” approach. Phrased differently, this opt-in principle is called “affirmative consent,” meaning every prospect must give their express permission to you before you can add that person to a mailing list or serve personalized ads across Google and Facebook’s respective products.

Summary
If a visitor/user/customer agrees to one (1) point (e.g. subscribing to a Newsletter) you (the store owner or operator) are allowed to send this visitor/user/customer only Newsletters!
Nothing else.

Same goes for those 'nice' follow up emails to ask for a Rating.
If the customer did not agree to receive such emails, you are not allowed to send such!

Basically quite easy to follow - but may mean that some stores have to change their business model.


Post by davidbfranks » Wed May 16, 2018 11:58 pm

OSWorX wrote:
Wed May 16, 2018 5:46 am
Just to answer all in one:

Beside the standard features like:
* Right to be informed
* Right to access
* Right of rectification
* Right to delete
* Right to restrict data processing
* Right to data portability

Publishing: this week around 19./20. May 2018 (should be early enough for all to fill in required data) e.g.
A 'Who is responsible for data' - Data Controller
B 'Which contracts are existing' - e.g. Cloud Services, Google Analytics, etc. - who else has access to the data
C 'What will be done with the data' - what decisions made with this data, what will you use that data for
D 'How long is the data stored'

A-D (and a few more) should already be done - if not, hurry up, by the 25th you have to know and have to have signed all contracts.

Options: visitor can choose which cookies are allowed (he allows) beside the 3 standard (Language, Currency & Session which are allowed by the GDPR) - no more are set at first visit

Versions: basically 2.x, 3.x will follow (same time or a bit later), 1.5.x at least

Beside this, the extension will have much more, but I do not want to announce that now and here (interested, PM me).
Will your extension offer this functionality - https://www.civicuk.com/cookie-control


Post by lovol3 » Thu May 17, 2018 4:10 am

You don't have to allow people to opt out.
My understanding is it says where reasonable effort.

You DO have to let people know what data is collected/stored and where it goes, when it gets deleted etc.

I've just been going through the whole DB to make a compliant statement, I've found 53 fields that contain personal data out of over 900.

The thing is, you have to tell people where you send the data, e.g. your shipping companies etc.

It's a total nightmare, but to be fair, quite a good thing, there is data here I didn't know I had!

Newbie

Posts

Joined
Thu May 17, 2018 4:05 am

Post by OSWorX » Thu May 17, 2018 5:01 am

davidbfranks wrote:
Wed May 16, 2018 11:58 pm
Will your extension offer this functionality - https://www.civicuk.com/cookie-control
It will, nearly - but all on your own site, no external API required.


Post by davidbfranks » Thu May 17, 2018 5:55 am

lovol3 wrote:
Thu May 17, 2018 4:10 am
You don't have to allow people to opt out.
My understanding is it says where reasonable effort.

You DO have to let people know what data is collected/stored and where it goes, when it gets deleted etc.

I've just been going through the whole DB to make a compliant statement, I've found 53 fields that contain personal data out of over 900.

The thing is, you have to tell people where you send the data, e.g. your shipping companies etc.

It's a total nightmare, but to be fair, quite a good thing, there is data here I didn't know I had!
From what I've read you clearly DO have to allow users to opt out!


Post by OSWorX » Thu May 17, 2018 6:15 am

lovol3 wrote:
Thu May 17, 2018 4:10 am
You don't have to allow people to opt out.
My understanding is it says where reasonable effort.
What are you talking about??
Everybody can leave (= optout) when HE wants - not YOU!
Especially when subscribed to your newsletter!
lovol3 wrote:
Thu May 17, 2018 4:10 am
You DO have to let people know what data is collected/stored and where it goes, when it gets deleted etc.
Correct.

What speaks against something like that in your privacy statement:
We are collecting following data (at Registration):
* IP-Address (masked)
* First-, Lastname
* Invoice Address
* Shipping Address
* Country
* Newsletter Subscription (if any)
* Wishlist (if made)
* Date when ordered and visited
Following data will be stored if you make an order:
* Date of purchase
* Products (type, module, price)
* Payment Method
* Shipping Method (if)
Depending on the payment method, this could be added:
* Your data will be used to verify who you are and if you can pay (or something like that - at Payments like PayPal, Sofortüberweisung or Instalment Payments like Klarna)
Next section could be the companies for payment.
And finally the shipping couriers.
And which data you are sharing (e.g. for delivery and payment).

That basically - is it.

After those sections you have to state how long you keep that data - depending on your local financial rules and maybe other regulations (between 7 and 30 years).

Next section will be what / which rights the customer has:

-- see my previous post about that --

And final section - and here comes for example my extension - if the customer can send a request to inform him about all these stored data.

And the very last: that he has the right to delete himself.

And here we are: because this can be a bit tricky.
Why?
Because you are not allowed to delete all customer data - see financial regulations above!
You have to keep such data for some years - customer can do nothing against.
But you should inform him ..

All other data can be deleted (e.g. newsletter subscription) or anonymized.

That's it.
Further questions?

n.b.: request for information and deleting data is not the subject for instantly action!
You have the right to send the answer within a reasonable timeframe - this can be 1 month, or 6 weeks.

And - you have the right to send him a bill for your effort.
Additionally you can block further requests if that customer sends every day, every week a letter/request.
lovol3 wrote:
Thu May 17, 2018 4:10 am
I've just been going through the whole DB to make a compliant statement, I've found 53 fields that contain personal data out of over 900.

The thing is, you have to tell people where you send the data, e.g. your shipping companies etc.
Partly correct, but at the end - you have to be transparent.

But all of this goes much further than the subject of this thread!


Post by Tasia » Fri May 18, 2018 4:27 pm

Hi, has OSWorX completed this extension? Where/when can I view this to compare with Willows extension. Does anyone know which is the right solution? There appears to be quite a lot of disagreement here.

Thanks

Newbie

Posts

Joined
Tue Oct 17, 2017 6:32 pm

Post by OSWorX » Fri May 18, 2018 5:44 pm

Tasia wrote:
Fri May 18, 2018 4:27 pm
Hi, has OSWorX completed this extension? Where/when can I view this to compare with Willows extension. Does anyone know which is the right solution? There appears to be quite a lot of disagreement here.

Thanks
You can ask me direct ;)
As of today: the extension is not ready; as written, it will be published around 19./20. May 2018, available in the OC Marketplace and on my own website.
And then you can test it there: https://osworx.net


Post by JNeuhoff » Fri May 18, 2018 11:32 pm

@OSWorX: I know you are quite busy, but if you or any other has a spare moment, I'd like to know how to handle the various page and sales tracking. E.g. on our OpenCart site we have these active tracking extensions:
  • Bing Custom Event Tracking for sale
  • Bing Universal Event Tracking (page tracking)
  • Facebook Pixel Events Tracking for:
    Initiate checkout
    Add payment info
    Make purchase
    Lead - Contact Us form submitted
    Complete registration
  • Google Adwords Conversion Tracking
  • Share Your Purchase on Checkout Success
  • iDev Affiliates Sales Tracking
  • Trustpilot (BCC EMail for order alerts)
Some of it is general page tracking, but others involve customer data being shared with other sites.
How is it to be handled, and how much will your upcoming extension cover?



Post by OSWorX » Sat May 19, 2018 12:05 am

JNeuhoff wrote:
Fri May 18, 2018 11:32 pm
@OSWorX: I know you are quite busy, but if you or any other has a spare moment, I'd like to know how to handle the various page and sales tracking. E.g. on our OpenCart site we have these active tracking extensions:
  • Bing Custom Event Tracking for sale
  • Bing Universal Event Tracking (page tracking)
  • Facebook Pixel Events Tracking for:
    Initiate checkout
    Add payment info
    Make purchase
    Lead - Contact Us form submitted
    Complete registration
  • Google Adwords Conversion Tracking
  • Share Your Purchase on Checkout Success
  • iDev Affiliates Sales Tracking
  • Trustpilot (BCC EMail for order alerts)
Some of it is general page tracking, but others involve customer data being shared with other sites.
How is it to be handled, and how much will your upcoming extension cover?
To be short: currently most of them (more see PM).


Post by IP_CAM » Sat May 19, 2018 1:54 am

Switzerland (@IP_CAM): also not true - or partly!
If you sell only in Switzerland, you can do what you want (following Swiss Regulations).
But the moment you sell outside Switzerland, you have to follow the rules ...
---
Well, we are much too expensive for foreign Buyers anyway, to enable small Shops, to export Stuff,
and those, who can, would sure not be looking for hopefully near-to-free free Mods on such :laugh:
But it's good to be a Swiss, we don't have to follow every crazy EG Decision, at least not immediately.
And some day, if it gets to be required here too, some free knowledge on this will exist! :D
This does make sense ... ;)
Ernie

Ernie's OpenCart v.1.5.6.5 LIGHT + V-Pro + OpenShop Admin v.1.75 Test Sites
http://www.bigmax.ch - http://www.opencart.li/shop/ - http://www.velomech.ch/cart/


Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by OSWorX » Sat May 19, 2018 5:15 am

IP_CAM wrote:
Sat May 19, 2018 1:54 am
But it's good to be a Swiss, we don't have to follow every crazy EG Decision, at least not immediately.
Only funny that Switzerland has then so many contracts with the EC - why this?
But you do not want to follow .. no.
Better not to talk about the History of Switzerland in relationship to other countries.


Post by thekrotek » Sat May 19, 2018 6:08 am

IP_CAM wrote:
Sat May 19, 2018 1:54 am
But it's good to be a Swiss, we don't have to follow every crazy EG Decision, at least not immediately.
I'd say, it is good to have brains, understand, how stupid GDPR law is, and never follow it. Number of conformists (slaves) following the new crazy law amuses me A LOT. Billions of people follow the direction set by a few. Sheep follows the shepherd. Nice....

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com


Active Member

Posts

Joined
Sun Jul 03, 2016 12:24 am
