
Re: OpenCart GDPR Code update

Posted: Wed May 30, 2018 6:20 am
by OSWorX
ADD Creative wrote:
Wed May 30, 2018 5:58 am
There is lots of information on using Google's services at this link. https://cloud.google.com/security/gdpr/

They do seem to meet all the standards required. However this only seems to apply to the paid for business G Suite version of Gmail. Using the free personal version of Gmail would probably not be compatible with the GDPR. There is no way to agree a processing contract for one. There is in G Suite I believe.
Correct, free services from Google are - currently - not covered by the GDPR.
This means that using services like GMail, GDoc, GDrive, etc. should be avoided.

Re: OpenCart GDPR Code update

Posted: Wed May 30, 2018 6:41 am
by ADD Creative
OSWorX wrote:
Wed May 30, 2018 5:53 am
ADD Creative wrote:
Wed May 30, 2018 5:17 am
That is not true in the United Kingdom.
As written, every shop owner has to know his business and the laws in his country himself.
Asking questions here about how long to keep records is a bit late ..

He also has to know which specific regulations he has to look for.

The fact is that an invoice has to be a non-editable document and is non-revocable - it is an official document.

OpenCart does not provide any of this by default.
It is then a question of whether your local tax office will trust the data (tables) in the OpenCart database - I guess not (as it was at my last company audit!) because they can be edited at any time in any way.
Yes, the laws will be completely different depending on which EU country your business is based in. For example, in the UK you don't even need to issue an invoice if the sale is to a consumer, which is why you need to keep all the supporting evidence of a sale.

Re: OpenCart GDPR Code update

Posted: Wed May 30, 2018 6:54 am
by thomash2
If using Gsuite, what might be the possible text to add in the privacy policy regarding third party sharing and transfer out of EU?

I was looking at some policies from different websites. Some are extremely detailed, listing all the third parties, the purpose, the basis, and their addresses. Others were very short, saying they share with partners without naming them or the purpose and basis, and that these are international organizations that may be located outside the EEA.

Would you also disclose your web hosting provider, as they are also one of your processors?

Edit: I read comments on this page saying that generally you have to name all of the processors, except when it is fair not to, but fairness is ambiguous.
https://seqlegal.com/questions/privacy- ... under-gdpr

It links to the Working Party Transparency Guideline, although an outdated version. The newer version is here:
http://ec.europa.eu/newsroom/article29/ ... _id=622227
The last 6 pages have a table of what is required to be disclosed to the person you're collecting data from, and examples of generic scenarios.

Re: OpenCart GDPR Code update

Posted: Sun Jun 03, 2018 9:56 am
by IP_CAM
.... Now the customer wants to make use of his right to be deleted.
So the store owner can delete his account, no problem ...
But why make it so complicated? Better to allow the customer to delete
his/her own account information directly, since it will not have an influence on,
or delete, data required to be kept to comply with legal (tax) regulations.
Ernie

Re: OpenCart GDPR Code update

Posted: Fri Jul 06, 2018 6:54 pm
by xseon
And how do you prove that the consent has been given by the customer? Every site owner can modify the "consent" given himself; who can prove he has done that? So you can always have all the consents you need to send what you want to send somebody, which makes the whole idea of protecting privacy and personal data absolutely wrong.

Re: OpenCart GDPR Code update

Posted: Fri Jul 06, 2018 8:16 pm
by ADD Creative
Some advice for recording consent below.
Section "5.1 Demonstrate consent" of http://ec.europa.eu/newsroom/article29/ ... _id=623051
Section "How should we record consent?" of https://ico.org.uk/for-organisations/gu ... e-consent/

An audit system for the consent database could be implemented. So if there was a legal challenge, it could be proved that consent was correctly recorded at the time and not modified. Although I suppose even this could be modified if someone really wanted to.

Gaining and recording consent can get complicated under the GDPR. However, in most cases consent is not even needed; apart from maybe marketing, "contract" and "legitimate interests" are probably the correct lawful bases for processing a customer's data.
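A minimal version of the consent audit system discussed above, added here as an illustration and not code from OpenCart or from anyone in this thread: each consent record is hashed together with the hash of the record before it, so a later edit of any earlier record breaks the chain and can be detected. It is written in Python rather than OpenCart's PHP for brevity, and the record fields, customer ids and timestamps are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # stands in for the "previous hash" of the very first entry


def canonical(record: dict) -> bytes:
    """Serialise a consent record deterministically so it always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of one entry, bound to the entry that precedes it."""
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


@dataclass
class ConsentLog:
    # Each entry: {"prev": <hash of previous entry>, "record": <consent data>, "hash": <own hash>}
    entries: list = field(default_factory=list)

    def append(self, customer_id: str, purpose: str, granted: bool, recorded_at: str, source: str) -> str:
        """Append one consent decision and return its hash (the new head of the chain)."""
        record = {"customer_id": customer_id, "purpose": purpose, "granted": granted,
                  "recorded_at": recorded_at, "source": source}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})
        return self.entries[-1]["hash"]

    def verify(self) -> int:
        """Return -1 if every entry still matches the chain, else the index of the first bad entry."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
                return i
            prev = entry["hash"]
        return -1


def demo() -> tuple:
    """Constructed sample: a grant, a later withdrawal, then an after-the-fact edit of the withdrawal."""
    log = ConsentLog()
    log.append("cust-1001", "marketing_email", True, "2018-05-25T10:12:00Z", "checkout_checkbox")
    log.append("cust-1001", "marketing_email", False, "2018-06-02T08:30:00Z", "account_page")
    before = log.verify()                       # -1: chain intact
    log.entries[1]["record"]["granted"] = True  # withdrawal silently turned back into a grant
    after = log.verify()                        # 1: entry 1 no longer matches its stored hash
    return before, after
```

verify() catches edits and deletions inside the chain but not removal of the newest entries; storing the latest head hash somewhere the shop owner cannot rewrite, for example alongside each off-site backup, closes that gap and addresses the "could still be modified" caveat above.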