Post by IP_CAM » Sun May 20, 2018 2:51 am

Well, as I mentioned somewhere before, in Germany, Masses of Lawyers just wait,
to send 4-digit-amount Bills to those, using copyrighted images, content, or now
do not apply to latest Cookie-Reg's. It's called 'Abmahnungsgebühr', and they earn
millions every Year, so enabling the german Automakers, to then send their Checks
to the elected Party Members, in charge of such Laws. It's big Business already, and
probably one of those reasons, why 'populist power' is suddenly spreading so fast
again, everywhere ... 8) (somebody needs to stop 'em, somehow - some day ...) ::)
But I don't plan to get political, it just needs to be understud, they have no chance,
but to follow the rules, or they can get punished badly, the Dogs are waiting already
Ernie

I'm rarely active at the OC Forum lately. To reach me, contact: jti@jacob.ch
A Demoversion of my free OpenCart LIGHT v.1.5.6.5 Software Edition
can be seen in real Action here: http://www.jti.li/shop/
---
1'100+ FREE OC Extension-Repositories - from OC v.1.5.x up,
on the world's largest OC-related Github Site: https://github.com/IP-CAM
---
Image


User avatar
Legendary Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by iSenseLabs » Sun May 20, 2018 7:38 pm

We released our GDPR module on Thursday and it is doing pretty good so far :). Our clients are quite happy and besides that as far as I am concerned we have it all covered. There is a feature which we will release on Monday and will allow you to see which cookies they allow to be saved on their computers which would mean we have to upgrade the cookie pop up, so yeah, here is a link: https://www.opencart.com/index.php?rout ... n_id=34092

Premium OpenCart Extensions and Custom Development


User avatar
Active Member

Posts

Joined
Sat May 19, 2012 7:41 pm

Post by ideep13 » Mon May 21, 2018 6:55 pm

HI,

I need to know three things:

1. As a dropshipper in EU do I need some kind of GDPR agreement between me as webshop and a distributor? Because they need to be GDPR compliant as well. I won't risk my company name if they don&t give me written consent of storing data under EU law.

2. I am running the website through cloudflare. How does this concerns me? Do I need to put this under privacy policy. Where are the servers of Cloudflare located?

3. I am the owner of the webshop, therefore I am the only one who sees the information of my costumers (name, last name, country, address, phone number). Do I still need DPO?

User avatar
Active Member

Posts

Joined
Mon Jun 18, 2012 2:47 am

Post by OSWorX » Mon May 21, 2018 7:31 pm

ideep13 wrote:
Mon May 21, 2018 6:55 pm
HI,

I need to know three things:

1. As a dropshipper in EU do I need some kind of GDPR agreement between me as webshop and a distributor? Because they need to be GDPR compliant as well. I won't risk my company name if they don&t give me written consent of storing data under EU law.

2. I am running the website through cloudflare. How does this concerns me? Do I need to put this under privacy policy. Where are the servers of Cloudflare located?

3. I am the owner of the webshop, therefore I am the only one who sees the information of my costumers (name, last name, country, address, phone number). Do I still need DPO?
In general the GDPR is primary for the Rights of customers.

1.
Which means, as long as you are not giving away customer data to others, no contract is needed.
If the distributor acts on your behalf, he has to be GDPR complient - he is the processor - and therefore you need a contract.
If he do now want to give you one (while I cannot imagine why), you should stop business with them.

2. Cloudflare collect several data, you need a contract with them (they should already offer some), see https://www.cloudflare.com/security-policy/
Also if you store data in the 'Cloud', a contract is needed.

3. Not true, because your provide/hoster has also some data (e.g. IP-Address).
Beside this, the moment you are handling with data on a 'regular basis' (a Webshop does that), you have to name a DPO.

You have to display inside your Privacy (text) the DPO - and even it is you.
There you have to display also where you are storing data, which companies are processing data - and which.

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by ideep13 » Mon May 21, 2018 8:19 pm

HI there. Thank you so much for your reply.
OSWorX wrote:
Mon May 21, 2018 7:31 pm

In general the GDPR is primary for the Rights of customers.

1.
Which means, as long as you are not giving away customer data to others, no contract is needed.
If the distributor acts on your behalf, he has to be GDPR complient - he is the processor - and therefore you need a contract.
If he do now want to give you one (while I cannot imagine why), you should stop business with them.
Of course the data goes to the distributor, because they send the items directly to costumers.
OSWorX wrote:
Mon May 21, 2018 7:31 pm
2. Cloudflare collect several data, you need a contract with them (they should already offer some), see https://www.cloudflare.com/security-policy/
Also if you store data in the 'Cloud', a contract is needed.
I read this link about Cloudflare - https://www.cloudflare.com/gdpr/introduction/
But I am confused I am not DATA processor. Only data processors (third party) should have a contract with cloudflare. I am the only one who has access to my OC, cloudflare and hosting account. English is not my native language, therefore I don't understand the whole text fully.
Do I still need a contract? https://www.cloudflare.com/media/pdf/cl ... 180402.pdf
OSWorX wrote:
Mon May 21, 2018 7:31 pm
3. Not true, because your provide/hoster has also some data (e.g. IP-Address).
Beside this, the moment you are handling with data on a 'regular basis' (a Webshop does that), you have to name a DPO.

You have to display inside your Privacy (text) the DPO - and even it is you.
There you have to display also where you are storing data, which companies are processing data - and which.
Aren't IP's masked ?

I was told that for DPO I need to name the third party.

User avatar
Active Member

Posts

Joined
Mon Jun 18, 2012 2:47 am

Post by OSWorX » Mon May 21, 2018 8:48 pm

See also this here (Cloudflare is sharing data with them):
https://www.cloudflare.com/gdpr/subprocessors

IP's are masked - if the setting regarding IP is made.
But - your hoster/provider - will store them further in plain (I do still not know a way to mask IP-Addresses in the serverlog).

Important is this fact:
the moment you are handling with data on a 'regular basis'
For example:
you have a website for your company. Visitors are coming, but will leave no data (maybe except you have a Newsletter and they subscribe).
This is a case of 'rare usage'.
Means: no DPO.

But moment you have a Webshop, you are handling data on 'regular basis'.
Therefore you need a DPO.

Sorry, but that is not from me - it is how the GDPR is constructed.

And if you say english is not your mother language, then please search for GDPR documents in your language.
Here you will find the Law (the EC Original) in many languages: http://eur-lex.europa.eu/eli/reg/2016/679/2016-05-04
And maybe contact a Laywer.

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by ideep13 » Mon May 21, 2018 9:29 pm

DPO mandatory
A DPO is mandatory for example when your company/organisation is:

a hospital processing large sets of sensitive data
a security company responsible for monitoring shopping centres and public spaces
a small head-hunting company that profiles individuals
DPO not mandatory

A DPO isn’t mandatory if:

you’re a local community doctor and you process personal data of your patients
you have a small law firm and you process personal data of your clients
https://ec.europa.eu/info/law/law-topic ... cer-dpo_en

I consider myself as a small firm owning data of less than 1000 costumers in my webshop.

Can you please send me a link to a google contract? Those link you posted above, are not real contracts.

User avatar
Active Member

Posts

Joined
Mon Jun 18, 2012 2:47 am

Post by OSWorX » Mon May 21, 2018 9:54 pm

ideep13 wrote:
Mon May 21, 2018 9:29 pm
DPO mandatory
A DPO is mandatory for example when your company/organisation is:

a hospital processing large sets of sensitive data
a security company responsible for monitoring shopping centres and public spaces
a small head-hunting company that profiles individuals
DPO not mandatory

A DPO isn’t mandatory if:

you’re a local community doctor and you process personal data of your patients
you have a small law firm and you process personal data of your clients
https://ec.europa.eu/info/law/law-topic ... cer-dpo_en
Do not misunderstand such paragraphs!
You re talking about regulations for Medical Doctors and Patients.
Unless you are a Doctor with an Online Business or a Tax Consultant - you have to follow other rules.

ideep13 wrote:
Mon May 21, 2018 9:29 pm
I consider myself as a small firm owning data of less than 1000 costumers in my webshop.
Anyay, if 10, 100 or 1.000 customers - to repeat it again: the moment you have to deal with data on a 'regular basis' you need a DPO.
Regular can also mean: each week 1

ideep13 wrote:
Mon May 21, 2018 9:29 pm
Can you please send me a link to a google contract? Those link you posted above, are not real contracts.
Do not know what you mean by 'Google Contract'?
Something like this: https://static.googleusercontent.com/me ... rms/de.pdf (e.g. in german for German Companies - they have to sign this contract until 25.5.2018, after that date the can do it also Online).
Here are the terms for Google Analytics: https://www.google.de/analytics/terms/
Here for Google Tag Manager: https://www.google.de/analytics/terms/tag-manager/

Currently I do not know which Countries can sign the Contract Online (like Austria).
You have to check by yourself by simply visiting your GA or GTM account where you should see a banner (if contract can be signed online is not until today).

Other Contracts - e.g. for your Provider - are available at each (or at least should be !).

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by ideep13 » Tue May 22, 2018 6:11 pm

Does hosting provider must give us a contract? I was reading your post and you told we must have to.

After contacting our hosting provider, he can not provide the contract, (he says it's immpossible to give contracts to more than 1000 of users) and he said we must apply his privacy policy in ours.

Also I am confused. I have data stored on hosting provider in Europe, but I have a cloudflare to speed up the site.

So do I still need contract with both of them?

Regarding contract with suppliers - this is some f-- up s-- - One of our suppliers are closing down the business because of GDPR.

I only received one statement from one of the supplier that they comply with GDPR. What about others? :o :o :o :o They are giving me silent treatment on this.

User avatar
Active Member

Posts

Joined
Mon Jun 18, 2012 2:47 am

Post by OSWorX » Tue May 22, 2018 7:12 pm

ideep13 wrote:
Tue May 22, 2018 6:11 pm
Does hosting provider must give us a contract? I was reading your post and you told we must have to.

After contacting our hosting provider, he can not provide the contract, (he says it's immpossible to give contracts to more than 1000 of users) and he said we must apply his privacy policy in ours.
Very bad - they have to provide.
ideep13 wrote:
Tue May 22, 2018 6:11 pm
Also I am confused. I have data stored on hosting provider in Europe, but I have a cloudflare to speed up the site.

So do I still need contract with both of them?
Yes, because you will have data from European Customers - and this is the only important.
ideep13 wrote:
Tue May 22, 2018 6:11 pm
Regarding contract with suppliers - this is some f-- up s-- - One of our suppliers are closing down the business because of GDPR.

I only received one statement from one of the supplier that they comply with GDPR. What about others? :o :o :o :o They are giving me silent treatment on this.
No silent, only signed contracts.
Imagine some of the Privacy Department (or how this will be called) is contacting/visitng you.
Then you must be able to show them the contract(s).

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by ideep13 » Tue May 22, 2018 8:49 pm

Does anyone has a GDPR compliant data processing agreement for dropshippers to share? Can an agreement be in english, even though I have a company based in other country?

User avatar
Active Member

Posts

Joined
Mon Jun 18, 2012 2:47 am

Post by OSWorX » Tue May 22, 2018 9:20 pm

ideep13 wrote:
Tue May 22, 2018 8:49 pm
Does anyone has a GDPR compliant data processing agreement for dropshippers to share? Can an agreement be in english, even though I have a company based in other country?
Both parties should understand what's in the contract.
And it should be in a language the controller (data authority) speaks.
So, if you located e.g. in Spain and have an english Contract, I doubt that he will understand that.

The more, contracts have to be always in the language your business is located.
Because nobody wants to translate legal language wording - or do you understand each word in case there are troubles?
Otherwise you have to pay a Lawyer for translating.

That would be the same if you see/have a contract in Chinese - do you speak Chinese?

But I am sure when you look a bit around and search for, you will find a (sample) contract in your Language.

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by ideep13 » Tue May 22, 2018 9:27 pm

There is no contract available in slovenian. ???

Also, I contacted a hosting provider and they said they can not give the contract because of the shared hosting. I need to have VPS.
That means I need to migrate the site. Is there any VPS hosting that is compliant with GDPR on opencart marketplace? Does opencart provides such hosting?

User avatar
Active Member

Posts

Joined
Mon Jun 18, 2012 2:47 am

Post by OSWorX » Wed May 23, 2018 10:20 am

If a provider is telling you such nonsens, you should move quickly, because they do not understand the principles of Data Protection and so on!

Below a summary of many German vendors.
Not all are offering until today a contract, but see yourself:
https://www.audatis.de/ratgeber/busines ... ebhosting/
About provider in other countries please use the search - or maybe other users here know some.

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by Chris_UK » Wed May 23, 2018 11:15 pm

If this is a matter of which cookies are permitted to be set then it comes down to the developer knowing which cookies are to be blocked, forget acceptance for the time being. The reason it would be this way is that 3rd party cookies would have to be deleted because they are already created. Until 3rd parties start requiring acceptance before setting then we are immediately on the back foot.

So they build an API to allow us to check acceptance, the reason they need to do it, their cookie acceptance could come from another site or their own (and often will do) but you need to be able to check acceptance, set acceptance, set denial too because that would have to be updated with them not just you.

Now at this point check or set you are going to store locally too because you need to stpre their preference on your own system, otherwise you are doing an api call on every page load/cookie check.

So we have a denial (in an ideal world only our php cookies would be set at this point but we know its not an ideal world and other cookies have been set) we need to delete all "extra cookies" this means we need to know the name of all cookies set and then delete all that dont match a list of our system required cookies and delete them. The problem with this is this would have to occur on every single page load too. the names change so we have to get a list every time, check it every time and delete the denied cookies... every time.

So much for a simple system hey. Anyway, it can be done but its not a simple process.

It is likely that the responsible analytics companies are going to do something to change it where by they require you to check before they set, this would be the best way all around, but still requires some work and still requires at least a periodic API check to their system even if your own acceptance status never changes.

New member

Posts

Joined
Wed Jan 20, 2016 4:39 am

Post by davidbfranks » Thu May 24, 2018 5:39 am

Chris_UK wrote:
Wed May 23, 2018 11:15 pm
So we have a denial (in an ideal world only our php cookies would be set at this point but we know its not an ideal world and other cookies have been set) we need to delete all "extra cookies" this means we need to know the name of all cookies set and then delete all that dont match a list of our system required cookies and delete them. The problem with this is this would have to occur on every single page load too. the names change so we have to get a list every time, check it every time and delete the denied cookies... every time.

So much for a simple system hey. Anyway, it can be done but its not a simple process.

It is likely that the responsible analytics companies are going to do something to change it where by they require you to check before they set, this would be the best way all around, but still requires some work and still requires at least a periodic API check to their system even if your own acceptance status never changes.
By the way iSenseLabs have already built what you just described, I have it installed and working - https://isenselabs.com/products/view/gd ... r-opencart

Active Member

Posts

Joined
Mon Mar 04, 2013 10:31 pm
Location - London

Post by OSWorX » Thu May 24, 2018 6:20 am

Chris_UK wrote:
Wed May 23, 2018 11:15 pm
If this is a matter of which cookies are permitted to be set then it comes down to the developer knowing which cookies are to be blocked, forget acceptance for the time being.
With the current architecture of OpenCart, Cookies can be blocked - without knowing which have to be blocked.
That can be done, and is what I am doing.
Chris_UK wrote:
Wed May 23, 2018 11:15 pm
The reason it would be this way is that 3rd party cookies would have to be deleted because they are already created. Until 3rd parties start requiring acceptance before setting then we are immediately on the back foot.
Setting Cookeis without any Visitor acceptence will lead to troubles for the Webshop owner.
Chris_UK wrote:
Wed May 23, 2018 11:15 pm
So they build an API to allow us to check acceptance, the reason they need to do it, their cookie acceptance could come from another site or their own (and often will do) but you need to be able to check acceptance, set acceptance, set denial too because that would have to be updated with them not just you.

Now at this point check or set you are going to store locally too because you need to stpre their preference on your own system, otherwise you are doing an api call on every page load/cookie check.

So we have a denial (in an ideal world only our php cookies would be set at this point but we know its not an ideal world and other cookies have been set) we need to delete all "extra cookies" this means we need to know the name of all cookies set and then delete all that dont match a list of our system required cookies and delete them. The problem with this is this would have to occur on every single page load too. the names change so we have to get a list every time, check it every time and delete the denied cookies... every time.

So much for a simple system hey. Anyway, it can be done but its not a simple process.

It is likely that the responsible analytics companies are going to do something to change it where by they require you to check before they set, this would be the best way all around, but still requires some work and still requires at least a periodic API check to their system even if your own acceptance status never changes.
Whatever those companies may do, the Responsibilty for proper setting cookies is at your site.
You will recieve the Fine.
It should be in their interest to follow guide lines and regulations - but money does not smell!

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by ADD Creative » Thu May 24, 2018 9:02 pm

Also, don't forget if you are using consent as the basis for using a cookie (or browser storage) that stores of links to personal data that is covered by the GDPR, then you need to record when and how consent was given and what the user was told at the time.

www.add-creative.co.uk


Active Member

Posts

Joined
Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by florinsith » Fri May 25, 2018 1:15 am

But should you go with consent for this? If you do, then you must have a really annoying consent popup or something, and even then, who's going to turn things on? (you would need multiple checkboxes if you use more than 1 3rd party service).
Can't they be considered legitimate interest?

Image
My Extensions - SuperTheme - Opencart templates - Opencart modules


User avatar
Expert Member

Posts

Joined
Fri May 14, 2010 2:36 am


Post by OSWorX » Fri May 25, 2018 2:03 am

ADD Creative wrote:
Thu May 24, 2018 9:02 pm
Also, don't forget if you are using consent as the basis for using a cookie (or browser storage) that stores of links to personal data that is covered by the GDPR, then you need to record when and how consent was given and what the user was told at the time.
Sorry, but this is not correct.
The moment a visitor of a Website clicks inside the Cookiebanner (or other solution) and accept herewith that storage of Cookies (and I and Lawyers don not speack of 'storage' - an open issue inside these Regulation on which we can see the technical background of these Burokrats [or was it Lobying of the big(ger) Companies), you do not need any other stored information (e.g. in the database).
While this is not explicite stated in the GDPR, it is also required to store.

This is the conclusion of many studied IT Lawyers at the moment.
But, as the GDPR currently is published - and valid, we will see many Court Decisions the next months/years.

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria
Who is online

Users browsing this forum: No registered users and 11 guests