Post by OSWorX » Fri May 25, 2018 2:08 am

florinsith wrote:
Fri May 25, 2018 1:15 am
But should you go with consent for this?
Yes.
florinsith wrote:
Fri May 25, 2018 1:15 am
If you do, then you must have a really annoying consent popup or something, and even then, who's going to turn things on? (you would need multiple checkboxes if you use more than 1 3rd party service).
No.
Because you can offer an option for a group - as the GDPR is defining:

1. System
2. Marketing (and Advertising)
3. Social

Therefore the visitor can choose between 2 and 3, because 1 is 'required' for proper website operation.
People with some further knowledge will know that also cookies from group #1 are not required when a new visitor comes to your website.
This is only for 2. and 3. to target their interests.

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.



Post by ideep13 » Fri May 25, 2018 3:07 pm

I was told this is the only cookie bar, Civic Cookie, that is compliant with GDPR.

I don't understand how to install this: nothing is showing up on my site. I put it in header.tpl.

<script src="cookieControl.min.js" type="text/javascript"></script>
<script type="text/javascript">//<![CDATA[

cookieControl({
apiKey: '93a4b2dfe0c2d0b8c2b91ccb25f23c879f14c204',
product: CookieControl.PROD_PAID,
consentModel: CookieControl.MODEL_INFO
});

//]]></script>


Post by ADD Creative » Fri May 25, 2018 6:07 pm

OSWorX wrote:
Fri May 25, 2018 2:03 am
ADD Creative wrote:
Thu May 24, 2018 9:02 pm
Also, don't forget if you are using consent as the basis for using a cookie (or browser storage) that stores or links to personal data that is covered by the GDPR, then you need to record when and how consent was given and what the user was told at the time.
Sorry, but this is not correct.
The moment a visitor of a website clicks inside the cookie banner (or other solution) and accepts herewith the storage of cookies (and I and lawyers do not speak of 'storage' - an open issue inside this Regulation on which we can see the technical background of these bureaucrats [or was it lobbying of the big(ger) companies]), you do not need any other stored information (e.g. in the database).
While this is not explicitly stated in the GDPR, it is also required to store.

This is the conclusion of many studied IT Lawyers at the moment.
But, as the GDPR currently is published - and valid, we will see many Court Decisions the next months/years.
Sorry I don't understand which bit you are saying is wrong.

www.add-creative.co.uk



Post by artgarcia » Sun May 27, 2018 1:04 am

willows wrote:
Wed Feb 28, 2018 5:55 pm


BTW we are looking for translations into other languages in exchange for the addon for free.
I can help with Spanish; it's my native language.


Post by OSWorX » Sun May 27, 2018 7:52 am

ADD Creative wrote:
Fri May 25, 2018 6:07 pm
OSWorX wrote:
Fri May 25, 2018 2:03 am
ADD Creative wrote:
Thu May 24, 2018 9:02 pm
Also, don't forget if you are using consent as the basis for using a cookie (or browser storage) that stores or links to personal data that is covered by the GDPR, then you need to record when and how consent was given and what the user was told at the time.
Sorry, but this is not correct.
The moment a visitor of a website clicks inside the cookie banner (or other solution) and accepts herewith the storage of cookies (and I and lawyers do not speak of 'storage' - an open issue inside this Regulation on which we can see the technical background of these bureaucrats [or was it lobbying of the big(ger) companies]), you do not need any other stored information (e.g. in the database).
While this is not explicitly stated in the GDPR, it is also required to store.

This is the conclusion of many studied IT Lawyers at the moment.
But, as the GDPR currently is published - and valid, we will see many Court Decisions the next months/years.
Sorry I don't understand which bit you are saying is wrong.
Recording when and how consent is given when a cookie is used (or as the result of the consent).
That would be the same (stupid discussion as can be found at many places) as when someone uses the contact form.
A lot of people mentioned to store also this as a decision (as a result of ??which?? consent).

But when I am wrong, please show me the Article in the GDPR (or any other regulation).


Post by Burt65 » Sun May 27, 2018 3:41 pm

I had the feeling that this GDPR new rule was coming down a bit too strong and this morning I got the confirmation...
Since on day one this has already happened,

https://www.theverge.com/2018/5/25/1739 ... ems-europe

there are websites now where if your IP is from the EU, this is what you get instead of the actual page:
"We're sorry. This site is temporarily unavailable. We recognise you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore cannot grant you access at this time."
I sincerely hope that this trend doesn't continue, otherwise we may end up with two Internet versions as well...

Over 95% of all computer problems can be traced back to the interface between the keyboard and the chair...



Post by OSWorX » Sun May 27, 2018 6:43 pm

Burt65 wrote:
Sun May 27, 2018 3:41 pm
I had the feeling that this GDPR new rule was coming down a bit too strong and this morning I got the confirmation...
Since on day one this has already happened,

https://www.theverge.com/2018/5/25/1739 ... ems-europe

there are websites now where if your IP is from the EU, this is what you get instead of the actual page:
"We're sorry. This site is temporarily unavailable. We recognise you are attempting to access this website from a country belonging to the European Economic Area (EEA) including the EU which enforces the General Data Protection Regulation (GDPR) and therefore cannot grant you access at this time."
I sincerely hope that this trend doesn't continue, otherwise we may end up with two Internet versions as well...
Well, I would say that many did not and do not understand what privacy and personal data mean:
This is mine, not yours.


Post by ADD Creative » Mon May 28, 2018 5:03 am

OSWorX wrote:
Sun May 27, 2018 7:52 am
Recording when and how consent is given when a cookie is used (or as the result of the consent).
That would be the same (stupid discussion as can be found at many places) as when someone uses the contact form.
A lot of people mentioned to store also this as a decision (as a result of ??which?? consent).

But when I am wrong, please show me the Article in the GDPR (or any other regulation).
My first thoughts were similar. However, it was one of your posts that made me think otherwise. viewtopic.php?f=10&t=201183&start=20#p723686

The first link in your post is to the Google EU user consent policy, which states:
You must obtain end users’ legally valid consent to:
  • the use of cookies or other local storage where legally required; and
  • the collection, sharing, and use of personal data for personalization of ads.
When seeking consent you must:
  • retain records of consent given by end users; and
  • provide end users with clear instructions for revocation of consent.
Looking into this more I found that Article 7 of the GDPR states:
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
From the Article 29 Working Party Guidelines on Consent.
Section 5.1. Demonstrate consent
http://ec.europa.eu/newsroom/article29/ ... _id=623051
For example, in an online context, a controller could retain information on the session in which consent was expressed, together with documentation of the consent workflow at the time of the session, and a copy of the information that was presented to the data subject at that time. It would not be sufficient to merely refer to a correct configuration of the respective website.
I interpret all that to mean that if a cookie is not essential to providing a service and contains personal data or contains an ID that can be linked to personal data (I'm thinking of third-party tracking cookies, etc.), you must ask for consent before allowing that cookie to be set and make a record of that consent.

I would be genuinely interested to hear your interpretation of the above and how it applies to cookies. Maybe I have it all wrong. As you say, there is so much poor information out there.

I agree that you wouldn't need consent for a contact form, as they are asking you to do something. So performance of a contract would be the lawful basis for processing a contact form.


Post by ideep13 » Thu Jun 14, 2018 8:57 pm

I just want to let you know that only two of our suppliers signed a data processor agreement.

Nobody else wants to sign it. I informed our information commissioner and she insists they must sign an agreement according to Article 28.
All suppliers are in EU.

How to get them to sign the contract?


Post by OSWorX » Fri Jun 15, 2018 2:47 am

ideep13 wrote:
Thu Jun 14, 2018 8:57 pm
I just want to let you know that only two of our suppliers signed a data processor agreement.

Nobody else wants to sign it. I informed our information commissioner and she insists they must sign an agreement according to Article 28.
All suppliers are in EU.

How to get them to sign the contract?
Well, if they do not want to sign the contract, I recommend using another supplier (if possible).
On the other hand, if you really need them, I would ask a lawyer - sorry, but I cannot give you better advice at the moment because there are no court decisions made on such cases.

Article 28 clearly defines who is what and who has to sign.

Another way could be that you contact your national data / privacy organisation (every country has one) and ask them what possibilities you have (if you really want and are in the need to work further with them).

I find it doubtful that these companies are not willing to sign; it looks like they have something to hide .. so are you sure you want to work with them in future?
I would publish the names of such companies to put them under more pressure - if they lose customers, it would make me wonder if they react further this way.


Post by OSWorX » Fri Jun 15, 2018 3:14 am

ADD Creative wrote:
Mon May 28, 2018 5:03 am
I interpret all that to mean that if a cookie is not-essential to providing a service and contains personal data or contains an ID that can be linked to personal data (I'm think of third party tracking cookies, etc.). You must ask for consent before allowing that cookie to be set and make a record of that consent.
Basically we have currently 29 different scenarios ..
The EU (with 28, next year 27) and the rest of the world (1, then 2).
Which leads finally to 25 possible solutions.

These figures may confuse, but the reality is that we (the EC) have one (1) rule for all (the GDPR), and the rest of the world another.

But now comes into play the ePrivacy regulation, which will be newly defined next year (or not later than 2020).
In the meantime, although this new ePrivacy regulation will give all EC countries clear advice, many of the current 28 countries have their own national regulations.
Some stronger (like Germany and Great Britain), many less.

And this is exactly the point: as long as the new ePrivacy regulation does not come into effect, I would recommend finding the smallest common ground.
To fulfil the strongest regulation, but also make weak regulations happy.
And to offer all customers (site visitors) a unified and consistent feeling of how the site handles cookies.

Means also for the website owner / operator that he should
1. ask for consent > not only to display a useless button 'I agree'
2. store the consent
3. ask for consent for all cookies not being from group one (1): system relevant
4. act on that decision and use only those cookies the visitor has agreed to receive

Technically there is not one reason why a website has to place any cookie on the first visit!
E.g. OpenCart stores (whether the visitor wants that or not) 4 cookies immediately!
But what for?
These cookies can also be stored after the consent.
And even if consent for these cookies is not given, the store itself (except some rare basket functions) would work (sometimes a bit heavy, but it will).

Finally it is the visitor's choice not to accept any cookie - or only a few.
Not that of the website (or the person / developer behind it).
So why are we infantilizing our customers that way?

To answer your question with one line:
Yes, each and every cookie which has to do with personalized data or may lead to a physical person may only be set after given consent (which has to be stored).
The earlier we accept this as fact, the earlier we can fulfil the new ePrivacy, which will handle it exactly that way.

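The four steps in the post above (ask, store the consent, ask per cookie group, act on the decision) and the record-keeping point from Article 7 / the WP29 guidance quoted earlier in the thread can be put together in a few dozen lines. The following is an added example and is not code from this thread, from OpenCart or from Civic Cookie Control: the cookie names per group, the notice version, the session id and the "jar" (a plain object standing in for document.cookie so it runs in Node) are constructed for illustration.

```javascript
// Added example: a minimal consent manager for the three cookie groups discussed
// in the thread. Nothing is written before a consent record exists, and afterwards
// only the agreed groups are written. All names below are constructed.

const COOKIE_GROUPS = {
  system: ["OCSESSID", "currency", "language"], // group 1: needed to operate the store
  marketing: ["_ga", "_gid", "ads_uid"],        // group 2: marketing and advertising
  social: ["fb_visitor", "tw_share"],           // group 3: social plugins
};

function groupOf(cookieName) {
  for (const [group, names] of Object.entries(COOKIE_GROUPS)) {
    if (names.includes(cookieName)) return group;
  }
  return null; // unclassified cookie: never allowed, so new cookies must be triaged first
}

// Steps 1 and 2: turn the visitor's choice into the record the controller keeps to
// demonstrate consent: the session, the time, which notice text was shown and the
// exact choices. Group 1 is recorded as true because it is required for operation.
function recordConsent(choices, noticeVersion, sessionId, now = new Date()) {
  return {
    sessionId,
    timestamp: now.toISOString(),
    noticeVersion, // identifies the copy of the information presented at the time
    choices: {
      system: true,
      marketing: choices.marketing === true,
      social: choices.social === true,
    },
  };
}

// Steps 3 and 4: a cookie is written only when a consent record exists and the
// cookie's group was agreed to. With no record yet (first visit) nothing is set.
function setCookieIfAllowed(jar, consent, name, value) {
  const group = groupOf(name);
  const allowed = group !== null && consent !== null && consent.choices[group] === true;
  if (allowed) jar[name] = value;
  return allowed;
}

// Revocation: produce a fresh record with the non-required groups switched off and
// drop the cookies of those groups from the jar.
function revokeConsent(jar, consent, noticeVersion, now = new Date()) {
  const updated = recordConsent({ marketing: false, social: false }, noticeVersion, consent.sessionId, now);
  for (const name of Object.keys(jar)) {
    if (groupOf(name) !== "system") delete jar[name];
  }
  return updated;
}

// Constructed walk-through: first visit, then consent to system + social only.
const jar = {};
setCookieIfAllowed(jar, null, "OCSESSID", "sess-abc");      // false: no consent yet
const consent = recordConsent({ marketing: false, social: true }, "cookie-notice-v1", "sess-abc");
setCookieIfAllowed(jar, consent, "OCSESSID", "sess-abc");   // true: group 1
setCookieIfAllowed(jar, consent, "_ga", "GA1.2.1");         // false: marketing declined
setCookieIfAllowed(jar, consent, "fb_visitor", "v-1");      // true: social agreed
console.log(JSON.stringify({ consent, cookies: Object.keys(jar) }));
```

The consent record is what a server would persist alongside the session; the cookie gate is what the front end would call in place of writing document.cookie directly. An unclassified cookie is refused rather than allowed, so adding a new third-party script forces a decision about which group it belongs to.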

Post by ideep13 » Mon Jun 18, 2018 8:49 pm

OSWorX wrote:
Fri Jun 15, 2018 2:47 am

Well, if they do not want to sign the contract, I recommend using another supplier (if possible).
On the other hand, if you really need them, I would ask a lawyer - sorry, but I cannot give you better advice at the moment because there are no court decisions made on such cases.

Article 28 clearly defines who is what and who has to sign.

Another way could be that you contact your national data / privacy organisation (every country has one) and ask them what possibilities you have (if you really want and are in the need to work further with them).

I find it doubtful that these companies are not willing to sign; it looks like they have something to hide .. so are you sure you want to work with them in future?
I would publish the names of such companies to put them under more pressure - if they lose customers, it would make me wonder if they react further this way.
They are the only supplier on the European market. Today they closed our account, because they didn't want to sign. On Friday I already contacted the information commissioner. This is a big loss to my firm. I already reported them to the manufacturer, and they don't want to hear about it.

The supplier told us this:
From our point of view with over 1,000 customers we cannot make ad hoc agreements with each or incur the cost of legal checks on each one (though you are the only customer to request this to date) in order to ensure there is nothing untoward mentioned or that is outside of our normal routine. However, we do have our own policy which we adhere to and clearly outlines our operations and we are happy to print this off and provide it to you in the format of a contract. Therefore, if there is something in our policy which does not suit you then I suggest you advise what that is and then we can look into that practise and see if we can accommodate updating it and then providing you with a copy in a more formal way.
They just don't understand at all that they are in violation.


Post by ADD Creative » Mon Jun 18, 2018 10:50 pm

You may not need a data processing agreement with them if they are acting as a data controller in their own right, i.e. if they determine the data required and what to do with it. For example, they ask for a name and address to deliver goods to, in order to fulfil a contract for you.

What is your relationship with them? Who determines what data they need to process? You should work this out and get advice, maybe from your Data Protection Authority. http://ec.europa.eu/justice/article-29/ ... dex_en.htm


Post by ideep13 » Tue Jun 19, 2018 1:20 pm

What is my relationship with them? We are a company who works mostly based on dropshipping services. They are the supplier. They receive the data of our customers, they create invoices to us including their name and where they shipped the item.. they also ship the item..

We were told by our commissioner that we need data processor agreement.


Post by ideep13 » Tue Jun 19, 2018 1:22 pm

ADD Creative wrote:
Mon Jun 18, 2018 10:50 pm
You may not need a data processing agreement with them if they are acting as a data controller in their own right, i.e. if they determine the data required and what to do with it. For example, they ask for a name and address to deliver goods to, in order to fulfil a contract for you.
But they offer dropship services.. if that is so, we as a controller need to make a contract with them.


Post by ADD Creative » Wed Jun 20, 2018 12:47 am

I was advised differently by the ICO in the UK. Their advice was that as the supplier was processing it for the purposes of arranging the delivery, they would be acting as a joint data controller and therefore no contract would be needed. I would assume this is because they have their own legal basis for processing the name and address: how to send the goods and the need to keep all records of the contract for VAT record keeping laws.

What we can conclude is that nobody really knows at the moment.

For example delivery companies.
Royal Mail state that they are a data controller. See: https://www.royalmail.com/gdpr/
Whereas DPD (UK) state they are a data processor. See: http://www.dpd.co.uk/terms-and-conditions.jsp#19


Post by ideep13 » Mon Jun 25, 2018 11:21 pm

I made a complaint to our ICO in Slovenia. When I hear anything I will post it, but a dropshipper processes data differently than carriers.. he still processes data of our clients and stores the data.. it's logical to me.


Post by Chris_UK » Wed Aug 28, 2019 7:04 pm

This might be useful to you.

https://www.dporganizer.com/gdpr-data-c ... processor/

This is how I see this in action.
A user is the primary data controller and has ultimate control over any and all data supplied to you (except where the law requires you hold certain data - accounting for instance).

A store owner is a data controller that can only process the data as permitted by the user, which is stated in and determined by your acceptance of terms and conditions.

A courier in this case is a data processor.
It's your responsibility to ensure the courier processes any data that you supply to them in accordance with the usage your user has authorised/agreed to.

In the end it's actually very easy to do.
While you are unable to dictate that a third party processes data in a certain way, you can ensure that any processing they do need to undertake has been covered by your own GDPR statement. You also need to ensure that acceptance of your terms and conditions includes acceptance of your GDPR statement.

In the event of a GDPR request coming in from the user, as a controller it's your responsibility to ensure that all processors comply with the request, so you pass on the GDPR request to each third party. How you handle a GDPR request is determined by the type of data: you can remove the data entirely if the data is not critical to your business. However, in a case where you must keep certain data, for instance sales transactions, you can anonymise the data, so you remove only the data that identifies a user. These would be the user's account and things on the sale record like name, email, address, IP address.


Post by ADD Creative » Mon Sep 02, 2019 8:56 pm

I see what you are trying to say regarding a user, but 'primary data controller' is not the correct term and might get confused with an actual data controller. The GDPR uses the term 'data subject'.

You will find some official information that states couriers should really be joint data controllers and not data processors. I contacted the ICO and they did state a delivery company would be a joint data controller. Here is the Royal Mail's information on the subject. https://www.royalmail.com/gdpr

However, you will find some couriers will insist that they are data processors. If so, you must make sure you have a signed data processing agreement in place with them. Or that all the relevant clauses are in your current contract. More at. https://ico.org.uk/for-organisations/gu ... contracts/

A data subject does not need to agree to anything for you to process their data. You can (and probably should for anything except marketing and tracking) use 'contract', 'legal obligation' and/or 'legitimate interests' as your lawful basis. The term 'privacy notice' now seems to be preferred over 'privacy policy' to make this clear.

To imply that a customer consents to their data being used for you to process their order is likely to be wrong. If you do a web search you will find articles on this like this one. https://privacylawblog.fieldfisher.com/ ... acy-policy

If you are keeping sales transactions due to a legal requirement, such as VAT record keeping (https://www.gov.uk/vat-record-keeping/vat-records), I don't think you should anonymise the data until after the minimum record keeping time. HMRC for example will likely want to see all the details of who you are selling to, especially if you zero-rate VAT on any sales.

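The two posts above describe one approach from both sides: strip only the fields that identify the customer from a sale record and keep the transaction itself, but do not do so before the minimum record keeping period has passed. The following is an added example and is not code from this thread or from OpenCart: the field names loosely follow the columns of an OpenCart order, but the records, the customer id and the 6-year retention period are constructed here, and the real period comes from the applicable tax law.

```javascript
// Added example: handle an erasure request against sale records by anonymising the
// identifying fields only, and only once the retention period for that record has
// elapsed. Records, ids and the retention period are constructed for the example.

const IDENTIFYING_FIELDS = [
  "customer_id", "firstname", "lastname", "email", "telephone",
  "payment_address", "shipping_address", "ip",
];
// Everything else on the record (order_id, date_added, total, tax, products) is the
// transaction itself and is left untouched.

// Date from which the record may be anonymised: date_added plus the retention period.
function eligibleFrom(order, retentionYears) {
  const d = new Date(order.date_added);
  d.setUTCFullYear(d.getUTCFullYear() + retentionYears);
  return d;
}

// Return a new record with the identifying fields blanked; the input is not mutated.
function anonymiseOrder(order, now = new Date()) {
  const out = {};
  for (const [key, value] of Object.entries(order)) {
    if (IDENTIFYING_FIELDS.includes(key)) {
      out[key] = key === "customer_id" ? 0 : "[anonymised]";
    } else {
      out[key] = value;
    }
  }
  out.anonymised_at = now.toISOString();
  return out;
}

// Process one customer's erasure request: anonymise what may be anonymised now and
// report which records must be kept and until when, so the answer to the data subject
// can state both. Other customers' records pass through unchanged.
function handleErasureRequest(orders, customerId, retentionYears, now = new Date()) {
  const result = { orders: [], anonymised: [], retainedUntil: {} };
  for (const order of orders) {
    if (order.customer_id !== customerId) {
      result.orders.push(order);
      continue;
    }
    const from = eligibleFrom(order, retentionYears);
    if (from <= now) {
      result.orders.push(anonymiseOrder(order, now));
      result.anonymised.push(order.order_id);
    } else {
      result.orders.push(order);
      result.retainedUntil[order.order_id] = from.toISOString();
    }
  }
  return result;
}

// Constructed sample records (addresses and IPs are documentation/test values).
const SAMPLE_ORDERS = [
  { order_id: 1001, customer_id: 42, firstname: "Ada", lastname: "Example", email: "ada@example.test",
    telephone: "+44 0000 000000", payment_address: "1 Test St", shipping_address: "1 Test St",
    ip: "203.0.113.7", date_added: "2012-03-01T10:00:00Z", total: 59.99, tax: 10.0,
    products: [{ product_id: 7, quantity: 1 }] },
  { order_id: 1002, customer_id: 42, firstname: "Ada", lastname: "Example", email: "ada@example.test",
    telephone: "+44 0000 000000", payment_address: "1 Test St", shipping_address: "1 Test St",
    ip: "203.0.113.7", date_added: "2018-01-15T09:30:00Z", total: 12.5, tax: 2.08,
    products: [{ product_id: 9, quantity: 2 }] },
  { order_id: 1003, customer_id: 43, firstname: "Bob", lastname: "Sample", email: "bob@example.test",
    telephone: "+44 0000 000001", payment_address: "2 Test St", shipping_address: "2 Test St",
    ip: "203.0.113.8", date_added: "2019-05-05T12:00:00Z", total: 30.0, tax: 5.0,
    products: [{ product_id: 7, quantity: 1 }] },
];

// Request from customer 42 on 2 Sep 2019 with a constructed 6-year retention period.
const report = handleErasureRequest(SAMPLE_ORDERS, 42, 6, new Date("2019-09-02T00:00:00Z"));
console.log(JSON.stringify(report, null, 2));
```

The same function would be run again when the retention date of a deferred record arrives, which is why the report carries the date rather than just a yes/no. Keeping the anonymised records means totals and tax still reconcile for the accounting period while the name, contact details and IP are gone.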