Post by OSWorX » Wed May 30, 2018 6:20 am

ADD Creative wrote:
Wed May 30, 2018 5:58 am
There is lots of information on using Google's services at this link.

They do seem to meet all the standards required. However this only seems to apply to the paid for business G Suite version of Gmail. Using the free personal version of Gmail would probably not be compatible with the GDPR. There is no way to agree a processing contract for one. There is in G Suite I believe.
Correct, free services from Google are - currently - not covered by the GDPR.
Which will mean, using services like GMail, GDoc, GDrive etc. should be avoided.

Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.

User avatar
Guru Member


Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by ADD Creative » Wed May 30, 2018 6:41 am

OSWorX wrote:
Wed May 30, 2018 5:53 am
ADD Creative wrote:
Wed May 30, 2018 5:17 am
That is not true in the United Kingdom.
As written, every shopowner has to know his business and the Laws in his country by himself.
Asking here questions how long to keep records, is a bit late ..

He has also to know which specific regulations he has to look for.

Fact is, that an Invoice has to be a non-editable document and is non-revokeable - it is an official document.

All OpenCart is not and has not per default.
It is then the question how your local tax office will trust the data(tables) in OpenCart/Database - I guess not (as it was at my last company audit!) because they can be edited at any time in any way.
Yes, the laws will be completely different depending which EU country your business is based in. For example in the UK you don't even need to issue a invoice if the sale is to consumer. Which is why you need to keep all the supporting evidence of a sale.

Active Member


Sat Jan 14, 2012 1:02 am
Location - United Kingdom

Post by thomash2 » Wed May 30, 2018 6:54 am

If using Gsuite, what might be the possible text to add in the privacy policy regarding third party sharing and transfer out of EU?

I was looking at some policies from different websites. Some are extremely detailed listing all the third parties, purpose, basis, and their addresses. Others were very short, saying they share with partners without naming them, purpose basis, which are international organizations that may be located outside the EEA.

Would you also disclose your web hosting provider? As they are also one of your processors?

Edit: I read comments on this page that generally you have to name all of the processors, except when it is fair not to, but fairness is ambiguous. ... under-gdpr

It links to Working Party Transparency Guideline, although an outdated version. The newer version here: ... _id=622227
The last 6 pages have a table of what is required to disclose to the person you're collecting data from, and examples of generic scenarios.

New member


Tue Jul 30, 2013 12:44 am

Post by IP_CAM » Sun Jun 03, 2018 9:56 am

.... Now the customer wants to make use of his right to be deleted.
So the store owner can delete his account, no problem ...
But why make it so complicated ? Better allow the Customer to delete
his/her own Account Information directly, since It will not have an influence,
or delete Data, required to be kept, to apply with legal (Tax) Regulations.

I am no longer active at the Forum. Please do NOT send me Personal Mails,
they will no longer be replied to.
My Github OC Site:
3'765 + FREE OC Extensions, on the World's largest Github OC Repository Archive Site.

User avatar
Legendary Member


Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by xseon » Fri Jul 06, 2018 6:54 pm

And how do you proove that the concent has been given from the customer? Every site owner can modify himself the "concent" given, who can proove he has done that? So, you can always have all the concents you need to send what you want to send somebody, which makes the whole idea about protecting privacy and personal data absolutely wrong.

Deeper and Better Category Module
Mass Product Price Change

User avatar
New member


Thu Dec 01, 2011 3:04 pm
Location - Bulgaria

Post by ADD Creative » Fri Jul 06, 2018 8:16 pm

Some advice for recording consent below.
Section 5.1.Demonstrate consent of ... _id=623051
How should we record consent? section of ... e-consent/

An audit system for the consent database could be implemented. So if there was a legal challenge if could be proved that consent was correctly recorded at the time and not modified. Although I suppose even this could be modified if someone really wanted to.

Gaining and recording consent can get completed under the GDPR. However most cases consent is not even needed, apart for maybe marketing, "contract" and "legitimate interests" are probably the correct lawful bases for processing a customer's data.

Active Member


Sat Jan 14, 2012 1:02 am
Location - United Kingdom
Who is online

Users browsing this forum: No registered users and 7 guests