See all the questions concerning the General Data Protection Regulation in the European Union and our answers which will enable you to comply with this regulation.

 

What is GDPR?

On 25 May 2018, the General Data Protection Regulation (GDPR) came into force. The GDPR provides a legal framework for the processing of personal data within the European Union.

The introduction of this European regulation aims to harmonize the rules in the European Union, but also to respond to changes in technology and in our societies. By reinforcing the rights of the data subjects, the GDPR aspires to enable them to keep control of their data.

Compliance with the regulation by professionals, in addition to enhancing the value of your data management, is a considerable asset to increasing data subjects’ confidence.

We have written a GDPR white paper detailing the content of this regulation and the reasons for its entry into force. Learn more, download it!

 

When does the GDPR apply?

The GDPR is intended to apply to any processing of personal data, whether automated or not.

Any collection, consultation, storage, alteration, retrieval, consultation, use, disclosure, destruction, etc. is considered as processing.

Personal data is any information relating to a natural person who is directly or indirectly identified or identifiable, in particular by reference to an identifier, such as a name, an identification number, an IP address, location data, an online identifier, etc.

 

Who is concerned?

Two types of persons are likely to process personal data within the meaning of the GDPR: the data controller and its possible processors.

The controller is the natural or legal person, public authority, department, or other body that, alone or jointly with others, determines the purposes and means of the processing.

The processor, on the other hand, processes personal data on behalf of the controller and as such does not determine either the purposes or the essential means of the processing. The qualification makes it possible to determine the applicable liability regime.

From a territorial point of view, the regulation concerns not only any European company but also any company located outside this territory but processing the personal data of European citizens.

 

What does this mean for end clients?

The GDPR provides every individual with rights regarding the processing of their personal data.

First of all, the data subject must be informed about the processing of personal data. Irrespective of the purpose or legal basis of the processing, the data subject has the following rights:

• Right of access to his data;
• Right of rectification of his data;
• Right to have his data deleted;
• Right to limit the processing of his data.

If the data subject has given your consent to the processing of his data, he also has the right to withdraw this consent at any time. However, the withdrawal of consent does not in any way render unlawful the processing already carried out on this legal basis.

If the data subject has given his consent to the processing or the processing is based on contractual performance, he has a right to the portability of the data provided.

Finally, if the processing is based on the legitimate interest of the organism, the data subject has a right to object on legitimate grounds in accordance with Article 21 of the GDPR. However, where the data is processed for the purpose of canvassing, the data subject will not be required to give reasons.

 

What does this mean for PrestaShop e-sellers?

E-sellers must make sure that their store allows end clients to exercise all their rights concerning the processing of personal data. Therefore, e-sellers must allow their clients to:

• Be informed of the collection and end uses of their data;
• Be able, where necessary, to give and withdraw their consent to the collection and processing of their personal data;
• Have access to it, to be able to rectify their data, obtain a copy in a portable format, as well as refuse processing in some instances and have it erased.

In addition, e-sellers must:

• Only collect data that is relevant and necessary for the store’s business objective;
• Inform clients of the collection of their data and their rights;
• Retain data only for as long as necessary for the purpose of the collection;
• Put in place all the technical and organizational measures that can show their practices comply with the GDPR.

 

What has PrestaShop planned to allow e-sellers to comply with the regulation?

PrestaShop has developed a module to help e-sellers and module developers to comply with the regulation by respecting the following requirements. The purpose of this module is to manage personal data collected by the PrestaShop software, native modules, and community modules installed on your store (only modules that are GDPR-compatible themselves).

It will bring you into compliance by respecting the following requirements:

• Users’ access rights to their personal data in their customer account;
• Users’ right to data portability (a copy of their data in an exploitable CSV or PDF format);
• Users’ right to edit or delete their personal data, subject to seller approval;
• Users’ right to give and withdraw their consent;
• E-sellers’ obligation to maintain a log of processing activities (in particular for the access, consent, and erasure of personal data).

 

Do you have a store in PrestaShop version 1.7?

Here are the 3 steps to installing the GDPR module:

1. In the back office, go to the Modules > Modules & Services page.
2. In the Selection section, use the search bar to enter the following word (depending on the language of the store):
   1. EN: “GDPR”
   2. FR: “RGPD”
   3. ES: “RGPD”
   4. DE: “DSGVO”
   5. IT: “RGPD”
   6. NL: “AVG”
   7. PL: “GDPR”
   8. PT: “RGPD”
   9. RU: “GDPR”
   10. All other languages: “GDPR”
3. WARNING: it is this exact term that must be used, otherwise the module cannot be found on the list.
4. A module will appear: “Official GDPR Compliance” (EN) or “RGPD Officiel” (FR). Click “Install” and you’re done!