GDPR Compliance

Thanks for the great components.

What are the plans for Hikashop components to follow the new EU General Data Protection Regulations (GDPR)?

Thanks
Dave

Thanks for your reply.
I was looking more at the encryption of user identifiable information and the 'right to be forgotten' aspect of GDPR.

Regards
Dave

If still of interest there is a new plugin for Joomla to be compliant with GDPR.

It looks even capable to integrate with Hikashop.

storejextensions.org/extensions/gdpr.html

Hi Nicolas,

From what I see the confusion continues. This law seems designed for the purpose of entrapment rather than clarification. Every business is obliged to keep records of it's customers for tax reasons and where more so than in the EU with our byzantine VAT regulations.

Would be interested to know if you or anyone else on this forum has any further information / guidance on this topic.


Conrad

@Conrad:
Hi Conrad. I think that the answer is provided at the beginning of Article 17 of the GDPR, which states:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

One of the purposes that these data were collected is taxation. The law requires that we keep these records for a number of years. So, my interpretation is that as long as these data (name, address, IP, etc) are still needed, they must not be deleted.

@Nicolas:
Nicolas, are there any news about the option to stop IP tracking for those users who add items to the cart without having logged in?
Also, is there a guide about the cookies used by Hikashop (if any)?

Thank you.

Thanks! I had come to a similar conclusion after reading up about the legal basis for data processing. It seems there are four cases allowed:

1) with consent of the user for a specific purpose

2) as part of a contract with the user or as steps towards entering into a contract with the user

3) where it is a legal obligation to process such data e.g. for taxation

4) where the vital interests of the user or other person are at stake.

Although there is a fair amount of trouble in it for us, I've come to believe that this is a good law. The process of complying with it has make me think about what I'm doing with personal data at a deeper level and examine the justifications for it. The only thing I wish is that the lawmakers would themselves put their laws in the same plain language that they demand from us in our privacy statements!

Anyway we are having a valuable discussion here

Conrad

cpreen wrote:
Although there is a fair amount of trouble in it for us, I've come to believe that this is a good law. The process of complying with it has make me think about what I'm doing with personal data at a deeper level and examine the justifications for it. The only thing I wish is that the lawmakers would themselves put their laws in the same plain language that they demand from us in our privacy statements!

Anyway we are having a valuable discussion here

Conrad

nicolas wrote: Yes, this option was added in HikaShop 3..4.0:
We've added an option to remove the logging of the IP address of the customer in the cart (for the RGPD).

Yes, EU Directive 2008/8/EC was quite interesting too. We adapted but not without cost. It forced us into premature VAT registration and also into appointing distributors in EU countries. @Nicolas: that's why we need support for distributor sales in HS

The issue with that was proving where an online customer is located. In the UK HMRC are reasonably happy if you collect two non-conflicting pieces of evidence of the customer location in order to decide the correct VAT rate. So declared address and IP geo-location is what we use. But hey, here comes the EU again saying we shouldn't be tracking IP addresses. The situation is Kafka-esque to say the least.

Happy to share whatever I find out.

Conrad

cpreen wrote: In the UK HMRC are reasonably happy if you collect two non-conflicting pieces of evidence of the customer location in order to decide the correct VAT rate. So declared address and IP geo-location is what we use. But hey, here comes the EU again saying we shouldn't be tracking IP addresses. The situation is Kafka-esque to say the least.

Information collected when you place an order:
To complete an order, you must submit your billing information along with your email address. This information is collected to comply with the requirements of the EU Directives 2006/112/EC and 2008/8/EC, regarding the VAT tax and the place of supply of services, respectively. Your Internet Protocol address is also collected when you add items to the shopping cart, to comply with the EU directive 2008/8/EC regarding the collection of two non-conflicting pieces of evidence of the customer location, in order to calculate the correct VAT tax rate.

Conrad, one more thing. You are absolutely right about the Kafka-esque situation, when we think about IP logging in server logs. This is how the vast majority of website servers work: IP logging may occur from the very first moment a user visits our sites. So, if we think strictly about the GDPR provisions, we should not allow the user to visit any page unless they first give clear consent that they accept IP logging. Insane.

Merci Nicolas.
So, to be 100% sure on what I am doing here:
If we set Configuration > Cart > Log IP address to "No", the IP address will not be collected when a user adds a product to the cart, but it will be collected when the user completes the order.
Is this correct?

Update: I just make a trial purchase, having set the "Log IP address" to "No". It works great. My IP was logged only when I completed the purchase on my site, before I was transferred to PayPal.
Thanks!

Is it possible to add a botton in the frontend so that each user can download the data included in the address?

is to fulfill the data portability that the gdpr requests

Thanks!