GDPR Compliance

  • Posts: 2
  • Thank you received: 0
7 years 3 months ago #276127

Thanks for the great components.

What are the plans for Hikashop components to follow the new EU General Data Protection Regulations (GDPR)?

Thanks
Dave

Please Log in or Create an account to join the conversation.

  • Posts: 82823
  • Thank you received: 13370
  • MODERATOR
7 years 3 months ago #276131

Hi,

Reading about it online, I don't see anything which requires modifications in HikaShop.
For example, www.statementagency.com/blog/2017/07/wha...r-ecommerce-business mentions that you need stricter opt-in for marketing with the private data collected. But all that is mentioned there is already possible.

Do you have something specific in mind ?

Please Log in or Create an account to join the conversation.

  • Posts: 2
  • Thank you received: 0
7 years 3 months ago #276365

Thanks for your reply.
I was looking more at the encryption of user identifiable information and the 'right to be forgotten' aspect of GDPR.

Regards
Dave

Please Log in or Create an account to join the conversation.

  • Posts: 82823
  • Thank you received: 13370
  • MODERATOR
7 years 3 months ago #276494

Hi,

Regarding the right to be forgotten, that's something that you have to setup on your end, as far as I can see.

Regarding the encryption of the user data, it might be something necessary. It's a bit early yet to say what should be done and what would be best. Encrypting and anonymizing the user data is great, but if you can't see the name, email or address of the customers when you edit an order in the backend because it is encrypted/anonymized, then how can you manage your shop and answer to customers when they contact you ?
So far I see a lot of people linked to privacy, politic, and judicial systems talking about how it is important to reinforce the encryption of user data, but I couldn't find any practical information on what needs to be done ? It is the encryption of the data while it's moving between the customer and your website ? In which case, a SSL certificate already does that for you. Is if at the database level ?
But then, you can still see the unencrypted data in the backend of the website. Is it in the backend of the website ? But in that case, how can you manage your shop ?
Also, I didn't hear of any other ecommerce solution encrypting the user data in the database or anonymizing the data in the interface.
So I'm not even sure it's something we should do.
Most of the things I saw regarding that and ecommerce solutions was about using usernames for comments (which is already done in HikaShop), right to be forgotten, and such things and it seems that no one is planning on encrypting the user data in the database for now.
We'll see how it goes until May of next year. We have plenty of time to tacle that if necessary.

Please Log in or Create an account to join the conversation.

  • Posts: 1
  • Thank you received: 1
6 years 7 months ago #291173

If still of interest there is a new plugin for Joomla to be compliant with GDPR.

It looks even capable to integrate with Hikashop.

storejextensions.org/extensions/gdpr.html

The following user(s) said Thank You: nicolas

Please Log in or Create an account to join the conversation.

  • Posts: 98
  • Thank you received: 3
6 years 7 months ago #291323

Hi Nicolas,

From what I see the confusion continues. This law seems designed for the purpose of entrapment rather than clarification. Every business is obliged to keep records of it's customers for tax reasons and where more so than in the EU with our byzantine VAT regulations.

Would be interested to know if you or anyone else on this forum has any further information / guidance on this topic.


Conrad

Please Log in or Create an account to join the conversation.

  • Posts: 82823
  • Thank you received: 13370
  • MODERATOR
6 years 7 months ago #291326

Hi,

I also do believe that for ecommerce websites, you have to keep records of the customers and sales, etc for tax reasons in case of control.
So even if someone who purchased something on your website asks you to delete their information on your website, while you can delete their user account, you still have to keep their orders and all the information in the orders.
That's actually what already happens with HikaShop and if you really want to delete the orders, you still can in the backend of HikaShop.
Now regarding the export of all the user information is already provided by the extension mentioned above and it is already integrated with HikaShop so I guess that we won't have to do anything regarding that.
And the other points mentioned by that extension don't really concern HikaShop but the whole website in general.
So I guess that if you setup that extension on your website and properly manage your customers data, you've already done way more than most websites out there regarding the GDPR.
Now, of course, IANAL (I am not a lawyer) :)

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 7 months ago #291396

@Conrad:
Hi Conrad. I think that the answer is provided at the beginning of Article 17 of the GDPR, which states:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;


One of the purposes that these data were collected is taxation. The law requires that we keep these records for a number of years. So, my interpretation is that as long as these data (name, address, IP, etc) are still needed, they must not be deleted.

@Nicolas:
Nicolas, are there any news about the option to stop IP tracking for those users who add items to the cart without having logged in?
Also, is there a guide about the cookies used by Hikashop (if any)?

Thank you.

Please Log in or Create an account to join the conversation.

  • Posts: 98
  • Thank you received: 3
6 years 7 months ago #291397

Thanks! I had come to a similar conclusion after reading up about the legal basis for data processing. It seems there are four cases allowed:

1) with consent of the user for a specific purpose

2) as part of a contract with the user or as steps towards entering into a contract with the user

3) where it is a legal obligation to process such data e.g. for taxation

4) where the vital interests of the user or other person are at stake.

Although there is a fair amount of trouble in it for us, I've come to believe that this is a good law. The process of complying with it has make me think about what I'm doing with personal data at a deeper level and examine the justifications for it. The only thing I wish is that the lawmakers would themselves put their laws in the same plain language that they demand from us in our privacy statements!

Anyway we are having a valuable discussion here :-)

Conrad

Please Log in or Create an account to join the conversation.

  • Posts: 82823
  • Thank you received: 13370
  • MODERATOR
6 years 7 months ago #291404

Hi,

@panefs :
Yes, this option was added in HikaShop 3..4.0:

We've added an option to remove the logging of the IP address of the customer in the cart (for the RGPD).

www.hikashop.com/support/documentation/5...ashop-changelog.html

Regarding cookies, the only one added is for the affiliate program if someone uses an affiliation link.
It's just a way for HikaShop to know from which partner the user came from.
Otherwise, HikaShop doesn't add any cookies.

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 7 months ago #291440

cpreen wrote:
Although there is a fair amount of trouble in it for us, I've come to believe that this is a good law. The process of complying with it has make me think about what I'm doing with personal data at a deeper level and examine the justifications for it. The only thing I wish is that the lawmakers would themselves put their laws in the same plain language that they demand from us in our privacy statements!

Anyway we are having a valuable discussion here :-)

Conrad


I agree Conrad. I feel the same. My main issue is that it is more difficult for a small company to cope with the requirements of this regulation. It reminds me of the period prior to January 1, 2015, when the EU Directive 2008/8/EC was enforced (the one that regulated the VAT for digital products and services). A large number of small companies were unable to adapt.

Last edit: 6 years 7 months ago by panefs.

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 7 months ago #291441

nicolas wrote: Yes, this option was added in HikaShop 3..4.0:
We've added an option to remove the logging of the IP address of the customer in the cart (for the RGPD).


Thanks Nicolas.
If we turn off this setting, will it also stop logging the IP addresses of registered users when they place an order?

Please Log in or Create an account to join the conversation.

  • Posts: 98
  • Thank you received: 3
6 years 7 months ago #291443

Yes, EU Directive 2008/8/EC was quite interesting too. We adapted but not without cost. It forced us into premature VAT registration and also into appointing distributors in EU countries. @Nicolas: that's why we need support for distributor sales in HS :-)

The issue with that was proving where an online customer is located. In the UK HMRC are reasonably happy if you collect two non-conflicting pieces of evidence of the customer location in order to decide the correct VAT rate. So declared address and IP geo-location is what we use. But hey, here comes the EU again saying we shouldn't be tracking IP addresses. The situation is Kafka-esque to say the least.

Happy to share whatever I find out.

Conrad

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 7 months ago #291449

cpreen wrote: In the UK HMRC are reasonably happy if you collect two non-conflicting pieces of evidence of the customer location in order to decide the correct VAT rate. So declared address and IP geo-location is what we use. But hey, here comes the EU again saying we shouldn't be tracking IP addresses. The situation is Kafka-esque to say the least.


Hi Conrad.
To my understanding, the GDPR doesn't stop us from collecting IPs. That would be insane, because IPs are logged in server logs anyway. The EU now considers IPs as personal information: in order to collect any kind of personal information (including IPs), we must get the user's clear consent first. From what I understand, consent is given when the user / customer clicks on the "I agree with the Terms and Conditions" button, when they register, or when they complete an order. The button should be unchecked by default.
We must publish two different documents on our sites: the first is the "Terms and Conditions" (it should be there already). The second is called "Privacy Policy". It explains what data is collected, why it is collected and how it is used/stored. This document should include a statement saying that it forms a part of the overall "Terms and Conditions". So, when a user clicks the "I agree" button, he/she agrees with the terms in both documents.
Here's an excerpt from the revised "Privacy Policy" document that I am preparing here. It's the part referring to the IPs:
Information collected when you place an order:
To complete an order, you must submit your billing information along with your email address. This information is collected to comply with the requirements of the EU Directives 2006/112/EC and 2008/8/EC, regarding the VAT tax and the place of supply of services, respectively. Your Internet Protocol address is also collected when you add items to the shopping cart, to comply with the EU directive 2008/8/EC regarding the collection of two non-conflicting pieces of evidence of the customer location, in order to calculate the correct VAT tax rate.
Again, this is my own interpretation. Please correct me if it is wrong, and of course pardon my language errors.

Last edit: 6 years 7 months ago by panefs.

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 7 months ago #291450

Conrad, one more thing. You are absolutely right about the Kafka-esque situation, when we think about IP logging in server logs. This is how the vast majority of website servers work: IP logging may occur from the very first moment a user visits our sites. So, if we think strictly about the GDPR provisions, we should not allow the user to visit any page unless they first give clear consent that they accept IP logging. Insane.

Please Log in or Create an account to join the conversation.

  • Posts: 82823
  • Thank you received: 13370
  • MODERATOR
6 years 7 months ago #291461

Hi,

Regarding HikaShop, the option to not log the IP address is only for the carts.
For the orders, you generally want to log the IP address. As cpreen said, you want to log the IP address for the VAT regulations.
The GDPR tells you that you should log something if you don't need it. But for the IP address in the orders, you need it for the VAT regulations, so I don't see a problem with always logging it, even without the fact that your server logs the IP address in its logs anyways.

The following user(s) said Thank You: PolishedGeek

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 7 months ago #291464

Merci Nicolas.
So, to be 100% sure on what I am doing here:
If we set Configuration > Cart > Log IP address to "No", the IP address will not be collected when a user adds a product to the cart, but it will be collected when the user completes the order.
Is this correct?

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 7 months ago #291476

Update: I just make a trial purchase, having set the "Log IP address" to "No". It works great. My IP was logged only when I completed the purchase on my site, before I was transferred to PayPal.
Thanks!

The following user(s) said Thank You: nicolas

Please Log in or Create an account to join the conversation.

  • Posts: 267
  • Thank you received: 5
6 years 6 months ago #292334

Is it possible to add a botton in the frontend so that each user can download the data included in the address?

is to fulfill the data portability that the gdpr requests

Thanks!

Please Log in or Create an account to join the conversation.

  • Posts: 82823
  • Thank you received: 13370
  • MODERATOR
6 years 6 months ago #292354

Hi,

We could. But what format should it be ?

Please Log in or Create an account to join the conversation.

Time to create page: 0.130 seconds
Powered by Kunena Forum