GDPR Compliance

Hi Nicolas,

On the rest of the forms I am putting two buttons. One button for xls format and one for csv.

Thnaks!

thanks Nicolas, while this add-on appears, it would not be possible to perform this action?

Having spent endless hours trying to figure out the best path to GDPR compliance,
I totally agree with Nicolas: there has to be one single, integrated solution for the end-user who wishes to view, edit, delete, or download ALL their personal data, which was submitted voluntarily, or collected automatically in our sites (such as the user profile, forum posts, comments, Hikashop profile, IPs, and so on). Unfortunately Joomla is not ready yet. It should have been ready, but GDPR was probably neglected or underestimated.

Nevertheless May 25 is approaching and we must comply with GDPR's requirements. Please correct me if (or where) you think I am wrong:
The GDPR sets the rights of the data subjects (right to erasure, portability, rectification, etc) and requires us to provide the means to the data subjects to perform all these rights. Until the Joomla team comes up with a solution, we must provide one. One way is to look for such software (Joomla components) from 3rd parties, which deal with GDPR. Some of these software solutions are very good, yet they don't fully comply with all requirements.

Another solution (which is perfectly acceptable in my opinion) is the following:
You can create a new email account dedicated to privacy issues (e.g. privacy @ yoursitename.com). Then you must add a section to your Privacy Policy page (called e.g. 'Your Access to and Control over your personal information'), where you inform visitors about all their rights to their personal information, and tell them that they can reach you in this email address if they wish to perform any of these rights. As an additional step, you may create a dedicated contact form e.g. on your site footer, which includes various checkboxes corresponding to the users' rights to information.
Of course this means more work for us. I don't think there will be so many request of this kind to keep us very busy. Or so I hope.

Nicolas, any ideas regarding the Joomla 3.9 release date?
In their announcement, the developers mentioned 'the short timeline for this release'. From your experience, could this translate into days, weeks? GDPR is 2 weeks from now.

it's good news

Just to be sure to have understood what you mean.
in the dedicated contact form the users can ask to delete their data or they can ask to know data that we stored. It is correct??
Moreover if users can buy products as a guest, technically how can they have access to their data if they dont have an account to log in??

Thanks
Frank

Another solution (which is perfectly acceptable in my opinion) is the following:
You can create a new email account dedicated to privacy issues (e.g. privacy @ yoursitename.com). Then you must add a section to your Privacy Policy page (called e.g. 'Your Access to and Control over your personal information'), where you inform visitors about all their rights to their personal information, and tell them that they can reach you in this email address if they wish to perform any of these rights. As an additional step, you may create a dedicated contact form e.g. on your site footer, which includes various checkboxes corresponding to the users' rights to information.
Of course this means more work for us. I don't think there will be so many request of this kind to keep us very busy. Or so I hope.

Hello Frank,
The end-users have the right to know what personal data we've stored, the right to ask for their personal data to be erased, the right to get a copy of their data in a machine readable format, the right to make changes to any of their data that are inaccurate. If you plan to create a dedicated contact form, make sure it include all these options.
I am not a lawyer, but I think that you must begin with stating these user rights in your privacy policy and also state the means that the data subject can use to perform their rights (contact you via email or via a dedicated contact form, direct involvement, etc).
The very same rights apply to guest purchases. The customer can contact you to exercise any of these rights. There is an issue here regarding the right to erasure. We are obliged to keep the orders data for X years. The Hikashop team can help us here: if we delete the Hikashop user profile, will this affect the stored orders data (e.g. name, address, etc)?

nicolas wrote: I don't think that you'll see it in two weeks.
Even if the features were finished right now (which is not the case at all), between the beta period, the release candidate, and the final release two weeks would be short.
I'd wager you need to count in months.

At the moment, when you delete a Joomla user account, the HikaShop user and the associated orders/addresses are not deleted. Only the user account is and thus the user becomes a "guest checkout" user in HikaShop.
And if you try to delete a user from the HikaShop interface, it will only be accepted if the user doesn't already have orders.

Thank you very much, Nicolas!
Frank, now we have a more complete picture about guest purchases: a guest customer may contact you (directly via email, or via a contact form) and ask to perform any of their GDPR rights, except for the right to erasure.

Sorry but i dont understand how to handle with guest custmers
Can explain me please??


Thanks

You need provide your customers (guest or regular, it doesn't matter) a means to communicate with you regarding their GDPR rights.

1. Begin with creating a dedicated email address (e.g. privacy @ yoursitename.extension) where people can reach you about data privacy issues. You need to include this email address in your Privacy Policy page, in the section that explains the users' rights to their personal data. If you accomplish this step, you' ll have done a major step forward to the safe side.

2. The next step is optional. You may create a contact form, using a Joomla component that creates forms with radio buttons and check boxes. You need to add different radio buttons that correspond to different user rights (e.g. 'I would like to have my personal data erased from this site', 'I would like to download a copy of all my personal data stored on this site', and so on). The user will check the appropriate options and send you the form.
Mind that if you store the messages sent with this form then you should ask the user's consent at the end of the form (another GDPR requirement, since you are collecting the user's name and email address).

Thank you for your clarificaion...If I need again your help I will bother you again here
HOwever I am followinf this discussion if there will be some developing.

francota wrote: Thank you for your clarificaion...If I need again your help I will bother you again here .

You don' t bother me at all. I am also trying to sort through this mess. I'd like to say (again) that this is my own interpretation of what can be done to align with the GDPR requirements regarding the rights of data subjects.

Panefs I was thinking about your possible solution in the case of guest useres.
I wonder if I know your email I could ask to delete your data user ...what do you think about that?
If I insert in the GDPR text that data user will be deleted from the web site when the product is delivered, how is this solution? in this case do you think I still have to give the choise to delete the user data??

Frank

Frank, I am not sure I completely understood the question. Retention (and deletion) of orders data is a topic that you must discuss with your accountant / financial advisor, taking into account the GDPR & local legal framework.
You'll find some answers in these pages:
ico.org.uk/for-organisations/guide-to-da...inciple-5-retention/
and
www.mycustomer.com/marketing/data/gdpr-a...requests-for-erasure

Is there an easy way to delete user accounts of a certain age that have never placed an order from both the Hikashop user database and the Joomla user database at the same time?
For VAT purposes I am supposed to save order details for 7 years, but for users who only made an account but never placed an order this period can be a lot shorter. However, I don't know how to delete those accounts specifically and easily.