GDPR issues

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 10 months ago #288593

-- HikaShop version -- : HikaShop Business: 3.3.0
-- Joomla version -- : 3.8.5
-- PHP version -- : 7

Hi.
The GDPR will be enforced in 3 months from now and most of us who reside in the EU are trying to sort through the mess and get prepared.

I'd like to share 2 thoughts that came into my mind today and ask for assistance:

1. When a user completes an order, Hikashop sends an email about the creation of the order to both the buyer and the seller. Then, when the buyer completes the payment (e.g. on PayPal), another email about the completion of the order is sent to both parties.
Here's the GDPR-related issue: these unencrypted emails display the buyer's billing address. Some customers may get angry about it. My question is: is there a way to stop Hikashop from displaying the billing address in these emails?

2. The second concern is about the collection of the IP of non-registered users. When a user who hasn't logged in adds a product to the cart, Hikashop stores the user's IP. This is very different from collecting a buyer's IP: registered users or guest buyers have already agreed to our terms and conditions, which inform them about the collection and storage of the buyer IPs when they place their orders. But casual visitors who browse our product pages and try our shopping carts have not given their consent about it. Is there a setting to turn off this feature?

Thank you.


  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 10 months ago #288606

Is it safe to remove this code from the order creation & order notification emails, to have the billing address removed from these emails?

<table class="w550" border="0" cellspacing="0" cellpadding="0" width="550" style="margin-top:10px;font-family: Arial, Helvetica, sans-serif;font-size:12px;line-height:18px;">
<tr>
<!--{IF:BILLING_ADDRESS}--><td style="color:#1c8faf !important;font-size:12px;font-weight:bold;">{TXT:BILLING_ADDRESS}</td><!--{ENDIF:BILLING_ADDRESS}-->
<!--{IF:SHIPPING}--><!--{IF:SHIPPING_ADDRESS}--><td style="color:#1c8faf !important;font-size:12px;font-weight:bold;">{TXT:SHIPPING_ADDRESS}</td><!--{ENDIF:SHIPPING_ADDRESS}--><!--{ENDIF:SHIPPING}-->
</tr>
<tr>
<!--{IF:BILLING_ADDRESS}--><td>{VAR:BILLING_ADDRESS}</td><!--{ENDIF:BILLING_ADDRESS}-->
<!--{IF:SHIPPING}--><!--{IF:SHIPPING_ADDRESS}--><td>{VAR:SHIPPING_ADDRESS}</td><!--{ENDIF:SHIPPING_ADDRESS}--><!--{ENDIF:SHIPPING}-->
</tr>
</table>


  • Posts: 83024
  • Thank you received: 13403
  • MODERATOR
6 years 10 months ago #288609

Hi,

1. Yes, you can remove these to remove the billing and shipping addresses from the notification emails.

2. There is no setting. But we could easily add such a setting.
Note though that even if HikaShop doesn't log the IP, the IP is still logged in the "access log" of your web server. So I'm not sure that it would change anything?


  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 10 months ago #288642

Thank you very much.

I think it's worth adding a setting that stops Hikashop from logging the IPs of casual visitors.
I am quoting a section from this analysis: www.ctrl.blog/entry/gdpr-web-server-logs

You can’t collect and store any personal data without having obtained, and being able to document that you obtained, consent from the persons you’re collecting data from. You can, however, collect and store personal data as part of web servers logs for the purposes of detecting and preventing fraud and unauthorized access and maintaining the security of your systems.


Based on this analysis, it appears that access logs and server logs could, under certain circumstances, be considered legitimate.

If we disabled access logs (and error logs) on our servers, what would be the impact on Hikashop? Would Hikashop still be able to store the buyer's IP (which is a requirement in the EU Directive 2008/8/EC to those who sell digital goods)?

Similarly to the 2015 VAT changes, GDPR is a nightmare for small businesses, only on a much grander scale. Large corporations have the means to deal with the new requirements. Smaller fish (like most of us who use Joomla and Hikashop) are going to have a tough time while trying to adapt.

The following user(s) said Thank You: fengel
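The post above raises the trade-off between keeping web server access logs for security purposes and not retaining raw visitor IPs. The following is an added example, not code from the thread or from HikaShop, showing the two usual middle-ground techniques applied to constructed access log lines: truncating the address (drop the last IPv4 octet, keep the IPv6 /48) or replacing it with a keyed hash so repeated requests from one client can still be correlated for abuse detection without storing the address itself. The log lines and the secret are placeholders invented for the example.

```python
"""Pseudonymise client IPs in web-server access logs (added example).

The log lines below are constructed sample data in the Apache/Nginx
"combined" format; the keying secret is a placeholder.
"""
import hashlib
import hmac
import ipaddress
import re
from typing import List

# Constructed sample log lines (combined log format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.42 - - [10/Feb/2018:10:15:32 +0100] "GET /product/widget HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Feb/2018:10:15:40 +0100] "POST /cart/add HTTP/1.1" 302 0 "-" "Mozilla/5.0"
2001:db8:85a3::8a2e:370:7334 - - [10/Feb/2018:10:16:01 +0100] "GET /checkout HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

# Placeholder key; in practice load it from a secret store and rotate it
# periodically, which limits how long pseudonyms stay linkable.
PLACEHOLDER_SECRET = b"replace-me-with-a-real-secret"

# The client address is the first whitespace-delimited field of a combined-format line.
_LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest> .*)$")


def truncate_ip(ip_text: str) -> str:
    """Coarsen an address: zero the last IPv4 octet, or keep only the IPv6 /48."""
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymise_ip(ip_text: str, secret: bytes) -> str:
    """Keyed hash (HMAC-SHA256, truncated) of the packed address.

    The same client maps to the same token while the secret is in use, so
    rate-limiting and abuse detection keep working; without the secret the
    token cannot be reversed to the address.
    """
    packed = ipaddress.ip_address(ip_text).packed
    return hmac.new(secret, packed, hashlib.sha256).hexdigest()[:16]


def rewrite_log(text: str, secret: bytes, mode: str = "hmac") -> List[str]:
    """Rewrite every log line, replacing the client IP according to `mode`.

    Lines that do not start with a parseable IP address are passed through
    unchanged so that a malformed line never aborts the whole rewrite.
    """
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            out.append(line)
            continue
        ip = m.group("ip")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            out.append(line)
            continue
        replacement = pseudonymise_ip(ip, secret) if mode == "hmac" else truncate_ip(ip)
        out.append(replacement + m.group("rest"))
    return out


if __name__ == "__main__":
    for rewritten in rewrite_log(SAMPLE_LOG, PLACEHOLDER_SECRET, mode="truncate"):
        print(rewritten)
    for rewritten in rewrite_log(SAMPLE_LOG, PLACEHOLDER_SECRET, mode="hmac"):
        print(rewritten)
```

Truncation is simplest and is what many sites do at the web server itself, but it removes the ability to tell two clients in the same /24 apart; the keyed hash keeps that distinction for the lifetime of the key, so the retention question becomes how long the key is kept.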


  • Posts: 83024
  • Thank you received: 13403
  • MODERATOR
6 years 9 months ago #288646

Hi,

Thanks for your input.
Adding a setting could be worth it yes.

The following user(s) said Thank You: fengel


Powered by Kunena Forum