GDPR Regulation 25.05.2018 - Personal Data Protection Act on website and online store

The long-awaited "Personal Data Protection Act" has not only been in force since May 25, 2018, but is already in full swing, and warnings about upcoming fines have already started reaching the big players in the online world.

With GDPR in force comes the problem faced by all Bulgarian online retailers with existing websites, and by those about to create a brand new website design: the changes they have to go through.

What changes must be made to the website to comply with the GDPR?

Let's take a general look at what the new regulation is, in terms of logic.

Every user should know the following at all times:

  • What personal data will be stored, or is already being stored, about them;
  • How that data is collected;
  • Why it is stored and for what purpose;
  • How a user can disable tracking by the different tracking codes;
  • How a user can ask what data the site/store stores about them, who administers the data and how it is stored.

Cookie Policy

As soon as a visitor enters the website, it must show a notification signalling that the site uses cookies (if it uses them at all), and the customer must explicitly agree to this by using an "I understand" or "Accept" button.

This "notification bar" should contain a link to the "Cookie Policy", where visitors can read more about the cookies that will collect data about them.

Cookies are grouped into four categories in total:

Important cookies - entirely related to website functionality: account identification, language, currency, user session, etc.

Effective cookies - these remember personal settings on the site; for example, an online store saving the data you entered when placing an order (phone number, etc.).

Analytics and Advertising Cookies - most commonly, all tracking codes from Facebook, AdWords and other sources that provide statistics about site visits belong here. Their purpose is to give the "analyzer" of the website more information, so that more work can be done on making the browsing experience convenient.

Advertising Cookies - these are the cookies that are used by and provided to third parties, for example for email marketing, Google AdWords, Google AdSense advertisers and other companies offering "external advertising". Interestingly, the regulation states that the site is obliged to verify that the third-party service it uses also complies with the regulation. That is, if Google AdSense violates the regulation with personal data collected from our website, then we are in violation of the regulation as well.

The Cookie Policy page should describe all of this information, together with a "what is a cookie" explanation and instructions on how cookies can be removed in different browsers.

All cookies should be listed: what they are called, what type they are, what purpose they serve, how long they last, and who has access to them.

A useful example of this is the cookie policy of eMag.

Privacy Policy

This is the page where all the methods of processing personal data must be described. In short, it is the full version of the Cookie Policy page. The page must state who processes this personal data: the legal entity and its company details are listed. You can find more on the topic here.

If the website has no automated way to make such a request, a separate form can be added through which each user can submit a request to the contact e-mail. Each user has the right to request to be forgotten, to have their data deleted, or simply to inquire about the data stored about them.

The customer enters personal data in a field of the site

Personal Information means any information relating to an identified or identifiable living natural person. Individual data which, when aggregated together, may lead to the identification of a specific person, is also personal data.

This definition also includes the data that the client fills in when using a contact form such as:

First Name, Last Name, Email, Phone, and IP Address

This means that any website, even one that only uses a contact form, is still considered a "Personal Data Administrator" (data controller). Even if the e-mails are not stored and are deleted, the customer has already sent their data digitally.

Before sending an e-mail, the customer must agree by ticking the agreement with the Privacy Policy of the respective website or online store.

From this, we should conclude that each field in which the user enters the above data must be accompanied by a checkbox and text confirming that they agree to provide their personal data.

In the admin panel of the site, or in the e-mail sent by the client, there must be a written record of the date and time and of the terms in force at that moment, which the user agreed to. That is the "log (history)" of the individuals who have agreed to the privacy policy.

The same checkbox must appear on the "Account Registration", "Game Participation" pages, the "Online Store Order Page", the "Newsletter Subscription Window" and any other field where similar personal data is entered.
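As an added illustration (not code from the original article), the consent logic described in the cookie-policy and consent-log sections above, in JavaScript: the four cookie categories, a consent record carrying the date, time and policy version the visitor agreed to, and a loader that only injects a tracking tag after its category has been accepted. The tag registry, its names and script URLs are placeholder assumptions.

```javascript
// Added example, not from the original article: consent gating for the four
// cookie categories the article lists. Tracking tags are injected only after
// their category has been accepted; the decision is stored with a timestamp
// and the policy version, which gives the consent log the article requires.

const CATEGORIES = ["essential", "functional", "analytics", "advertising"];

// Hypothetical tag registry; the script URLs are placeholders.
const TAG_REGISTRY = [
  { name: "session",   category: "essential",   src: null },
  { name: "analytics", category: "analytics",   src: "https://example.invalid/analytics.js" },
  { name: "ads",       category: "advertising", src: "https://example.invalid/ads.js" },
];

// Build the record to keep (cookie or server-side log) when the visitor clicks
// "Accept". Essential cookies cannot be refused; all others default to denied.
function buildConsentRecord(acceptedCategories, policyVersion, now = new Date()) {
  const choices = {};
  for (const c of CATEGORIES) {
    choices[c] = c === "essential" || acceptedCategories.includes(c);
  }
  return { choices, policyVersion, timestamp: now.toISOString() };
}

// Names of the registered tags that may run under a record. No record, or a
// record for an older policy version, means only essential tags run until the
// visitor is asked again.
function allowedTags(record, currentPolicyVersion, registry = TAG_REGISTRY) {
  const stale = !record || record.policyVersion !== currentPolicyVersion;
  return registry
    .filter(t => t.category === "essential" || (!stale && record.choices[t.category] === true))
    .map(t => t.name);
}

// Browser side: inject only the permitted external scripts. Returns the names
// loaded; a no-op outside a browser so the logic above stays testable.
function loadAllowedScripts(record, currentPolicyVersion, registry = TAG_REGISTRY) {
  if (typeof document === "undefined") return [];
  const allowed = new Set(allowedTags(record, currentPolicyVersion, registry));
  const loaded = [];
  for (const tag of registry) {
    if (!allowed.has(tag.name) || !tag.src) continue;
    const s = document.createElement("script");
    s.src = tag.src;
    s.async = true;
    document.head.appendChild(s);
    loaded.push(tag.name);
  }
  return loaded;
}
```

Bumping the policy version after a change to the Privacy Policy makes every stored record stale, so visitors are asked to consent again rather than being tracked under terms they never saw.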

If you need advice or consultation, feel free to contact us.