1. Awareness and Transparency
a. Information Obligation: E-shops must inform their customers about what personal data they collect, for what purposes, how long they will retain it, and who has access to this data. This information must be provided clearly, in understandable language, and in an easily accessible form.
b. Consent for Data Processing: If an e-shop processes personal data based on consent, this consent must meet GDPR requirements for clear and specific consent. Consent must be given voluntarily and can be withdrawn at any time.
2. Right to Access and Rectification
Customers have the right to obtain confirmation of whether their personal data is being processed and, if so, to access this data. They also have the right to request the correction of inaccurate data.
3. Right to Be Forgotten
Under certain circumstances, individuals have the right to request that an e-shop erase their personal data. This includes situations where the data is no longer necessary for the purposes for which it was collected or if the data subject withdraws consent for processing.
4. Data Security
E-shops must ensure that the personal data they process is adequately protected against unauthorized access, loss, or damage. This requires the implementation of appropriate technical and organizational measures, such as encryption, regular security audits, and the establishment of processes for addressing security incidents.
5. Data Protection Officer (DPO)
Large e-shops that conduct extensive processing of personal data may be required to appoint a DPO. The DPO oversees GDPR compliance and serves as the point of contact for supervisory authorities and data subjects.
6. Data Protection Impact Assessment (DPIA)
For projects that pose a high risk to the rights and freedoms of individuals, e-shops must conduct a DPIA. A DPIA helps identify and mitigate risks associated with data processing.
7. Notification of Personal Data Breaches
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, the breach must be reported to the relevant supervisory authority no later than 72 hours after the e-shop becomes aware of it.
GDPR represents a significant change in the approach to personal data protection and requires considerable effort from e-shops to comply with its requirements. Implementing GDPR is not just about compliance with legal regulations but also about building trust between e-shops and their customers by giving them control over their personal data.