GDPR in e-commerce

GDPR and online sales

Online sales are currently among the most popular commercial and consumer transactions. Of course, their scale depends on the type of goods and business activity, but in some industries web stores achieve a considerably higher turnover than brick-and-mortar stores. Intensive growth of e-commerce has forced the Polish legislator to regulate transactions in this business sector. Currently, online sales are mainly governed by the Electronic Services Act and various separate laws, including the Consumer Rights Act. Those acts are closely linked to GDPR provisions regulating the obligations of store owners as data controllers and the rights of purchasers relating to the processing of personal data they have disclosed.

From the legal perspective, the most relevant are two documents governing the operations of web stores, namely the web store terms and conditions and the privacy policy. Obviously, those documents may have different names, but they must include the legally required content.

What must be in the web store terms and conditions

The web store terms and conditions must include standard provisions regarding sales contracts, e.g. the terms of payment and shipping, the right to withdraw from the contract, or the terms of filing and handling complaints. Any and all provisions of a sales contract must take into account the interests and rights of consumers. The Polish Office of Competition and Consumer Protection (UOKiK) keeps a register of prohibited contractual clauses.

The web store terms and conditions should also preferably cover the processing and protection of personal data and should include information about the data controller and the legal grounds for the processing of personal data. In the case of web stores it is first of all the contract and the data controller's legitimate interest in defending itself in case of claims (or, as the case may be, the customer's consent granted to the web store for sending him information by email or by phone). It should be noted, however, that such section in the web store terms and conditions may not replace a comprehensive privacy policy which should specify in detail, among other things, the scope of processed data, the data recipients and important reminders regarding the rights of data subjects. Before drafting a privacy policy you should analyse in detail what data your web store has access to and where those data are exactly located.

Sensitive data on the Internet

The scope of data being collected varies depending on the goods and services offered by a web store. Web store owners often do not realise that they have access to data regarded as sensitive. This is the case if, for example, a web store offers medical services that require customers to disclose data concerning their health. In addition to the obligation to obtain explicit consent for the processing of such data (and to highlight the information on the processing of those data in the web store's privacy policy) the web store owner should implement special safeguards to protect himself and the data subjects from any breach of special categories of data which are subject to increased protection.

Also, web store owners who use external services, such as hosting services, to process personal data disclosed to them are often unaware that such data may be transferred outside the European Union. Such a data transfer does not mean that GDPR provision no longer apply to personal data in question. In fact, quite the contrary, the web store owner should include the information about data transfers in his privacy policy as well.

If the web store owner is not sure what exactly happens to the data to which he has access, it is reasonable to carry out a detailed organisational and technical audit. Personal data protection experts will accurately assess the risks associated with the processing of data by the enterprise and will prepare a relevant report. A recommended solution is also to have a GDPR compliant data protection policy implemented in the company.  Once such a policy is implemented, a web store has in place comprehensive documentation and can use technical measures necessary to ensure personal data protection.

Privacy policy easily accessible to users

Apart from including the required content (as specified in Article 13 GDPR) in the privacy policy, web stores should also pay attention to the style and layout of the policy text and the location of the policy on the website. First of all, customers should always have easy access to information about their personal data. It is advisable to add a tab on the website clearly showing that it contains information about data processing (its title should be, for example, "Personal data protection", "Processing of personal data" or "Privacy"). The privacy policy should be also written in plain language that is free of legalese terms which are often incomprehensible to consumers. Having read the privacy policy, customers must be sure that the data they have disclosed are processed in a secure manner.  If a web store uses incomprehensible and complicated language, it may be accused of violating one of the GDPR's basic principles, namely, the transparency principle. Transparency also means that when creating the privacy policy one should take care of the visual appearance of the policy text. It is recommended to divide the policy into paragraphs and points and to put a table of contents at the beginning rather than to present it in the form of a continuous text.

Marketing in e-commerce

E-commerce also involves marketing activities. It is hard to imagine that web stores would make no efforts to win new customers. Obviously enough, marketing activities involve the processing of personal data. In this context, it is important to remember that customer data obtained through signing a sales contract may not be automatically used to promote further products e.g. by email or by phone. The use of personal data is governed in this case not only by GDPR, but also by the Polish Electronic Services Act and the Telecommunications Act, under which businesses are obliged to obtain consent from customers to whom they want to market their goods or services.

Web store partners

As mentioned earlier, when deciding to start an e-commerce business, web store owners must often partner with external service providers e.g. courier, hosting or e-payment service providers. This may require disclosure of personal data of customers to such entities. However, this does not automatically mean that an external service provider will thus become a processor with whom a web store owner must sign a personal data processing agreement. Such an entity may often be a separate controller or a joint controller with the web store. The relevant guidelines of the supervisory authorities are not conclusive as to the roles of individual entities in the processing of personal data. The responsibilities of each entity as regards data processing could be clearly determined only through a detailed analysis and audit of relations among the involved entities.

E-commerce unavoidably involves personal data processing. Every web store should thoroughly analyse its processes in terms of e.g. documentation it holds (both internal and external), the scope of data being processed and the safeguards used to protect those data.