{"id":24782,"date":"2021-09-03T14:30:50","date_gmt":"2021-09-03T13:30:50","guid":{"rendered":"https:\/\/www.alioze.com\/?p=24782"},"modified":"2021-09-03T14:47:56","modified_gmt":"2021-09-03T13:47:56","slug":"rgpd-which-is-affected-and-how-to-comply","status":"publish","type":"post","link":"https:\/\/www.alioze.com\/en\/gdpr-compliance\/","title":{"rendered":"GDPR: who is concerned and how to comply?"},"content":{"rendered":"

A source of concern for many businesses and e-tailers, the GDPR<\/strong>\u00a0came into force on 25 May 2018<\/strong>.<\/p>\n

If you handle online payments or manipulate data of EU residents for commercial and marketing purposes, you are one of the organizations concerned!<\/p>\n

To put an end to your worries, we help you to see more clearly by giving you all the GDPR<\/strong>\u00a0best practices<\/strong> to comply<\/strong>.<\/p>\n

But first, let’s start with the basics: what is the GDPR<\/strong>?<\/p>\n

 <\/p>\n

GDPR<\/strong>: definition<\/h2>\n

Established by the EU Council in April 2016, the General Data Protection Regulation<\/strong> (GDPR) is the European Union’s new data privacy<\/strong> law.<\/p>\n

Its entry into force took place on 25 May 2018, when it replaced the old EU Directive on the protection of personal data dating from 1995.<\/p>\n

The GDPR is an 88-page text that sets out the rules that organisations processing data must follow in terms of collection, storage, use, protection and security.<\/p>\n

Its stated aim is to extend the rights of European citizens with regard to their personal data, by strengthening their protection and giving them the means to manage the way it is used by companies.<\/p>\n

Specifically, the GDPR gives individuals the right to access, correct, delete and strictly process their data.<\/p>\n

 <\/p>\n

GDPR<\/strong>: who is concerned?<\/h2>\n

It is legitimate that you ask yourself the question: who is the GDPR for<\/strong>? To answer this question, here are three things you should know.<\/p>\n

 <\/p>\n

\"RGPD<\/a><\/p>\n

1 – Business activities in the EU<\/p>\n

Even if your company is not based in the European Union but you do business there, you need to comply with the GDPR<\/strong>.<\/p>\n

This new regulation concerns all companies in the European Union, but also all those who sell products or services to European residents.<\/p>\n

 <\/p>\n

\"RGPD<\/a><\/p>\n

2 – Data processing activities<\/p>\n

You are concerned by the GDPR as soon as you collect and\/or process personal data.<\/p>\n

What data is affected by the GDPR<\/strong>? Any customer information that identifies an individual. Photos, posts on social networks, IP addresses, bank details and all identification numbers such as the NIR: the GDPR<\/strong> applies to all marketing, sales, advertising, HR and accounting databases.<\/p>\n

In short, if you use your customers’ data for purposes other than simply filling orders, then you are particularly concerned!<\/p>\n

Don’t worry, you are not alone in this. The GDPR\u00a0does not only apply to e-commerce owners, associations or any other organisations. Tools, software, CMS and social networks such as Google, Facebook, MailChimp or Shopify, to name but a few, are also concerned and must comply.<\/p>\n

 <\/p>\n

\"RGPD<\/a><\/p>\n

3 – VSEs, SMEs, associations, major accounts… all in the same boat<\/p>\n

The GDPR affects private AND public companies of any size or sector.<\/p>\n

It doesn’t matter if you have one employee or 10,000: as long as you manage data on European citizens, the GDPR applies. However, small e-tailers and VSEs do not have to comply with the same requirements as a large company or an e-commerce monster.<\/p>\n

A company in the health sector, which manages medical data considered as “sensitive” will not have the same requirements as a company selling beauty products.<\/p>\n

However, many of the requirements of the GDPR apply to all businesses.<\/p>\n

 <\/p>\n

GDPR: best practices for compliance<\/h2>\n

[Editor’s note: our best recommendation is to consult a specialist GDPR agency<\/a> to help you get compliant]<\/p>\n

 <\/p>\n

Obtaining client consent<\/h3>\n

Consent should be given by a clear positive act by which the data subject freely, specifically, knowledgeably and unambiguously expresses his or her agreement to the processing of personal data concerning him or her<\/em>.”<\/p>\n

The GDPR requires organisations to be clear in how they obtain customer consent. In other words, an individual’s consent to hand over their data must be explicitly given.<\/p>\n

In this sense, previously checked boxes are not a valid indication of consent.<\/p>\n

Data subjects must also be able to withdraw their consent easily. In this case, they must also be able to request the deletion of their data.<\/p>\n

 <\/p>\n

Good practices for obtaining client consent :<\/strong><\/p>\n