GDPR in e-commerce and e-mail marketing

If some sectors are affected by the GDPR more than others, e-business, online marketing and e-mail marketing in particular are certainly among them; one could fairly say they top the list.


E-shops and online marketing involve a great deal of work with data, both ordinary personal data and sensitive data. Czech e-shop operators are going through a difficult period: having only just settled down after the introduction of EET (the Czech electronic sales registration), they now face an even bigger change in the form of a sweeping regulation that fundamentally tightens the handling of personal and sensitive data, the GDPR, which applies from 25 May 2018.

The new rules will primarily affect how consent to the processing of personal data is obtained: not only the consent itself, but also how it must be worded and what it must contain.

Penalties for failing to prepare and failing to protect personal data can be devastating, but if you prepare early and carefully you will minimise, or even eliminate, that risk.

What about consents already granted?
Any personal data that merchants use for marketing purposes and have already collected from data subjects (the persons to whom the data belong) on a basis other than active consent must either stop being used and be deleted entirely, or the merchants must ask the data subjects for new, active and unconditional consent. This includes data collected passively, i.e. where the consent box was already pre-ticked for the user, and consents the user was forced to give as a condition of something else, e.g. in order to complete an order.

GDPR compliant consents
Consents in e-commerce and e-mail marketing are usually associated with sending commercial communications, promotional e-mails or newsletters. Consent must be unambiguous, freely given and clearly separated from other provisions such as the general terms and conditions. It must be given actively, i.e. the user, as the data subject, must tick the box themselves, and it must not be conditional, e.g. the user must not be prevented from ordering or denied a reward for declining to consent. The data subject must also be able to withdraw consent as easily as it was given. The consent text should state why the data will be processed, how it will be handled and by whom, and should also define what communications and materials will be sent on the basis of that consent.

Responsibilities of the data controller (e.g. an e-shop operator)
All data controllers must be able to document that, for a given purpose, they process only the information that purpose requires (for example e-mail address, name and postal address in the case of an e-shop). This entails keeping records of the processing and being able to demonstrate the above to the supervisory authority on request.

If stored data is leaked or otherwise misused, you must report the breach to the supervisory authority (in the Czech Republic, the Office for Personal Data Protection) within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the individuals concerned.

How to do it?
It is important to capture all processes concerning the handling, storage and potential loss of data in the company's internal policies, so that everyone in the company knows how to handle personal data and what to do in the event of a leak. Setting up internal processes is one thing; technically securing the computer network, premises and so on against data leakage is another. You should do everything reasonable to minimise the risk of loss and misuse of personal data.

If you need help with preparation, non-binding advice and consultation, checking and securing the internal network, or finding a data protection officer, contact the experts; it will save you a lot of time and stress.