GDPR Compliance

  • Posts: 267
  • Thank you received: 5
6 years 6 months ago #292358

Hi Nicolas,

On the rest of the forms I am putting two buttons. One button for xls format and one for csv.

Thnaks!

Attachments:
Last edit: 6 years 6 months ago by dvddvd.

Please Log in or Create an account to join the conversation.

  • Posts: 82956
  • Thank you received: 13392
  • MODERATOR
6 years 6 months ago #292394

Hi,

Well, I don't think it's a good idea.
It would be better to have only one button for all the personal data of the user on the website: the joomla user account data, the addresses in HikaShop, the votes and comments on the products, other extensions data, etc.
And I think that it's what the GDPR requires: one button to get all the user data. Not tens of buttons here and there.
I read recently on the Joomla github of some idea to have some extension or some in the core of Joomla so that extensions could integrate with it to do that. I think that's really the way to go.
Us adding a button for the addresses of the users in HikaShop only won't help comply to the GDPR imho.

The following user(s) said Thank You: dvddvd

Please Log in or Create an account to join the conversation.

  • Posts: 267
  • Thank you received: 5
6 years 6 months ago #292404

thanks Nicolas, while this add-on appears, it would not be possible to perform this action?

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 6 months ago #292419

Having spent endless hours trying to figure out the best path to GDPR compliance,
I totally agree with Nicolas: there has to be one single, integrated solution for the end-user who wishes to view, edit, delete, or download ALL their personal data, which was submitted voluntarily, or collected automatically in our sites (such as the user profile, forum posts, comments, Hikashop profile, IPs, and so on). Unfortunately Joomla is not ready yet. It should have been ready, but GDPR was probably neglected or underestimated.

Nevertheless May 25 is approaching and we must comply with GDPR's requirements. Please correct me if (or where) you think I am wrong:
The GDPR sets the rights of the data subjects (right to erasure, portability, rectification, etc) and requires us to provide the means to the data subjects to perform all these rights. Until the Joomla team comes up with a solution, we must provide one. One way is to look for such software (Joomla components) from 3rd parties, which deal with GDPR. Some of these software solutions are very good, yet they don't fully comply with all requirements.

Another solution (which is perfectly acceptable in my opinion) is the following:
You can create a new email account dedicated to privacy issues (e.g. privacy @ yoursitename.com). Then you must add a section to your Privacy Policy page (called e.g. 'Your Access to and Control over your personal information'), where you inform visitors about all their rights to their personal information, and tell them that they can reach you in this email address if they wish to perform any of these rights. As an additional step, you may create a dedicated contact form e.g. on your site footer, which includes various checkboxes corresponding to the users' rights to information.
Of course this means more work for us. I don't think there will be so many request of this kind to keep us very busy. Or so I hope.

Last edit: 6 years 6 months ago by panefs.
The following user(s) said Thank You: dvddvd

Please Log in or Create an account to join the conversation.

  • Posts: 82956
  • Thank you received: 13392
  • MODERATOR
6 years 6 months ago #292420

Hi,

I think that panefs propositions are indeed better.
While a good solution comes from Joomla and/or 3rd party extensions, I would also recommend to setup something manual like proposed so that people can send a contact form and you reply to them manually with the information. I also doubt that a lot of people will bother with that and for the few who will, you can do that manually.
Then, once there is a suitable solution to handle all that automatically, you can scrap that contact form and use that solution instead.

Joomla 3.9 is actually working hard on the GDRP:
developer.joomla.org/news/725-goals-for-joomla-3-9.html
As you can read there, it includes a way to provide a download of all the personal data of the user and have extensions able to integrate with it.

Last edit: 6 years 6 months ago by nicolas.
The following user(s) said Thank You: dvddvd

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 6 months ago #292452

Nicolas, any ideas regarding the Joomla 3.9 release date?
In their announcement, the developers mentioned 'the short timeline for this release'. From your experience, could this translate into days, weeks? GDPR is 2 weeks from now.

Please Log in or Create an account to join the conversation.

  • Posts: 267
  • Thank you received: 5
6 years 6 months ago #292474

it's good news

Please Log in or Create an account to join the conversation.

  • Posts: 281
  • Thank you received: 3
6 years 6 months ago #292478

Just to be sure to have understood what you mean.
in the dedicated contact form the users can ask to delete their data or they can ask to know data that we stored. It is correct??
Moreover if users can buy products as a guest, technically how can they have access to their data if they dont have an account to log in??

Thanks
Frank

Another solution (which is perfectly acceptable in my opinion) is the following:
You can create a new email account dedicated to privacy issues (e.g. privacy @ yoursitename.com). Then you must add a section to your Privacy Policy page (called e.g. 'Your Access to and Control over your personal information'), where you inform visitors about all their rights to their personal information, and tell them that they can reach you in this email address if they wish to perform any of these rights. As an additional step, you may create a dedicated contact form e.g. on your site footer, which includes various checkboxes corresponding to the users' rights to information.
Of course this means more work for us. I don't think there will be so many request of this kind to keep us very busy. Or so I hope.

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 6 months ago #292481

Hello Frank,
The end-users have the right to know what personal data we've stored, the right to ask for their personal data to be erased, the right to get a copy of their data in a machine readable format, the right to make changes to any of their data that are inaccurate. If you plan to create a dedicated contact form, make sure it include all these options.
I am not a lawyer, but I think that you must begin with stating these user rights in your privacy policy and also state the means that the data subject can use to perform their rights (contact you via email or via a dedicated contact form, direct involvement, etc).
The very same rights apply to guest purchases. The customer can contact you to exercise any of these rights. There is an issue here regarding the right to erasure. We are obliged to keep the orders data for X years. The Hikashop team can help us here: if we delete the Hikashop user profile, will this affect the stored orders data (e.g. name, address, etc)?

Please Log in or Create an account to join the conversation.

  • Posts: 82956
  • Thank you received: 13392
  • MODERATOR
6 years 6 months ago #292454

I don't think that you'll see it in two weeks.
Even if the features were finished right now (which is not the case at all), between the beta period, the release candidate, and the final release two weeks would be short.
I'd wager you need to count in months.

At the moment, when you delete a Joomla user account, the HikaShop user and the associated orders/addresses are not deleted. Only the user account is and thus the user becomes a "guest checkout" user in HikaShop.
And if you try to delete a user from the HikaShop interface, it will only be accepted if the user doesn't already have orders.

Last edit: 6 years 6 months ago by nicolas.

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 6 months ago #292501

nicolas wrote: I don't think that you'll see it in two weeks.
Even if the features were finished right now (which is not the case at all), between the beta period, the release candidate, and the final release two weeks would be short.
I'd wager you need to count in months.

At the moment, when you delete a Joomla user account, the HikaShop user and the associated orders/addresses are not deleted. Only the user account is and thus the user becomes a "guest checkout" user in HikaShop.
And if you try to delete a user from the HikaShop interface, it will only be accepted if the user doesn't already have orders.


Thank you very much, Nicolas!
Frank, now we have a more complete picture about guest purchases: a guest customer may contact you (directly via email, or via a contact form) and ask to perform any of their GDPR rights, except for the right to erasure.

Please Log in or Create an account to join the conversation.

  • Posts: 281
  • Thank you received: 3
6 years 6 months ago #292505

Sorry but i dont understand how to handle with guest custmers :blush: :oops:
Can explain me please??
:)

Thanks

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 6 months ago #292506

You need provide your customers (guest or regular, it doesn't matter) a means to communicate with you regarding their GDPR rights.

1. Begin with creating a dedicated email address (e.g. privacy @ yoursitename.extension) where people can reach you about data privacy issues. You need to include this email address in your Privacy Policy page, in the section that explains the users' rights to their personal data. If you accomplish this step, you' ll have done a major step forward to the safe side.

2. The next step is optional. You may create a contact form, using a Joomla component that creates forms with radio buttons and check boxes. You need to add different radio buttons that correspond to different user rights (e.g. 'I would like to have my personal data erased from this site', 'I would like to download a copy of all my personal data stored on this site', and so on). The user will check the appropriate options and send you the form.
Mind that if you store the messages sent with this form then you should ask the user's consent at the end of the form (another GDPR requirement, since you are collecting the user's name and email address).

Please Log in or Create an account to join the conversation.

  • Posts: 281
  • Thank you received: 3
6 years 6 months ago #292512

Thank you for your clarificaion...If I need again your help I will bother you again here :)
HOwever I am followinf this discussion if there will be some developing.

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 6 months ago #292525

francota wrote: Thank you for your clarificaion...If I need again your help I will bother you again here :).

You don' t bother me at all. I am also trying to sort through this mess. I'd like to say (again) that this is my own interpretation of what can be done to align with the GDPR requirements regarding the rights of data subjects.

The following user(s) said Thank You: dvddvd

Please Log in or Create an account to join the conversation.

  • Posts: 281
  • Thank you received: 3
6 years 6 months ago #292535

Panefs I was thinking about your possible solution in the case of guest useres.
I wonder if I know your email I could ask to delete your data user ...what do you think about that?
If I insert in the GDPR text that data user will be deleted from the web site when the product is delivered, how is this solution? in this case do you think I still have to give the choise to delete the user data??

Frank

Please Log in or Create an account to join the conversation.

  • Posts: 105
  • Thank you received: 6
  • Hikashop Business
6 years 6 months ago #292542

Frank, I am not sure I completely understood the question. Retention (and deletion) of orders data is a topic that you must discuss with your accountant / financial advisor, taking into account the GDPR & local legal framework.
You'll find some answers in these pages:
ico.org.uk/for-organisations/guide-to-da...inciple-5-retention/
and
www.mycustomer.com/marketing/data/gdpr-a...requests-for-erasure

Please Log in or Create an account to join the conversation.

  • Posts: 87
  • Thank you received: 5
  • Hikashop Business
6 years 6 months ago #293083

Is there an easy way to delete user accounts of a certain age that have never placed an order from both the Hikashop user database and the Joomla user database at the same time?
For VAT purposes I am supposed to save order details for 7 years, but for users who only made an account but never placed an order this period can be a lot shorter. However, I don't know how to delete those accounts specifically and easily.

Please Log in or Create an account to join the conversation.

  • Posts: 82956
  • Thank you received: 13392
  • MODERATOR
6 years 6 months ago #293084

Hi,

There is nothing for that yet. But that's among the things which will come with the next releases of Joomla / HikaShop.

The following user(s) said Thank You: mohairbears

Please Log in or Create an account to join the conversation.

Time to create page: 0.110 seconds
Powered by Kunena Forum