GDPR Policy for Online Store and Marketplace

The GDPR is widely regarded as having revolutionized personal data protection and set a new standard that most other legal acts now strive to match. Several years have passed since it entered into force, and its requirements must be met by any company entering the European market. A marketplace or online store has to change its approach, starting with the algorithms of the site and ending with bringing its local acts into line. This article explains what the GDPR is and how to adapt to its requirements.

What is GDPR?

The GDPR (General Data Protection Regulation) is a European regulation for the protection of personal data. This act entered into force on April 25, 2018. After its adoption, many recognized that the act sets high requirements for the protection of personal data. Some companies temporarily left the European market in order to adjust their algorithms to the requirements of the GDPR. If an online store or marketplace is opening now and expects European customers, it is better to build the platform and the privacy policy guided by the GDPR's provisions.

Which marketplaces / online stores are subject to GDPR requirements

Even if a marketplace is created in Russia, in some cases it must take the rules of the GDPR into account. In accordance with Art. 3 of the Regulation, you are subject to the GDPR if:

  • You have an organizational unit in the European Union (hereinafter referred to as the EU) that processes personal data. An organizational unit in this case is understood as broadly as possible: it can be just an office without registration as a legal entity in the European state concerned. To decide what can be considered an office, the following criteria are usually considered: an account in a European bank, a mailbox, a representative in the EU.
  • The data subject is located in the EU and the processing is related to the offer of goods and services to them. Here, too, the courts interpret the rule broadly. EU citizenship is not required; it is enough to be in the territory of the Union. To decide whether your offers are aimed at residents of these particular countries, the courts pay attention to information about the activities of the site:
    • The availability of the website in a specific territory;
    • E-mail address;
    • Use of the language of the Member State;
    • Use of European currency;
    • Mentioning users within the EU.
      While the first three points may look unconvincing, the last two clearly indicate that the online store is focused on European users.
  • The company monitors behavior in the EU. There may be several potential cases for marketplaces. For example, a marketplace is responsible for delivering goods and monitors the movement of goods in delivery vehicles. The most common case is when an online store collects data on consumer behavior on its website.

In all these cases, marketplaces have to take the requirements of the GDPR into account.

Drafting a policy for an online store in accordance with the requirements of the GDPR

The GDPR requires a more proactive approach on the part of organizations. This includes readiness for compliance audits and the ability to demonstrate compliance. The policy should be written in detail and at the same time understandable to the user. A customer visiting the site should not be misled by complex legal descriptions.

What data does the marketplace / online store collect in the context of the GDPR requirements

In the Policy, you need to specify what data the marketplace collects about customers. The GDPR interprets personal data very broadly: it also includes aliases and company identifiers. Cookies also fall under the GDPR. For more details about them, see our article on drafting a cookie handling policy for an online store and marketplace.

What the GDPR requires of a marketplace

The policy should reflect a new approach to privacy by default, that is, any process should be built in accordance with the requirements for the protection of personal data. In addition, a Data Protection Impact Assessment (DPIA) process is required.

Data subject rights under the GDPR

In the Policy, it is also worth setting out the rights of personal data subjects, i.e. the users of the marketplace or online store, in a separate section. Users have the right to request a copy of their personal data at any time, so processes must be built to support these rights. Another important right that needs to be spelled out in the Policy, and that organizations are required to respect, is the right to request the deletion of data.

Consent to GDPR Privacy Policy

The rules for obtaining customer consent follow from the general approach of the GDPR to the Policy. The policy should be written simply, and the user's consent should be informed. In addition, consent must be:

  • Voluntary;
  • Specific;
  • Unambiguous.

While the voluntariness criterion is easy to meet, and the company probably cannot take steps to verify it, additional steps need to be considered for the awareness criterion. It is worth pulling the key provisions out of the Policy and highlighting them so that the user notices them when giving consent. Of course, the checkbox for expressing consent should be placed after the text of the Policy, not before it.

Consequences of non-compliance of the privacy policy with the GDPR requirements

European legislation provides for liability for violations in the processing of personal data, i.e. in effect for violating the procedure established by the GDPR. The fine is up to 20 million euros or 4% of the company's annual turnover. For a marketplace or online store, these amounts may be significant.

Thus, a marketplace should take the following steps. First, determine whether it is covered by the GDPR. Second, adapt the technical aspects of how its sites and applications work. Third, supplement the Privacy Policy, including the rights of users. Fourth, set up the procedure for giving consent to the terms of the Privacy Policy. If you have any questions or need help drafting a GDPR Privacy Policy, please contact the lawyers of A4 Law Firm.
