How to comply with GDPR (AVG) legislation.

6 minutes reading time

In Dutch, AVG stands for Algemene verordening gegevensbescherming. Elsewhere in Europe the same law is known as the GDPR: the General Data Protection Regulation.

Since 25 May 2018, this regulation has applied directly in every member state of the European Union. As a result, the 28 separate national data protection laws of the time were replaced by a single European regulation. The regulation strengthens the privacy of individuals and gives organisations more responsibility for protecting it, and for being able to demonstrate that they do.

What does the GDPR legislation mean for your webshop?

For you as a webshop, the GDPR means that you may only use customers' personal data for the purposes for which you collected it. For example, if you store a customer's address details to fulfil an order, you may not pass those details on to other parties for their own use. You are also obliged to tell customers which of their personal data you have collected and to delete it when they ask you to.

There are some factors you need to consider relating to the AVG/GDPR legislation. We have summarised the most important points for you:

#1 Make sure you have a transparent privacy statement on your website
In the privacy statement, you need to clearly explain which data you collect and for which purposes you use it.

#2 Provide a clear cookie message

A clear cookie notice, with the visitor's consent before the trackers are set, is required if you:

  1. use remarketing, for example through Google AdWords or Facebook;
  2. use Hotjar user recordings;
  3. use personalised email marketing, showing content based on products that customers have previously purchased or viewed, or on characteristics such as age and gender;
  4. use personal data to create audiences on Facebook or other social media.

#3 Clearly indicate the purposes for which you are going to use personal data
If you ask for personal data such as a date of birth, you need to clearly explain why you collect that data. When collecting data, you need to refer to your privacy policy.

#4 You need to be able to change and delete personal data
If a customer asks for their data to be deleted, you are obliged to do so unless you have a legal reason to keep it, for example invoices that tax law requires you to retain. This is also known as the right to be forgotten. As a webshop, you are also obliged to hand over the personal data a customer has provided to you in a machine-readable format, to the customer themselves or, where technically feasible, directly to another webshop, if they ask you to do so (the right to data portability). Your privacy statement must clearly specify how customers can change and delete their data.

#5 Show that you have obtained email addresses legally
If you send newsletters for marketing purposes, you need to register all your email opt-ins and be able to prove later how they were obtained and what exactly those customers gave permission for you to do.

A distinction needs to be made between opt-ins obtained when someone places an order and opt-ins obtained through pop-ups, for example. If you cannot prove this for your current customer base, you will have to ask these people to opt in again. You may only continue to email customers who have actively subscribed. For existing customers with whom you have an invoicing relationship, you may send emails about your own similar products and services without a separate opt-in, provided you gave them the chance to refuse when you collected the address. Every email you send must also contain an opt-out option.

#6 Protect your customer data
As an online retailer, you are responsible for your customers' data. Keep your webshop's software and security measures up to date, and serve the entire shop over HTTPS with a valid TLS (SSL) certificate, so that personal data is never sent in plain text.

#7 Do not retain data for longer than permitted
In principle, you may not store personal data for longer than necessary for the purpose for which you process it. The regulation allows longer storage only for archiving in the public interest, scientific or historical research, or statistical purposes, and only with appropriate safeguards such as pseudonymisation; a webshop's ordinary marketing analytics will not normally qualify. In the privacy statement, you have to inform data subjects about your data retention periods.
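The following is an added example, not code from the original article, showing how points #4 and #7 translate into a data store: a retention job that strips personal fields once their purpose has lapsed while keeping the invoice data that bookkeeping law requires, plus erasure and export handlers for customer requests. The retention periods, field names, pseudonym key and sample orders are all assumptions for illustration.

```python
"""Retention, erasure and export for a webshop order store (added example).

Models two obligations from the article: not keeping personal data longer
than its purpose needs (#7) and honouring deletion and portability requests
(#4), while retaining what accounting law requires. All periods, field
names and sample data are assumptions; take the real values from your
privacy statement and the statutory duties that apply to you.
"""
from dataclasses import dataclass, replace, asdict
from datetime import date, timedelta
import hashlib
import json

# Assumed retention periods per purpose.
DELIVERY_RETENTION = timedelta(days=60)         # address needed for shipping and returns
ACCOUNTING_RETENTION = timedelta(days=7 * 365)  # invoices kept for the tax authority

# A per-deployment secret makes the pseudonym unlinkable to the plain e-mail
# without the key. Hypothetical value; store the real one outside the code.
PSEUDONYM_KEY = b"rotate-me-in-production"

RUN_DATE = date(2024, 6, 1)  # assumed "today" for the sample run


@dataclass(frozen=True)
class Order:
    order_id: str
    email: str          # identifies the customer; "" once pseudonymised
    customer_ref: str   # stable pseudonym so invoices stay linkable
    address: str        # needed only for delivery and returns
    total_eur: float
    ordered_on: date


def pseudonym(email: str) -> str:
    """Keyed hash of the e-mail: the order stays auditable without naming the person."""
    return hashlib.sha256(PSEUDONYM_KEY + email.lower().encode()).hexdigest()[:16]


def new_order(order_id, email, address, total_eur, ordered_on) -> Order:
    return Order(order_id, email, pseudonym(email), address, total_eur, ordered_on)


def apply_retention(orders: list[Order], today: date) -> list[Order]:
    """Strip or drop personal data whose retention period has elapsed.

    Past DELIVERY_RETENTION the e-mail and address are no longer needed for
    the purpose they were collected for, so they are blanked; the invoice
    data (id, amount, date, pseudonymous customer_ref) stays. Past
    ACCOUNTING_RETENTION the whole record is deleted.
    """
    kept = []
    for o in orders:
        age = today - o.ordered_on
        if age > ACCOUNTING_RETENTION:
            continue
        if age > DELIVERY_RETENTION:
            o = replace(o, email="", address="")
        kept.append(o)
    return kept


def erase_customer(orders: list[Order], email: str) -> list[Order]:
    """Right to erasure: remove identifying data at once.

    Invoices still inside the accounting period may be kept (erasure can be
    refused where a legal obligation requires the data), but only in
    pseudonymised form: e-mail and address go, the keyed customer_ref stays.
    """
    ref = pseudonym(email)
    return [replace(o, email="", address="") if o.customer_ref == ref else o
            for o in orders]


def export_customer(orders: list[Order], email: str) -> str:
    """Right to data portability: the customer's records as machine-readable JSON."""
    ref = pseudonym(email)
    rows = [asdict(o) | {"ordered_on": o.ordered_on.isoformat()}
            for o in orders if o.customer_ref == ref]
    return json.dumps(rows, indent=2)


# Constructed sample data for the example.
SAMPLE_ORDERS = [
    new_order("A100", "anna@example.com", "Keizersgracht 1, Amsterdam", 49.95, date(2015, 3, 1)),
    new_order("A200", "anna@example.com", "Keizersgracht 1, Amsterdam", 19.50, date(2023, 11, 15)),
    new_order("B300", "bob@example.org", "Coolsingel 2, Rotterdam", 120.00, date(2024, 5, 20)),
]

if __name__ == "__main__":
    after = apply_retention(SAMPLE_ORDERS, RUN_DATE)
    print([(o.order_id, o.email, o.address) for o in after])
    print(export_customer(after, "bob@example.org"))
    print([(o.order_id, o.email) for o in erase_customer(after, "bob@example.org")])
```

Run as a scheduled job, `apply_retention` is what turns the retention periods in your privacy statement into something you can actually demonstrate; `erase_customer` shows the "in some cases" of the right to be forgotten in practice, keeping only the pseudonymised invoice for as long as tax law demands.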

#8 Enter into a processing agreement with every party that processes personal data on your behalf
Hosting providers, payment and email marketing services and fulfilment partners that handle your customers' data are processors, and the GDPR requires a written processing agreement with each of them. The agreement ensures that the rights of individuals remain safeguarded when data leaves your hands, and if something goes wrong it determines who is liable. You have to include the following in a processing agreement:

  1. which purposes the personal data may be used for;
  2. which safety measures need to be taken;
  3. where personal data is stored;
  4. who is responsible for what;
  5. what happens when an agreement ends;
  6. which costs are involved and who pays for those costs;
  7. how to deal with data breaches and damage in the event of non-compliance with the agreements that have been made.

What happens if you don’t comply with the AVG legislation?

For violating the basic principles, fines can amount to 20 million euros or 4% of worldwide annual turnover, whichever is higher. For less serious violations, fines can amount to 10 million euros or 2% of worldwide annual turnover, whichever is higher.
Good preparation is half the work! So make sure you are well prepared; that way, you will avoid nasty surprises. If you would like more information on what this means for your webshop, the website of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) provides all the information you need.