Behind The Code, with DrByte

GDPR FAQ for Storeowners

NOTE: This material has been prepared for informational purposes only, and it is not intended to provide, and should not be relied on for legal or compliance advice. For specific advice on how you are to comply with the GDPR, you should consult your own legal advisor.

Posted 25 May 2018.

The following is simply a general outline of things to consider related to GDPR as it affects a merchant who has downloaded and installed the Zen Cart application on a webserver to run an online store.

Scope: The following comments consider only the case of a merchant running the core, unaltered Zen Cart application software on their server. Any customizations to the software, or any additional software running on the server, require careful review and an understanding of how best to use that software in a compliant manner. Thus again, it is important to consult your own legal counsel to ensure your entire web presence is compliant.


The Zen Cart application is software which you install and operate on your own website. It is your own responsibility to implement and use the software in a manner that is compliant with all regulations in jurisdictions where you operate or have customers.

The Zen Ventures LLC organization does NOT process or control or collect any of your customers' personal data, nor have any access into your store or its database or the hosting company on which it operates, nor any control over your website domain services. Only you control that data and manage those services.

What is the GDPR?

The General Data Protection Regulation (GDPR) is the European privacy law effective since May 25, 2018.

Data protection laws govern the way that businesses collect, use, and share personal data about individuals. Among other things, they require businesses to process an individual's personal data fairly and lawfully, allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data), and ensure appropriate security protections are put in place to protect the personal data they process.

Whom does the GDPR apply to?

The GDPR applies to all entities and individuals based in the EU and to entities and individuals, whether or not based in the EU, that process the personal data of EU individuals. The GDPR defines personal data as any information relating to an identified or identifiable natural person. This is a broad definition, and includes data that is obviously personal (such as an individual's name or contact details) as well as data that can be used to identify an individual indirectly (such as an individual's IP address).

Does the GDPR apply to me as a storeowner?

Yes, if you are processing the personal data of EU individuals on your website or online store, the GDPR applies to you, regardless of your own location or even your server's location.
Additionally, even if the GDPR does not currently apply to you, it is still good practice to implement its requirements in order to offer maximum privacy and protection to your customers.

Who is the "Data Processor"?

As a storeowner running the Zen Cart application on your website, the "data processor(s)" include your hosting company, any external services you use, and you. Your hosting company is a processor of the personal data and information that you and your customers submit to your store's database. Any external services, including shipping and payment processors, analytics tracking, etc., are data processors of the personal data submitted for processing transactions. You are a processor of personal data when you extract that data for various purposes, including order fulfillment and reporting.

Again, consult professional counsel to identify all the Data Processors involved in all the services you use to operate your business.

Who is the "Data Controller"?

As a storeowner running the Zen Cart application on your website, you act as a data controller for the customer information you collect to provide products and services and to provide customer support. This customer information includes things such as customer name, contact information, physical address, etc.

If you are using external services or subprocessors for analytics tracking, ad retargeting, visitor browsing behavior, etc., they may also be considered data controllers. Consult their DPA and your own legal counsel.

Privacy Policy and Terms of Use

It is important that your Privacy Policy and your Terms of Use pages outline clearly what personal data you collect and process, what it is used for, and whom customers should contact if they wish to have that information removed. Having this information clearly defined and easily accessible is a big part of the GDPR's most basic requirements. You should also not be forcing customers to opt in to newsletters, etc. Make sure that a link to access this information is prominent and/or obviously accessible from relevant pages on your site (pages such as your Create Account page, and probably your site's footer, are good starting points).
Again, remember that external services for things such as analytics tracking, ad retargeting, visitor browsing behavior, payment processing and order fulfillment involve the use of personal data, so they should be disclosed and described. This allows your customers to decide whether they want to provide their information in the first place.

What personal data do I collect and store from my customers?

As a storeowner running the Zen Cart application on your website, you are storing data that customers have given you voluntarily. For example, in your role as data controller, you are likely collecting and storing contact information, such as name, email address, phone number, or physical address, when customers sign up for your products and services or seek support help. You may also collect other identifying information from your customers, such as IP address, payment identifiers (for example, an ID supplied by a payment gateway), etc. These sorts of things need to be listed in your Terms of Use and Privacy Policy. Your webserver's logs (both those you control, and those only your hosting company can access) likely also store the IP addresses of all your website traffic.

Transmission of personal data?

If you are using external services for payment processing, drop-shipping or order fulfillment, analytics, AdWords, etc., you may be transmitting personal data to those providers. Consult your legal counsel to ensure you and they are compliant. Document what kind of data is transmitted as part of your Terms of Use and/or Privacy Policy.

Do I need a Data Processing Agreement (DPA)?

Consult your legal counsel. If you are in the EU or serving EU persons, then you may need to sign DPAs with all your providers. This gives you and them details on how to manage accessing and deleting personal data across all related services in the event someone requests it.

Transfer of international data

If you and your hosting company or external service providers are not all located within the EU, then you are most likely "processing data internationally". Consult your legal counsel and/or your hosting/service providers to determine whether they are fully compliant with your requirements, or to determine whether you may need to change providers in order to be compliant.

Right to be forgotten

The Zen Cart application offers the ability to delete a customer via your Admin dashboard.
This delete process includes deleting any reviews the customer has posted using the built-in reviews feature. It does not automatically delete customer-posted data stored by 3rd-party addons you may have added, nor data held in 3rd-party external services you may have implemented (such as a reviews service that operates via a JavaScript widget on your store).

Deletion of order history
Note that the deletion of a customer does NOT delete all of their orders (orders contain their contact/shipping details where necessary, and may be considered data "necessary to retain for normal business purposes" such as fulfilling orders and maintaining accounting records).
If you are going to delete orders, you may wish to manually delete their individual orders first before deleting their customer record, since you can filter to show all of a customer's orders from within the customer page for quick access, instead of having to use the Search from the orders page.

Check with your legal counsel about which data your business needs to keep, vs which data can/must be deleted upon request.
Note that customers requesting "to be forgotten" may only be asking for their public-facing information (i.e., reviews) to be deleted. Others may actually want all personal data to be removed from your database. Your legal counsel can assist with proper handling of such requests.

Right to access

When a customer wishes to review what personal data you store about them, the Zen Cart application offers the following components:
1. Their own "My Account" profile. Here they can review and edit the personal information about themselves (name, contact, physical/shipping addresses, etc) and access their complete order history. (If you employ some sort of 3rd-party guest-checkout plugin, they may need to inspect each order individually using that plugin's order-lookup page.)
2. Your Admin dashboard allows you to review the information you have about them (name, contact, physical/shipping addresses, etc). Buttons on that page allow you to inspect their order-history as well.
3. Your Admin dashboard allows you to search order history for orders containing the customer's name or email address.
4. Your Admin dashboard allows you to manage all product Reviews.
5. Any plugins you've added to your store may or may not provide means to review/manage data submitted. Consult each individually for guidance.
Consult your legal counsel to confirm whether you may have other data sources which need to be considered during a request for access to (or a copy of) personal information.

This is not legal counsel.

This material has been assembled from various sources and is provided for informational purposes only, and it is not intended to provide, and should not be relied on for legal or compliance advice. For specific advice on how you are to comply with the GDPR, you should consult your own legal advisor.


Anonymizing Your Analytics Data

Related Reading

Community Forum discussion on implementing additional controls in Zen Cart in preparation for GDPR:

Zen-Cart, Internet Selling Services, Klamath Falls, OR