General Data Protection Rules GDPR

[DarkMen]

Has anyone solved complications with GDPR? I solve this for a long time now, and I still don't have a complete solution, just minor modifications.
I'm looking for a module or someone who will be able to solve the problem of customer deletion + all the links with. Please for info, thanks in advance.

[mesnitu]

@DarkMen,
Really depends on your site data collection , etc.
For cookies opt-in : there is a "free" script from One trust ( just in english last time I saw) . But if you need more, perhaps you'll have to pay.
Is it worth it or not ? Depends on your site sales, etc.

The one from cookie consent can be altered also , but it takes some work, etc...

Deleting a customers: Zencart already does that, the only issue is on orders. I've opt to update the customers data that I don't need for a invoice. Also you must check other tables ( additional modules that may have customers info).
There is a post here in this thread where you have a way to do this in the account files. Perhaps it's a start.

[Andy-C27]

Hey all is there a way to add a memorable question to the sign in forms with FEC that we can see on their account ..Both account and non account, it's so we can prove it is really them and not someone else ..It's 1 of the GDPR requirements.
I've got the delete account sorted as it can be done

Also got to add a data capture form on website ,but can't exactly remember what I was told so need to check on that

[marton_1]

What Sage is doing on upcoming updates ( at least here for what I've been told ), it's to delete all data that it's not required to be in a invoice.
I've extended the zencart delete function, to check other tables, like rewards points, etc, it really depends on what's installed, and in the Orders, If a customer wants to delete the account, but has placed a order, I'll update the email to empty or something that the table default value accepts.

Standard Zen Cart emails have EMAIL_DISCLAIMER in every email footer, Why not simply add a suitable sentence there? It is defined in emailextras.php to be found in includes/languages/[language]/

[Andy-C27]

That's actually not a bad idea ... Once the order is completed..Well I send a final email , you could also add would you like to delete account yes / no

[DrByte]

Hey all is there a way to add a memorable question to the sign in forms with FEC that we can see on their account ..Both account and non account, it's so we can prove it is really them and not someone else ..It's 1 of the GDPR requirements.

Are you saying somebody has told you that GDPR requires that you add a "please tell us your mother's maiden name" question that you force everyone to answer every time they login?

[RixStix]

Question for the GDPR knowledgeable folks...

How does "Canvas Fingerprinting" relate to GDPR since it identifies a specific piece of hardware (computer, tablet, phone, etc) and then has ability to track that hardware presence across the internet in a seemingly more intrusive manner than a cookie? But since it does not identify a person or any PII, does that make a Canvas Fingerprint OK in terms of GDPR?

Not trying to open a can of worms but I am seeing more canvas fingerprinting popup notices and some websites actually stop working if fingerprinting is blocked or if a fake fingerprint is transmitted.

[Ryk]

@Darkmen

Please PM me if you still need help.

[Ryk]

To summarise the essentials of GDPR ....your users must

give Explicit Consent for you to use their data for the purposes you intend,
have Access to their information and
have the Option to remove their information.

Zencart has Consent (you may need to set admin> configuration > regulations ...Confirm Privacy Notice During Account Creation Procedure to true) and Access (through My Account) in place while the Option to Remove exists in the sense that the user must inform you that they want to have their data removed upon which you can delete their account from admin > customers > customers, but there is not really the clear guidance that GDPR demands.

Giving consent extends to your existing clients, so they need to have the opportunity to review and Accept/Decline your privacy policy.

So we've added 2 new links in My Account for Review and accept privacy statement and Delete My account.

The former takes the user to a page which displays the contents of admin > tools > define_pages_editor...define_privacy.php, with buttons to Accept or Decline. If they Accept, they continue with whatever they were doing, but if they decline, they are logged out and taken to a page which explains why, and lets them know they can log back in and change their mind, otherwise their account will be deleted.

Whichever decision they make, the date is recorded in the database and a flag also set to show the decision. These flags can then be used by those with appropriate skills to identify and automatically delete accounts. You would need to action Delete Requests manually via admin > customers > customers where, as a reminder, deleting the customer does not delete their past orders which you are legally required to retain in the UK by HMRC for 6 years.

It would also be necessary to email your existing customer base to invite them to visit the site and login to update their preferences.

Admin functions

You can specify the email address to which the Delete requests are sent.
Should you need to modify your privacy statement and require people to re-consent, you can reset so that the client will have to review the privacy on their next login.
The date of acceptance (or otherwise) displays in the customer info page.
There is a sortable and "searchable by email" display of all those who HAVE accepted

This manual version of our GDPR package for Zencart was written for ZC155 (although it will work on older) and for now you can download it from http://jsweb.uk/gdpr_service/gdpr4zc.zip as we haven't had time yet to meet the documentation requirements for submitting to the plugins section.

[Andy-C27]

Thank you will use your package ...
Re memorable question I have been advised to have this option as it can prove who you are if you actually want your details known or not.. Don't blame me I'm just trying to do what I have been advised to do by a legal advisor...Apparently if you have a account and you separate your partner or who ever cannot access your account without knowing the memorable password

Apparently we are also suppose to have a data capture form on website ..

I personally do not want all this, so if anyone can advise that would be great