General Data Protection Rules GDPR

[mesnitu]

https://ec.europa.eu/info/law/law-to...rsonal-data_en

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.

Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.

Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

[mesnitu]

in a certain way, this all comes down to politics losing the power to big data processors and data controllers.
And a huge amount of data anarchy using user tags, like email, id , cart connections, etc.
The internet moved from piracy to piracy.

[RixStix]

Money Laundering statutory requirements, as well as accounting requirements trump GDPR

Sorry, I must have been day-dreaming when I thought there were minimum thresholds for compliance because I can't fine it now but we eliminated any 'targeting' for EU sales and removed the euro as an acceptable currency.

[brittainmark]

Been trying to think this through with customer deletions.
If a customer request their record be deleted. If we remove all records from the following tables.
zen_address_book
zen_customers
zen_customers_basket
zen_customers_basket_attributes
zen_customers_wishlist
zen_files_uploaded
zen_products_notifications
zen_reviews
zen_whos_online

Not sure about coupons if they need to be kept.
zen_coupon_gv_customer
zen_coupon_gv_queue
zen_coupon_redeem_track

Could we keep the following tables intact with out breaking zen cart. This way we still hold records of the transactions and customer and shipping details.
zen_authorizenet
zen_orders

if this appears ok a delete function could be added to the My account processing.
Could also change this to hold an optin for marketing messages/newsletters.
This works for people who create an account.
Might need equivalent added to admin for people who use paypal express checkout or check out as guest (not sure if customer account is created when they checkout in this way).

[brittainmark]

Done a bit more research. It appears that if someone uses PayPal express checkout they have an account created for them (in our store) each time they use it. So Admin function to delete also needed.

[DrByte]

Been trying to think this through with customer deletions.
If a customer request their record be deleted. If we remove all records from the following tables.
zen_address_book
zen_customers
zen_customers_basket
zen_customers_basket_attributes
zen_customers_wishlist
zen_files_uploaded
zen_products_notifications
zen_reviews
zen_whos_online

Not sure about coupons if they need to be kept.
zen_coupon_gv_customer
zen_coupon_gv_queue
zen_coupon_redeem_track

Could we keep the following tables intact with out breaking zen cart. This way we still hold records of the transactions and customer and shipping details.
zen_authorizenet
zen_orders

if this appears ok a delete function could be added to the My account processing.
Could also change this to hold an optin for marketing messages/newsletters.
This works for people who create an account.
Might need equivalent added to admin for people who use paypal express checkout or check out as guest (not sure if customer account is created when they checkout in this way).

Remember that the "Delete" button for deleting a customer already handles deleting non-order-related information: https://github.com/zencart/zencart/b....php#L362-L414

Remember: deleting the customer record means they can no longer gain access to anything that requires a login ... including virtual purchases. Might want to inform them of that if you're entertaining such requests.

Done a bit more research. It appears that if someone uses PayPal express checkout they have an account created for them (in our store) each time they use it. So Admin function to delete also needed.

Those same "accounts" are listed along with all other customer accounts, so nothing extra/special needed.



Remember: the "right to be forgotten" initiated with the problem of public social media posting, not with ecommerce transactions. With your store, the public-facing data would primarily be "product reviews", or other features you've added such as "testimonials".
Double-check with your legal team whether you're going too far with the amount of data you're considering deleting. Check also with your accountant about transaction data retention requirements, particularly if your online store is the primary record of your transactions.

[HeathenMagic]

A lot of websites are sending email to ask to resubscribe to newsletter. Are there any implications for not doing this? I asked the newsletter people I use, even they are not sure how to proceed.

[mesnitu]

A lot of websites are sending email to ask to resubscribe to newsletter. Are there any implications for not doing this? I asked the newsletter people I use, even they are not sure how to proceed.

They must have a way to opt-out. If you use ie: mailchimp, there's always a footer with your details and a unsubscribe link.
I was told today, that even if a customers agrees with with company's privacy policies, that should be renewed 1 year later. ie: cookies, etc

Another thing that I still didn't find, it's a Document that must be keap, because even if we do all correct, if we don't fill that kind of form saying what we did and why, it useless. Wich makes sense. It has to be save, recorded, somewhere.

If anyone knows the name of that form or file, please post

[mesnitu]

What Sage is doing on upcoming updates ( at least here for what I've been told ), it's to delete all data that it's not required to be in a invoice.
I've extended the zencart delete function, to check other tables, like rewards points, etc, it really depends on what's installed, and in the Orders, If a customer wants to delete the account, but has placed a order, I'll update the email to empty or something that the table default value accepts.

[HeathenMagic]

They must have a way to opt-out. If you use ie: mailchimp, there's always a footer with your details and a unsubscribe link.
I was told today, that even if a customers agrees with with company's privacy policies, that should be renewed 1 year later. ie: cookies, etc

Another thing that I still didn't find, it's a Document that must be keap, because even if we do all correct, if we don't fill that kind of form saying what we did and why, it useless. Wich makes sense. It has to be save, recorded, somewhere.

If anyone knows the name of that form or file, please post

Thanks for that. I don't use mailchimp, but I will have to see if I can put something in the footer