Changes regarding data controller beginning with 25.05.2018 applicable for online stores

With the advent of EU Regulation 2016/679, traders who have an online business have a number of new obligations regarding the processing of their customers’ personal data.

This responsibility of online stores is far more extensive than Law 677/2001, which will be repealed by the New Regulation on 25.05.2018.

One of the most important changes is the transparency of the relationship between the online store and the customer, as the trader has to provide their customers with all the information about the security of their personal data.

Therefore, data security implies the adoption of new technical and organizational measures.

For example, two new principles are required for platforms and applications: Privacy by design & by default, both requiring the introduction of technical measures at the level of the platform used to demonstrate that the user data is protected at the highest level and that it is only processed the data required for the specific purpose (for billing, for example, the processing of the CNP is not justified, since legally this date is not necessary for issuing the invoice).

For example, the provision in the legal documents that, once the personal data were transmitted, the data subjects agree that the online store will also automatically transmit these data to third parties does not fulfill the condition of legal processing based on user consent.

E-commerce platforms that provide unrestricted and irrevocable access to personal data, as well as the right to use, reproduce, display, modify, transmit or distribute this information do not comply with basic provisions of the EU Regulation 2016/679.

From the perspective of the Regulation, this express agreement integrated into a document that provides many other issues, including the phrase “Unrestricted and Irrevocable Access”, is inconsistent with one of the principles governing data protection.

Moreover, even this data transfer must fulfill the condition of legal processing.

Processing data without the consent of the person concerned

In the absence of the consent of the data subject and without informing him of the purpose for which the data is transmitted to third parties, the trader processes unlawful data and is exposed to the payment of fines, and in the worst case he may be forbidden to process personal data.

Security of customer’s data

As far as data security is concerned, the major online stores in Romania are just informing about the confidentiality of the collected data. The regulation, however, also talks about those guarantees that prove the measures taken.

Any processing of personal data should be legal and equitable. It should be transparent for natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent personal data are or will be processed.

The principle of transparency requires that any information and communications relating to the processing of such personal data are readily accessible and easy to understand and that a simple and clear language is used. This principle refers in particular to informing the data subjects about the identity of the operator and the purposes of the processing, as well as providing additional information to ensure fair and transparent processing of the individuals concerned and their right to be acknowledged and to communicate personal data concerning them that are being processed.

Individuals should be informed of the risks, rules, guarantees and rights in the processing of personal data and how to exercise their processing rights. In particular, the specific purposes of processing personal data should be explicit and legitimate and determined at the time of collection.

Personal data should be adequate, relevant and limited to what is necessary for the purposes for which it is processed. This requires, in particular, that the period for which personal data is stored is strictly limited to the minimum. Personal data should only be processed if the purpose of the processing can not be reasonably met by other means.

In order to ensure that personal data are not retained for longer than is necessary, the operator should set deadlines for the deletion or periodic review. All reasonable measures should be taken to ensure that personal data that is inaccurate is rectified or deleted.

Personal data should be processed in such a way as to ensure their security and confidentiality, including to prevent unauthorized access to or the unauthorized use of personal data and equipment used for processing.

Contact an Advisor

If you have any questions regarding this topic and how it might have an impact on your business, please contact the Mirus Consultant with whom you regularly work, or:

Irina Craciun

  • Legal Contributions
  • Bucharest
  • +40 724 000 173