The GDPR (General Data Protection Regulation) legislation intends to harmonize the protection of individuals’ data across the European Union (EU), Iceland, Liechtenstein and Norway. This page describes the impact GDPR has on printers and print service providers who use Apogee StoreFront or Asanti StoreFront, the cloud-based web-to-print solutions of ECO3.
GDPR focuses on protecting personal data, which is any information related to an identified or identifiable natural person. This includes people’s names, addresses, physical or genetic information, IP addresses, location data, business transactions, etc. The legislation harmonizes the multitude of different legislations that previously existed in various EU member states. It is known by other names in certain member states, such as AVG (Netherlands), DSGVO (Germany), RGPD (France & Spain) or RODO (Poland).
The GDPR became enforceable on 25 May 2018. If your company is located in the EU or you have customers within the EU, you must comply with the GDPR legislation. Companies that are not compliant risk fines up to a total of 20 million euros or 4% of their global turnover, whichever is higher.
Below you will find GDPR-related information that applies to Apogee StoreFront and Asanti StoreFront. ECO3 strives to make sure StoreFront can be used in a GDPR-compliant fashion. As a StoreFront user, you need to be aware of the measures ECO3 has taken and you need to make sure that, with regard to customers, your usage of the platform is compliant with the GDPR legislation. The guidelines below are for informational purposes only and not for the purpose of providing legal advice.
Companies using StoreFront are considered to be a controller – ‘a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. ECO3 is the processor – ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
Your GDPR responsibilities as a controller
As a controller you need to share GDPR-related information with your customers. If a store is created for a specific business customer, the sales contract should cover your and their GDPR responsibilities. You also need to have certain processes in place to be compliant. When the text below refers to StoreFront users, it refers to store users as well as company and printer administrators.
- Storage of personal data
StoreFront stores personal data of all users. Some fields are mandatory, such as the user’s full name, email address, salutation/gender (if known) and preferred language. Users can see these fields and modify them. Optionally, you can define additional fields and hide these from users. The order history of users is also stored.
- Stores should include a privacy statement, which you can make available to users using one of the information pages. This privacy statement should provide answers to the following questions:
- What personal information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
- In a separate Record of Data Processing Activities you need to document which data are stored, who has access and why these data are needed. There are Microsoft Word or Excel templates for this available for download on the web. These are especially useful for smaller companies.
- You should only store personal data that are relevant for use in StoreFront. Special care should be taken with sensitive or judicial information, such as religion or sexual orientation.
- If a store uses a tracker such as Google Analytics or Mouseflow, make sure your use of the data that are collected complies with the GDPR legislation. Since most trackers use a cookie, make sure they are mentioned on your cookie acceptance page, which can be enabled and configured in the Stores > Pages > Legal tab of StoreCenter.
- Data confidentiality and security
It is important that all personal data are transferred and stored in a secure fashion.
- All data communication between the user’s browser and StoreFront uses the encrypted HTTPS protocol.
- When users access a store and leave their browser window open, StoreFront will automatically close the session after 60 minutes. This minimizes the risk of other people tampering with the account data of the user.
- When a security breach leads to a data leak, the local supervisory authority must be informed of this within 72 hours. All affected users must also be warned. An example of such a leak could be a disloyal employee who exports a list of all the users to make it available to a competitor. To minimize such risks, immediately deactivate the accounts of employees with admin-level access rights who leave the company. When a data breach occurs, you must not only report this but also document which measures were taken to prevent such a breach from recurring in the future.
- If you share or sell user data to other parties, users must be aware of this.
- Accuracy of personal data
Personal data should be accurate and kept up to date. This means users must be able to see their personal data and have the means of correcting them. The privacy statement should explain how users can access and update their respective data. When custom fields are used in user profiles and users are prevented from modifying these themselves, the privacy policy should specify the procedure users can use to ask you to modify these data.
- Data retention policy
Personal data should not be retained for longer than necessary. If a store for a business customer is no longer in use, you are expected to delete the user profile data it contains within a reasonable time frame. How long personal data are retained is up to you to decide. It is acceptable to do this only after a few years, since customers sometimes switch between suppliers, and having the store data at hand if they become a customer again after a year is perfectly fine.
- You are allowed to archive user profile data prior to deleting them. This can be done using the Export function in the Users window of StoreCenter. Keep in mind that this archive does not contain the user’s order history.
- Other legislation may take precedence over this rule. Case in point: in most countries invoices should be kept for several years. In shops that are configured to generate invoices, these invoices are stored in the user’s account data. We recommend exporting all invoices from the Orders Reports window in StoreCenter prior to deleting user accounts.
- Right to be forgotten
Users have the right to have their personal data removed in StoreFront. Since they cannot delete their profile data themselves, a StoreFront administrator has to do this for anyone asking to be removed. In your privacy policy, you need to document the procedure that users should follow. It can be as simple as asking them to send an e-mail with their full name and the subject line ‘Delete my account’. Admins can see when users accessed StoreFront the last time. This can be a handy tool to manage unused accounts.
- Consent must be freely given
The GDPR legislation puts certain restrictions on your ability to subscribe customers to a newsletter. This is especially important if you operate public stores. E-mail marketing is a powerful way to reach out to customers, but you cannot add users to your mailing list without their explicit consent or legitimate interest.
ECO3’s GDPR responsibilities as a processor
StoreFront is hosted by ECO3, who acts as a processor of the personal data you manage. ECO3 commits to complying with the GDPR legislation. Below are key responsibilities as a processor:
- Processor’s obligation of confidentiality
Processors must ensure that the personal data that they process are kept confidential.
- Records of processing activities
In order to ensure compliance, EU data protection law requires processors to ensure that they keep records of their data processing activities, and that the information in those records is provided to (or is available on request by) Data Processing Agreements.
- Data security
EU data protection law obliges processors to ensure the security of personal data that they process.
- Data breach reporting
One of the key issues in maintaining the security of personal data is ensuring that the relevant decision makers are aware of any data breaches and are able to react accordingly.
- Liability of processors
EU data protection law recognizes the possibility that processors may be liable for breaches of their legal or contractual obligations. Processor duties include, but are not limited to:
- Processing data only as instructed by the controller
- Using appropriate technical and organizational measures to protect personal data
- Assisting the controller with data subject requests
- Only appointing sub-processors with the permission of the controller.
- Ensuring sub-processors it engages meet these requirements
Specifically with regard to StoreFront, the following points are important:
- Each StoreFront account has a main administrator. This is the person who is the first to get access to StoreCenter and has the ability to add other administrators. This user account (containing a first name, last name, salutation and e-mail address) is managed by ECO3. To have this account updated, please contact your local ECO3 services team or dealer.
- The StoreFront License and Service Agreement has been updated to accommodate GDPR requirements. It can be consulted by clicking the License Agreement link in the top left menu bar of StoreCenter. If you prefer to establish a separate Data Processing Agreement with ECO3, please provide such a document to your local ECO3 sales organisation or dealer. They will have it validated and signed by the ECO3 headquarters legal team. There are graphic arts trade associations who offer a model contract that you can use as a template.
In summary, it is essential that your StoreFront users can access your privacy policy within their store and that you have a Record of Data Processing Activities in place. Once those basic requirements are covered you can focus on the other aspects of the GDPR legislation. If you have any GDPR-related questions regarding Apogee StoreFront or Asanti StoreFront, please contact your local ECO3 sales organization.