When running an e-shop under the new conditions of the GDPR Regulation, the marketer faces several problems. The interpretation of the regulation is not clear, and a few areas will limit the marketer's possibilities. For example, the question arises as to whether personal data may be used for other purposes, and other questions arise as to the legal bases for the processing of personal data.
Introduction
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), in force from 25.05.2018 (Veselý 2018), often causes a change in technology and processes in organizations and introduces a number of new concepts.
According to Kotler (Kotler and Armstrong 2010), for the prosperity of the company in this new era, it is necessary to change the marketing strategy and adapt to the new environment. It is therefore important to:
• Identify the main factors that shape the period of internet development.
• Know the reactions of companies to the internet and new technologies.
• Know the four major areas of e-commerce and their use in practice.
• Know the company’s progress in implementing e-commerce.
• Have an overview of the benefits and challenges of e-commerce.
Changes in the world economy are influenced by many factors such as technology, globalization, the environment and many others, but the following are particularly important (Kotler and Armstrong 2010):
1. digitization and networking – Until now, devices from telephone systems through watches to industrial devices have worked with analog information. Today, more and more devices work with digital information, i.e. text, data, sounds and images are converted to a sequence of zeros and ones, bits. Their transmission from one location to another requires interconnection, i.e. a telecommunication network, and this can be:
a. intranet – a network that connects people to each other within a corporate network,
b. extranet – links businesses with their suppliers, subscribers, and distributors,
c. internet – a public global network that connects smaller networks and users of all types. It is an “information highway” that transmits data at high speeds regardless of distance.
2. the rapid development of the internet – a revolutionary technology of the new millennium, provides business with a high level of connectivity, enables customers and businesses to gain an unprecedented amount of information during several computer operations, and if competition firms are to be able to adapt,
3. new forms of trading – thousands of entrepreneurs have set up internet companies to sell their production,
4. product customization to customer needs and the active role of customers in designing them.
So much for the basics of marketing theory. But this theory is a real reflection of practice. For example, one well-known online store reported a year-on-year increase in revenue of up to 20 percent to 830 million EUR without VAT (Moravčík 2018). This means a notable increase in sales. This issue is also seriously addressed by the EU, which is forming legislative frameworks in this area. One of them is the GDPR regulation; others are the ePrivacy regulation (ÚOOÚ 2018) and the CyberSecurity Regulation (Šimkovič 2015). The European Parliament has passed a regulation banning so-called geographic blocking when shopping online. All new EU Member States should therefore be given access to foreign product purchases without blocking websites. In the past, internet shop operators automatically redirected customers to another website based on their nationality, place of residence or temporary residence. This will no longer be the case under the new rules. The new arrangements apply, for example, to booking hotel accommodation, hiring cars or buying tickets for concerts. It will not cover copyrighted goods, such as electronic books, downloadable music or on-line games, but also on tickets. Under the new regulation, online shop operators will have to offer their goods or services to their clients within the EU at the same price and under the same conditions. The measure will apply to the purchase and delivery of goods, provided that delivery of the goods to the Member State concerned is provided for in their business conditions. It will also apply to personal and non-copyrighted goods. It sounds fairly simple, but we also need to take into account the GDPR regulation, which states that every EU citizen must have access to consent in his own language, which he understands, so that he clearly shows his agreement and clearly understands the terms. And this is not just about consents.
Cookies are also subject to the GDPR regulation – here too consent or refusal must be given – and again in a language that can be understood. Not all EU citizens understand the Slovak language fluently, and not everyone understands English or German. And the requirement of the GDPR Regulation is that consent must be clearly distinguished from business conditions. The logical conclusion is that business conditions will also be drawn up in that language. And this is no longer a minor cosmetic change of business processes and the information system. When creating GDPR documentation, other regulations regarding the business processes of the organization need to be taken into account. We can see here that it is not possible to use a general framework of GDPR documentation and it is obviously necessary to deal with each individual organization in detail. This is actually the GDPR goal.
E-shop and GDPR regulation
The purchase of goods and services is currently being made largely via the internet. The e-shop can be defined as the sale of goods or services using information and communication technologies and web applications in an internet environment, where on one side of this relationship is the operator of the e-shop and on the other the e-shop customer (hereinafter referred to as the “customer”). The most common among them is the conclusion of an internet purchase contract (distance contract). Such a contract also includes obtaining information, including personal details of the customer. Given the dynamics of IT development, it is impossible to take into account in this methodological guideline all eventualities that might arise in the application of the Regulation to e-shop operators, so the Office mentions only the most common cases below. Given the specific conditions of a particular processing of personal data, it is possible that the e-shop operator will be able to use, for example, other legal bases or settings other than those listed below. This methodological guideline is only a recommendation of the Office, which means that it does not exclude any other arrangement of the processing of personal data that fulfils all the conditions and obligations laid down by the Regulation. It is also important to highlight the fact that e-shops are also covered by other special regulations, Act no. 351/2011 Z. z. and Act no. 22/2004 Z. z., which must be taken into account in the operation of e-shops. These regulations do not fall within the scope of the Office (ÚOOÚ SK 2018).
Processing activities of the e-shop and legal bases for processing customer personal data
Recording the personal data of a customer of a particular e-shop constitutes processing of the customer’s personal data from the point of view of the privacy rules. The purpose of such processing is most often the conclusion of a purchase contract and the subsequent execution of payment, delivery of goods or services and, where appropriate, the provision of other related services (complaints and other obligations arising, in particular, from the consumer protection legislation for the e-shop operator). It is necessary to distinguish the individual purposes of the processing of the customer’s personal data by the e-shop operator. In view of this, we can identify some of the most common processing activities that can be closely related, but have a different legal basis. The processing of customers’ personal data by e-shop operators is mainly carried out for the purposes of (ÚOOÚ SK 2018):
• order of goods / services (e-shop) – purchase contract according to Art. 6 (1) (b) of the Regulation (including the subsequent payment, delivery of goods or services, handling complaints, etc.); processing of the customer’s personal data takes place without the consent of the customer because the legal basis for the processing of his or her personal data for the purposes of performance of the contract is a specific contract concluded at a distance between the customer and the e-shop,
• marketing communication with the customer – legitimate interest according to Art. 6 (1) (f) of the Regulation (eg newsletters, other forms of direct marketing, etc.); processing of the customer’s personal data takes place without the consent of the customer because the legal basis for the processing of his or her personal data (to the extent necessary) is the legitimate interest of the e-shop operator, such as informing the customer about the new goods and services of the e-shop. We point out that within the meaning of recital 47 of the Regulation, the use of legitimate interest as a legal basis requires a thorough assessment, including an assessment of whether the person concerned may reasonably expect, at the given time and in the context of personal data collection, that his personal data may be processed for that purpose. The operator is also required to carry out the proportionality test.
• marketing communication with the person concerned without previous relationship – prior consent of the person concerned under Art. 6 (1) (a) of the Regulation. For further information on the consent of the person concerned, we recommend seeing the WP 29 Guidance on the consent of the person concerned.
• loyalty program – customer consent according to Art. 6 (1) (a) of the Regulation. For further information on the consent of the person concerned, we recommend seeing the WP 29 Guidance on the consent of the person concerned.
• consumer competition – customer consent according to Art. 6 (1) (a) of the Regulation. For further information on the consent of the person concerned, we recommend seeing the WP 29 Guidance on the consent of the person concerned.
Obligations of the e-shop provider
Compliance with the principles of processing customers’ personal data pursuant to Article 5 of the GDPR Regulation (ÚOOÚ SK 2018):
• In order for the operator to legally process the customer’s personal data for the above purposes, he must have an appropriate legal basis (see point 1) (principle of legality).
• Customers have the right to be informed about the processing conditions, the manner in which their requests for the rights of the persons concerned are dealt with, etc. (the principle of transparency).
• The data obtained are to be processed by the operator only for a specific, explicit, legitimate purpose and cannot be processed in a way that is incompatible with such purpose (purpose limitation principle).
• The operator should only process personal data that is necessary to achieve a particular purpose of processing (data minimization), for example:
a) to conclude a purchase contract – for example, title, first name, surname, home address, address of delivery if different from the home address, e-mail address, telephone number,
b) direct marketing – title, first name, surname and e-mail address,
c) loyalty program – title, first name, surname, home address or e-mail address and, if applicable, additional information (for example, depending on how loyalty benefits are provided or depending on other terms of participation in the loyalty program set by the operator),
d) consumer competition – the list of processed personal data depends on the conditions of the competition specified in the competition statute, of which the persons concerned are to be informed prior to granting consent to the processing of their personal data for the purpose of the competition.
• The operator processes correct and up-to-date personal data (principle of correctness).
• The operator keeps personal data only for the time necessary to achieve the purpose of the processing; longer only if it is necessary for another purpose (for example for purposes of archiving) compatible with the original purpose (the principle of minimizing retention).
• The operator guarantees the adequate security of the processed personal data (the principle of integrity and confidentiality).
• The e-shop operator must be able to demonstrate compliance with the previous processing principles (liability principle).
Information obligation under Article 13 and Article 14 of the GDPR Regulation (ÚOOÚ SK 2018):
• Applies to all the processing operations referred to in point 1; information obligation is directed from the e-shop operator to the affected person (the e-shop customer).
• The provision of information to the person concerned is the responsibility of the operator, ie the operator of the e-shop is obliged to provide it on his own initiative (not at the request of the person concerned).
• The operator provides the person concerned with the information provided for in Article 13 (1) to (3) of the Regulation if he obtained the personal data directly from the person concerned, or with the information pursuant to Article 14 (1) and (2) of the Regulation if the personal data have not been obtained directly from the person concerned [example: person X orders a product in e-shop ABC as a gift for person Z. E-shop ABC processes the personal data of person X on the contractual legal basis and fulfills the obligation to provide information pursuant to Article 13 of the Regulation. E-shop ABC also processes personal data of person Z, who does not know that a gift will be sent to him, and there is no direct contractual relationship between ABC and Z. The legal basis for the processing of the personal data of person Z will be the legitimate interest of e-shop ABC for the purposes of fulfilling the contract between e-shop ABC and X. E-shop ABC will also be liable to person Z for fulfilling the information obligation under Article 14 of the Regulation. In this situation, as a result of the derogation under Article 14 (5) (b) of the Regulation (“… or if it is probable that the obligation referred to in paragraph 1 of this Article will hinder or seriously impair the attainment of the objectives of such processing”), e-shop ABC does not fulfill the information obligation according to Article 14 of the Regulation until the moment of delivery of the gift purchased by person X].
• Apply exemptions from the disclosure obligation only to the extent defined in Article 13 (4) and Article 14 (5) of the Regulation.
• In relation to new customers from 25.05.2018 – to meet the above information obligation at the latest when collecting personal data.
• In relation to existing customers before 25.05.2018 (eg with regard to ongoing marketing, loyalty program) – the obligation to supplement the information to the extent that the customer does not have the information in accordance with Article 13 and Article 14 of the Regulation.
• Provide the information in a concise, transparent, comprehensible and easily accessible form, formulated in a clear and simple manner.
• Customers can be informed in various ways (also in combination) – eg. on the e-shop web site, by sending information by e-mail, in paper form in the “stone shop” premises, etc.
• (Articles 15 to 22 of the Regulation), in particular the right to object to processing for direct marketing purposes and the right to withdraw consent to the processing.
• Where the processing is based on a legitimate interest, the operator shall inform the customer of the legitimate interest he / she pursues; the operator is also required to perform a proportionality test whenever he processes personal data on this legal basis.
Managing records of processing activities (ÚOOÚ SK 2018):
• Each e-shop operator is required to keep records of processing activities under Article 30 of the Regulation always in relation to the processing activities:
a) order of goods / services,
b) loyalty program,
c) direct marketing.
• Consumer competition – organizing regular competitions; occasionally organizing a competition – 1x / year and so on (the exemption under Article 30 (5) of the Regulation applies, and this processing activity need not be recorded in the records).
• The operator keeps the records and does not send them to the Office; if necessary, he submits them to the Office.
Responsible person (ÚOOÚ SK 2018):
• E-shop operators who meet the condition of Article 37 (1) (b) of the Regulation are obliged to designate a responsible person – for example.
• If the condition under Article 37 (1) (b) of the Regulation is not fulfilled, the e-shop operator is under no obligation to designate a responsible person; if he voluntarily designates one, he / she is obliged to proceed as if the obligation to designate the responsible person was applicable to him/her.
Intermediary (ÚOOÚ SK 2018):
• The operator may entrust the processing or part of the processing to an intermediary, for example for the purpose of evaluating a competition organized by the operator or sending questionnaires on satisfaction with the purchased goods.
• The intermediary processes personal data in accordance with the instructions of the operator, to the extent and according to an intermediary contract or other legal act binding the intermediary towards the operator. The intermediary contract or other legal act must comply with the requirements of Article 28 (3) of the Regulation.
• For the purposes of concluding an intermediary contract and entrusting the intermediary with the processing of personal data, the consent of the person concerned is not required. As regards legality, the intermediary has a legal basis (eg legitimate interest) for the processing of personal data.
Security of the processing of personal data (ÚOOÚ SK 2018):
• The e-shop operator is responsible for the security and protection of personal data throughout their processing and is required to take appropriate security measures to protect them.
• Under Article 25 of the Regulation, the e-shop operator is required to provide protection already at a stage when processing has not yet been initiated, taking into account the latest knowledge and the cost of implementing the measures as well as the nature, scope, context and purposes of the processing. The measures will be customized to suit the operator’s own environment and will take into account the safety standards that are common for the processing activity – for example, securing with an antivirus program the computer on which customers’ personal data are processed.
• According to Article 32 of the Regulation, the e-shop operator is obliged, in the light of the above, to adopt technical and organizational measures, for example:
a) technical measures – antivirus, firewall, password-protected computer, alarm, security of premises, securing of automated and non-automated means, etc.,
b) organizational measures – instructions of the e-shop operator addressed to employees (if any), designation of the responsible person (if the operator is obliged to designate one), instruction of the employees to keep confidentiality, rules for entry into the premises where personal data are processed, key policy, policies for personal data, including their storage, and so on.
• These are just examples, it is not possible to generalize the necessary measures for all e-shops.
• The operator is required to carry out the data protection impact assessment pursuant to Article 35 of the Regulation if he fulfills any of the conditions laid down in this Article.
• In the event of a personal data breach that will lead to a risk to the rights and freedoms of individuals (such as making the database with customers’ personal data available to unauthorized persons, or damage to and unavailability of backups at the e-shop operator), the operator is obliged to notify the Office of such breach within 72 hours of learning of it; in some cases also the person concerned, without undue delay.
• The e-shop operator may also demonstrate compliance with the Regulation and Act no. 18/2018 Z. z. by complying with a Code of Conduct or by a certificate, but the operator is not obliged to accede to such a Code of Conduct (if any) or to request a certificate.
• As far as other duties are concerned, please note that the e-shop operator is also obliged to perform duties under Act no. 351/2011 Coll. on Electronic Communications as amended (hereinafter “Act No. 351/2011 Coll.”). The Office is not competent to interpret the provisions of Act no. 351/2011 Coll.; we recommend turning to the authority responsible for that Act.
Position of the e-shop customer
The customer of the e-shop is, from the point of view of the Regulation, the person concerned, that is to say the natural person to whom the personal data processed by the e-shop operator relate. In accordance with the Regulation, the person concerned has rights that he / she can exercise against the e-shop operator at any time. The list of rights of the person concerned (ÚOOÚ SK 2018):
• Right of access to data (Article 15).
• Right to rectification (Article 16).
• Right of cancellation (Article 17).
• Right to limit processing (Article 18).
• The right to portability (Article 20).
• The right to object (Article 21).
a) if the processing is done on the basis of a legitimate interest of the e-shop operator (eg for direct marketing purposes), the customer has the right at any time to object to such processing of his or her personal data,
b) the person concerned must be expressly informed of the right to object to processing for the purposes of direct marketing at the latest at the time of the first communication with him, and this right must be presented clearly and separately from any other information,
c) after the customer has raised an objection, the e-shop operator is obliged to immediately cease the processing of personal data for the purpose of direct marketing, and these personal data are no longer processed for direct marketing purposes.
• Right to withdraw consent.
a) if the processing is done on the basis of the customer’s consent (eg loyalty program, consumer competition), the customer may at any time withdraw his consent to the processing, and the e-shop operator is obliged to terminate the processing of personal data processed under consent if he does not have another legal basis,
b) if the processing is carried out with the consent of the customer, the e-shop operator must inform the customer in advance of the right to withdraw consent at any time, in accordance with Article 13 (2) (c) of the Regulation.
How should the operator handle the requests of the persons concerned (ÚOOÚ SK 2018)?
• It is recommended to prepare a short, clear and concise internal procedure on how the e-shop operator will handle the requests of the persons concerned (eg by internal directive, instructions), which may be published on the e-shop operator’s web site (the operator can create a sample form).
• All information and notifications by the operator to the person concerned must be in a concise, transparent, easily understandable and easily accessible form, formulated in a clear and simple manner, taking into account the category of persons concerned to whom the communications and information are addressed.
• Information and notifications should normally be provided in the same way as the person concerned exercises his right unless he asks otherwise.
• The operator of the e-shop is obliged to handle the request of the person concerned within 1 month of its delivery (if necessary, the operator can extend the handling of the request by another 2 months, and he is obliged to notify the person concerned of the extension of the deadline).
Technical aspects of e-shop operation in context of protection of personal data
E-shop template – an e-shop operator can proceed in principle in two ways when choosing the technical solution of an e-shop template (the interface that serves to view specific items offered in the e-shop or to add items to a so-called “basket”). The operator can either create the e-shop template himself or buy an e-shop template from another subject (eg through a license agreement). In most cases, from a personal data protection point of view, the provider of such a template does not process personal data (ÚOOÚ SK 2018).
Webhosting of the e-shop – in the event that the operator does not have his / her own web space for the technical operation of the e-shop, he / she is most likely to enter into a contractual relationship with the entity providing such space. The status of the webspace provider will then depend on how the conditions are set. If this entity provides a webspace for the e-shop operator without processing the personal data of the e-shop customers processed by the e-shop operator, it will not be necessary to modify their relationship from the point of view of personal data protection. If the personal data of the e-shop customers are processed through a webspace provider, that provider will act as an intermediary under Article 4 (8) of the Regulation if it processes personal data on behalf of the operator. The relationship between the e-shop operator and the webspace provider will be governed by a contract or other legal act under Article 28 (3) of the Regulation. The webspace provider may also have the status of a joint operator if, for example, it automatically backs up the e-shop data. In such a case, the relationship between the joint operators, ie the relationship between the e-shop operator and the webspace provider, is arranged within the meaning of Article 26 of the Regulation (ÚOOÚ SK 2018).
Technical support provided to the e-shop operator by third parties – if a third party provides technical support for the e-shop and, when removing technical problems, this entity or its employees see the personal data of the e-shop’s customers, but the technical support provider does not further process the personal data (ie it only “sees” the personal data but does not work with them), it is sufficient that the agreement between the operator and the technical support provider contains the obligation to maintain confidentiality and to take appropriate security measures (organizational and technical). This also applies to technical support carried out by remote access (ÚOOÚ SK 2018).
Specific ways of processing personal data by the e-shop operator
With the expansion of various technologies, new ways of processing the personal data of customers, used in particular by larger e-shops, have evolved over time. Below are some practical examples along with the legal basis for processing personal data:
• Wishlist.
a) a registered customer has the opportunity to place the selected goods in a so-called wishlist (wish list),
b) the customer is sent an email alerting him that the goods included in the wishlist are sold at a discounted price or are available again,
c) if it is a marketing activity – legal basis = legitimate interest under Article 6 (1) (f) of the Regulation.
• Abandoned basket.
a) the registered customer did not complete his purchase or failed to complete the payment, and the operator sends him an email with an alert and the basket content,
b) there is no purchase contract yet, legal basis = pre-contractual relationships under Article 6 (1) (b) of the Regulation.
• Customer holiday.
a) legal basis = legitimate interest under Article 6 (1) (f) of the Regulation.
• Reactivation.
a) a registered customer has not been active in the e-shop for a longer time; the e-shop operator will send a code for the next purchase with the intention of motivating him / her to purchase,
b) if this is agreed in the contract – legal basis = contract under Article 6 (1) (b) of the Regulation,
c) if it is a marketing activity – legal basis = legitimate interest under Article 6 (1) (f) of the Regulation.
• Segmentation.
a) on the basis of what the customer purchases in the e-shop, the e-shop operator sends the customer newsletters with information about goods similar to those the customer purchases in the e-shop,
b) legal basis = legitimate interest under Article 6 (1) (f) of the Regulation.
• Upselling.
a) on the basis of the contents of the customer’s basket / on the basis of the goods already bought in the e-shop, the customer is shown recommended goods for further purchase when completing his order (in the payment process),
b) legal basis = legitimate interest under Article 6 (1) (f) of the Regulation.
• Cookies.
a) a cookie is not personal data in all circumstances; it is personal data when it is part of a chain of additional data that is linked to a particular natural person and identifies that person,
b) cookies as personal data – depending on the circumstances of the particular case, the legal basis may be:
i. consent under Article 6 (1) (a) of the Regulation
ii. the contract referred to in Article 6 (1) (b) of the Regulation
iii. a legitimate interest pursuant to Article 6 (1) (f) of the Regulation (marketing purposes)
iv. at the same time, the obligation to fulfill the conditions under Section 55 of Act no. 351/2011 Coll.
c) if cookies are not personal data – the obligation to comply with the conditions of Act no. 351/2011 Coll.
Where personal data are processed for purposes other than the original purpose, either new consent of the data subject must be given, specifying the purpose of the processing of personal data, or the processing may be in accordance with Union or Member State law. However, the last option – the compatibility test – will often be used. The purpose of the compatibility test is to define any link between the purpose for which personal data has been obtained and the purpose of the intended further processing of personal data. It is also necessary to define the circumstances in which personal data have been acquired, in particular the relationship between the persons concerned and the operator. The compatibility test also includes an analysis of the possible consequences of the intended further processing for the persons concerned. The compatibility test is not a separate legal basis; it follows the legal basis of the original purpose of the processing and requires the existence of adequate safeguards, such as encryption or pseudonymization. The GDPR regulation on protection of personal data defines the above ideas in § 13 paragraph 3 as follows:
Where the processing of personal data for a purpose other than that for which the personal data were obtained is not based on the consent of the data subject or a specific regulation, the operator shall determine whether the processing of personal data for another purpose is compatible with the purpose for which the personal data were originally obtained; among other things, the following must be taken into account:
(a) any link between the purpose for which the personal data were originally obtained and the purpose of the intended further processing of personal data,
(b) the circumstances in which the personal data were obtained, in particular the circumstances relating to the relationship between the person concerned and the operator,
(c) the nature of personal data, in particular whether special categories of personal data pursuant to Section 16 are processed, or personal data relating to the recognition of guilt for the commission of a criminal offense or offense under Section 17,
(d) the possible consequences of the intended further processing of personal data for the person concerned and
(e) the existence of adequate safeguards, which may include encryption or pseudonymization.
The wording of the new law on personal data protection implies the need to find out – that is, to carry out a test or a check on the compatibility of the purposes of the processing of personal data. Ultimately, it can simply be called the GDPR Compatibility Test (Veselý 2018).
List of References
[1] Kotler, Ph. and Armstrong, G., 2010. Principles of marketing. B.m.: Pearson education, 2010. ISBN 978-0-13-700669-4.
[2] Moravčík, M., 2018. Alza trhá rekordy: Obľúbený obchod oznámil minuloročné tržby, ide až o 830 miliónov eur. TECHBYTE, 2018. [online]. [cit. 2018-02-07]. Available at: <https://www.techbyte.sk/2018/01/alza-obrat-trzba-2017/>
[3] Šimkovič, J., 2015. Kybernetická bezpečnosť na Slovensku a v Európe, euractiv.com. 2015. [online]. [cit. 2018-04-05]. Available at: <https://euractiv.sk/section/veda-a-inovacie/linksdossier/kyberneticka-bezpecnost-na-slovensku-a-v-europe-000338/>
[4] ÚOOÚ, 2018. Pracovní skupina WP29 vydala stanovisko k návrhu ePrivacy nařízení: Úřad pro ochranu osobních údajů, 2018. [online]. [cit. 2018-01-22]. Available at: <https://www.uoou.cz/pracovni-skupina-wp29-vydala-stanovisko-k-navrhu-eprivacy-narizeni/d-23467>
[5] ÚOOÚ SK, 2018. Nové metodiky úradu. Úrad na ochranu osobných údajov Slovenskej republiky, 2018. [online]. [cit. 2018-12-09]. Available at: <https://dataprotection.gov.sk/uoou/sk/content/nove-metodiky-uradu-0>
[6] Veselý, P., 2018. Test zlučiteľnosti podľa GDPR. Zákon o ochrane osobných údajov, 2018. [online]. [cit. 2018-04-11]. Available at: <http://www.zoou.sk/33/test-zlucitelnosti-podla-gdpr-uniqueidmRRWSbk196FPkyDafLfWAJWc7pG-Xzb602T6YbetGYr2ZspOsA8wwA/?query=Peter%20Vesel%FD&serp=1>
[7] Veselý, P., 2018. Internetové obchody a GDPR. Zákon o ochrane osobných údajov, 2018. [online]. [cit. 2018-04-11]. Available at: <http://www.zoou.sk/33/internetove-obchody-a-gdpr-uniqueidmRRWSbk196FPkyDafLfWAJWc7pG-Xzb602T6YbetGYoMO6VlftQMFg/?query=Peter%20Vesel%FD&serp=1>
Key Words
GDPR, marketing
JEL classification
M31
Résumé
The issue of GDPR from a marketing perspective
Processing personal data in an e-shop is relatively simple and transparent once the basic principles and rules of personal data processing are understood. The e-shop operator must not omit four basic rules when processing personal data. The first rule is the legal basis for data processing, then fulfilment of the obligation to keep records, next fulfilment of the information obligation towards the person concerned – the customer, and finally the security of the processed personal data.
Reviewed
1 October 2018 / 30 October 2018