PGRD Compliancy Module

[Eolia]

Hi here !

Presentation of the GDPR Compliancy Module v.1.8.8

In accordance with the GDPR Law, you must appoint a Personal Data Protection Officer within your company.

This person will be the only one (or by delegation) authorized to access this module and to consult the sensitive data.

This module allows you to comply with the following points:

• The right of users to access their personal data and to export them on a readable medium.

• The right to modify and / or delete their recorded data.

• The ability to accept or decline your Personal Data Protection Policy.

All these choices and actions are recorded allowing monitoring and control of these sensitive actions.

Important:

• However, this module does not guarantee that your site is fully compliant with GDPR requirements. It's up to you to configure this module, create your CMS page (a template is provided) and check other points about your business.

• This module allows many automatic actions and interactive controls with your customers. If you have questions of a legal nature, we invite you to contact the professionals or the competent state services.

This module allows to display and obtain the consents of your customers and / or visitors when they pass on sensitive pages (data entry, forms, registration, payment, etc ...) The global consent of the shop is valid for a period of 13 months, beyond which renewal will be automatically requested at the next visit.

• If you have GDPR compatible modules, they will be taken into account by the module and will be able to display their own consent requests.

• The module also lists installed modules that handle client data and are not declared compatible with RGPD. If you know them or know that the data is not used for other purposes than those necessary for the operation of the shop, you can declare them compatible. For others, if you have any doubt, contact their developers or get updates.

This module finally allows each client to view, modify, export or delete their data. Several control systems are in place (validation by e-mail, restricted access to the employee-side module, forbidden access to anonymized elements for employees (excluding the GDPR manager), control keys and security deadlines) A template CMS page for your chart and a privacy statement for your partners or external stakeholders is provided. You must of course adapt the content according to the parameters of your shop.

Once the module installed and configured you will not have to worry anymore, a simple control of the logs will suffice.

The link : https://eoliashop.com/module-RGPD Enjoy !

Tested on thirtybees 1.0.3

[toplakd]

There is no front/admin demo link in your shop? Does the consent pop up needs to be almost fulscreen?

[lesley]

Hey @Eolia we were actually talking about you earlier this week. I saw some of your recent tweets, you seem to be putting the pressure on them.

[Eolia]

https://lab30.enter-solutions.net/ contact page or login page For the BO it's not possible because only the PGRD employee is allowed to see and configure this module and invoices pages

[toplakd]

I think you should add more languages, as many do not understand French. Like me.

1. So there is absolute no possibilities to test the admin area?
2. What happens with consent data if one resets or uninstalls the module? (by accident)
3. What happens with consent data if customer is deleted from the database?
4. What happens if customers places order and payment is made, and after that he deletes his account?

+ more to come as no access to admin area :)

And yes, I've read your description pages, but one can not test it without admin area access.

[Eolia]

I think you should add more languages, as many do not understand French. Like me. - Yes, but I do not master foreign languages enough. The module is in English and French.

So there is absolute no possibilities to test the admin area? - link below^^

What happens with consent data if one resets or uninstalls the module? (by accident) - Database will not be dropped

What happens with consent data if customer is deleted from the database? - These data are kept in accordance with the law We only have the first and last name or the guest id but no more the possibility of linking it to an account

What happens if customers places order and payment is made, and after that he deletes his account? more to come no acces to admin area - It is impossible to destroy an account being processed. A message explains it

https://lab30.enter-solutions.net/en/connexion?back=my-account

[Eolia]

[RandomFish]

I visited the test site, I was cookied by Facebook without my consent. How is this even close to GDPR compliant?

[Eolia]

In Europe, the law on cookies has already been active for 2 years. All stores have already incorporated the consent banner. The GDPR law only remembers this directive.

[RandomFish]

I am afraid that you do not understand the law and the changes in the law. One notable change in the law is you are required to let users opt out of tracking cookies and cannot use implied consent. When I visited your demo site I was cookied by the site, which is considered an essential cookie. That is ok if it is a session cookie.

But I was also cookied by a facebook tracking cookie. That is NOT ok under GDPR. You have shared my data with a 3rd party without warning me beforehand and getting my consent beforehand. This subjects you to fines. Please read this: https://www.itgovernance.eu/blog/en/how-the-gdpr-affects-cookie-policies

Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent. ‘By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible to both accept or reject cookies. This means: It must be as easy to withdraw consent as it is to give it. If organisations want to tell people to block cookies if they don’t give their consent, they must make them accept cookies first. Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.

None of these obligations are met in regards to third party cookies.

[Eolia]

i understand the law ^^ These cookies are put by a third party module and it is up to him to become compatible. At that moment my module will be able to display the request consent, ok?

[RandomFish]

That is not even the area I am talking about. I am talking about the facebook faces box that triggers a cookie. This module seems scammy, it allows users to be tracked and makes shop owners feel safe. While all it does is expose them to risks because you have not stated that you need to disable every integration because this module does not work with any integrations.

[toplakd]

Sorry, but I have to add this. As I said before that almost no shops that sell GDPR modules are GDPR compliant. I know it's not 25. of may yet, but if you selling something like this, it would be apropriate if you are already compliant with GDPR :)

Eoliashop - 14 cookies in total and no true session cookie that expires at end of session. This is all the data that your shop sets in clean browser.

[Eolia]

Lol My site is an OpenCart :)

Do you want to dismount a site or the operation of the module? No module has yet integrated the hooks required by prestashop. I have provided a template on the block newsletter here https://shop.devcustom.net For the rest is the responsibility of the merchant not that of the module.

[nickon]

The whole GDPR gives me a headace. The most complete module seems to be https://addons.prestashop.com/en/legal/31185-gdpr-compliance-pro.html Waiting for the TB one and see what they have done.

[toplakd]

/sarcasm on Ok. So Opencart does not need to be GDPR compliant :) Migrating today. /sarcasm off

I don't want to dismount nor your site nor your module. I like that people are doing the GDPR modules, but also just pointing out the facts that almost none of the GDPR module sellers is GDPR compliant, including your shop. Opencart or no opencart.

If I was Mersedes seller it would be akward if I would drive arround with DACIA.

[RandomFish]

The official Europa site is not GDPR compliant either. You get a Piwik cookie from them and there is no means to opt out. This whole thing is a mess.

[Baarssen]

Quote: If I was Mersedes seller it would be akward if I would drive arround with DACIA.

I sell paint, but i dont like to paint ;)

Ofcourse the data protection and the rights of our customers who pay our daily bread is very important, but you cant say 1 module fixes everything for every type of business. It always takes energy to make your business compliant with the help of 1 or more modules and all the actions that are required for your type of business according to the size of your business and the way you act with data.

What will i do: I only do the strict visible things what are required and in the mean time i watch and learn from what happens with the big boys and how they solve this. Even the EU government does not know how to handle everything. But i am from 1 thing certain: if you make a mess from the privacy of your customers, and they are going to complaint about it you will be crusified ;)

[toplakd]

:) Yeah, that with MB vs Dacia was not good compare :) touchdown for you @Baarssen :)

Back to GDPR. The more cookies you set, the more data you collect with different modules, the harder it will be fully compliant.

I use only 1 front cookie, set to 0 to expire after session closes. Therefore no need for cookie consent of cookie banner for me as GDPR clearly states that no consent is required for first party cookies that are expiring after session is closed. I Don't use newsletter module and have no custurmers registered to it. So no need for consent base there. No other modules installed that would collect data in anyway.

So complying with GDPR is easier for ones than for others, but it all depends on what type of store you have and what are you selling as not every store could afford to live without newsletters, reviews, loyality points etc.

Cookie law was there a while ago, but still every site gives you just notification banner and drops 79 cookies.

Privacy policy is also there like forever. I've always informed customers through that how I use their data (only for processing orders). So without accepting privacy policy they could not register to my shop, therefore the consent date is date of registration.

But I do get ton's of mails everyday now, from everywhere I registered to newsletter. Are you with us? After 25.may you subscription will be deleted :) Nice, I now don't even need to click the unsubscribe button.

Happy GDPR.

[colorful-ant]

I do not want to present my current comment as a criticism of this module. I'm not sure, but maybe it helps various programmers understand the seller. Some shop owners have their own opinion, some just wait for one or the other. Here my thoughts / opinion:

The EU Cookie Law has been for over 2 years, for example so far for online shops in Germany was not necessary because this information in a privacy page (such as imprint, terms, etc.) so far was sufficient. A module was not necessary for this. I do not know how it was handled in other EU countries with its own laws on this subject.

I personally think that most shop owners want to use as few modules as possible. Preferably everything in the main system. ;) For legal certainty: I am referring to the sellers within the EU. In the EU area, the AEUC module has been necessary for a very long time to operate a legally compliant online shop. In the meantime, shop operators outside the EU also seem to be using functions with this module. If I can remove EU cookie law in my online shop, because it is integrated in the new GDPR module, I am thrilled. Of course, the other important paragraphs of the GDPR should not be missing.

[Eolia]

@randomfish Piwik (Matomo) does not require consent because the shelf life of the data does not exceed 13 months (unlike Analytics)

[RandomFish]

I will have to disagree with you on all points. Can you site the time frame requirement in the law?

Also from the Matomo site:

Data Storage and Data Collection Limits

There is no limit. You did not read this wrong. You can keep all your data forever.

By default, all historical visitor data, and all reports are kept. You can choose to anonymize the data or purge the old log or report data after a few months. It’s your decision as it is your data.

https://matomo.org/docs/data-limits/

[toplakd]

I suggest to read this: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

-session cookie which is erased when the user closes the browser or -persistent cookie which remains on the user's computer/device for a pre-defined period of time

-first‑party session cookies DO NOT require informed consent. -first‑party persistent cookies DO require informed consent. Use only when strictly necessary. The expiry period must not exceed one year. -all third‑party session and persistent cookies require informed consent. These cookies should not be used on EUROPA sites, as the data collected may be transferred beyond the EU's legal jurisdiction.

In our coutry if you deal with worldwide custumers and the ones from EU, you need to get clearance if you want to host your website (which collects european customers data) in country that is not in EU.

So basicaly if timing for Front Office cookie is not set to 0, you would need consent before the page sets session cookie. We will have to get used to use true session cookes, as otherwise all pages on first visits will be crippled with popups.

[Traumflug]

We will have to get used to use true session cookes

Sounds reasonable. I'd even say there's no reason to set a cookie until the visitor puts something into the cart. And then one can make the consent part of the click on 'buy'. Zero additional hurdles.

That said, I certainly see how hard it is for many to say bye-bye to cookies which are simply there, for years.

[datakick]

@toplakd said in PGRD Compliancy Module:

We will have to get used to use true session cookes, as otherwise all pages on first visits will be crippled with popups.

Remember that GDPR does not restrict use of cookies. It just says that when cookie can identify an individual (physical person), it is considered personal data. All other cookies are not subject to this law (but other existing cookie laws still applies, though)

The big question is whether thirtybees core cookie can identify individual or not

cookie for guest / anonymous visitor

When user first visits your site, the cookie contains these information: [date_add] => 2018-05-24 10:59:37 [id_lang] => 1 [id_currency] => 1 [viewed] => 1 [id_guest] => 91 [id_connections] => 300 [last_visited_category] => 6 [checksum] => 3940892666 What is problematic is id_connections, because it points to the tb_connections table, which stores visitor's IP address. IP address is personal information, so we need consent for this cookie.

The big problem is that we have already collected this personal information. We have already violated the GDPR before the visitor even saw our site, and before we even issued the cookie.

So, the first thing you'll wanna do is to disable module Data mining for statistics -- that will fix this problem. We will lose statistics, though. While we are talking about this, you'll also need to modify your apache/nginx logging settings, and omit/obfuscate IP addresses from your access/error logs, as this is also a GDPR violation.

So, once we have disable logging IP address into tb_connections table, there's nothing in the core cookie that can be used to identify physical person. Such cookie is not subject to GDPR, and we can safely continue to use it.

#### cookie for logged in customer

When customer sign in, cookie now obviously contains personal information. So, in order to use this cookie, we need consent. This is easy - just ask for it during customer registration. Single checkbox with link to our privacy policy. There's no need for dedicated consent for the cookie itself.

So, what's the reason to convert this to session cookie?