Edrone Recommendation GDPR 25052018
Legal recommendation
Attorney Marcin Pilch and legal adviser Marek Suchan from the law firm Pilch Piotrowski
i Partnerzy prepared a legal recommendation specifically for our customers. Because work on
the Polish implementing act is still ongoing in parliament, the document is updated as
changes arise. If you already have our recommendation, download it again and check the
date of the file update. You will find the file with the recommendations on this website. We
also encourage you to watch the LIVE interview of 8 May 2018 and the LIVE interview of
25 June 2017.
[Adjust to GDPR]
New Terms and Conditions
We would like to inform you about changes to the edrone Terms and Conditions. We
wanted the new Terms and Conditions to be written in plainer language and to meet the
other GDPR requirements.
[Read Terms and Conditions]
Ask us about the GDPR
We are developing the "Legal issues" section, which can be found on the Help & Advice
page here. There you will find the questions about the GDPR most frequently asked by our
customers.
[Read GDPR FAQ]
Good Cooperation
We pay attention not only to our own GDPR compliance: we cooperate only with technology
partners who have also adjusted to the requirements of the regulation. Our partners include
Amazon AWS, SparkPost, EmailLabs, FullContact API and SMSAPI. All of these companies
declare that they will be compliant by 25 May.
PILCH PIOTROWSKI & PARTNERZY
ADWOKACKA SPÓŁKA PARTNERSKA
you should also inform them about profiling. Both obligations can be fulfilled by means of
one widget, the "GDPR Widget".
[Activate GDPR Widget]
Monitoring
The edrone system monitors the behaviour of your customers and users in order to adjust
the content of your website to their needs and preferences. As a result, we know what
works well, what needs improvement, and what content users want to see. Inform your
customers of the purpose for which the data are collected; use our widget for this. Your
activities should be as transparent to your customers as possible. Soon we will publish a
video tutorial: "How to adjust the GDPR Widget?"
[See how it works]
Communicate consciously
What is the difference between a transactional and a marketing message? What content
may be sent to users? If you have doubts, you should definitely read this article.
[Adjust the content of marketing automation]
Right to information
With the GDPR, the controller has to fulfil requests for a copy of personal data. The
customer's individual profile in edrone now includes an "Export" button, which downloads all
the data on the activities of an identified user. Under the GDPR, each user may ask you for
a copy of their data, and all data on customer behaviour can be found in edrone. You can
export customer data in two formats: HTML or XML. HTML (browser view) is readable by a
person, while XML is readable by a machine. If a customer wants to transfer their data to
another controller (data portability), they will need the XML export.
Right to be forgotten
Soon, the panel will include a button enabling the permanent deletion of a customer's data
with one click.
GDPR? Stay up-to-date with edrone!
If you have any questions or doubts, write to us at hello@edrone.me or on chat, via our
website or the app. Together with the lawyers from Pilch Piotrowski i Partnerzy we will
answer your questions.
GDPR RECOMMENDATION
Imagine it is a sunny June morning. You have just come to work and are checking your
email. One subject line immediately catches your eye: "Request for information". You open
the email and see a list of a dozen questions. Your customer has decided to exercise their
rights and is asking what data about them you have collected, how you process them and to
whom you transfer them. You are prepared for that, aren't you? Will you manage to answer
your customer within one month, as the GDPR requires? And if the information is demanded
by ten customers? Twenty? One hundred? All of them?
Take it easy. Start by answering the question of what personal data you collect and why
you need them. Let's say you ask your customer for their name and address. If you run an
online store, this information is necessary to deliver a shipment: you need to know to whom
and where it should be sent. Most probably, you pass these data to the courier company
that delivers the shipment. Let your customer know that their personal data are transferred
outside your store. This applies to all personal data and all third parties to whom the data
are transferred. If you use edrone, which is a great idea, your customer should know that
too. Remember, however, that the GDPR allows you to process data not only on the basis
of consent. Personal data may also be processed where this is necessary to perform a
contract, or to take steps prior to entering into one. Legal bases for processing can coexist:
your customer can
tick a separate checkbox (e.g. for the newsletter) even though you process their personal
data on the basis of the sales contract you concluded. Other useful legal bases for
processing are discussed below.
[CONSENT]
Today there are checkboxes everywhere, aren't there? When the GDPR applies we will see
even more of them. The checkbox seems to be the simplest way of obtaining a specific,
freely given and informed consent from the customer. Remember, however, to use consent
as the legal basis only where you honestly and clearly want to give your customer control
over their data. If you need the data anyway, e.g. to perform the contract for the sale of
shoes in your store, you do not need consent! You probably already use consent, e.g. when
your customer signs up for the newsletter. Do not write lengthy texts listing every statute in
the legal jargon that came to your employee's mind. Remember that the GDPR focuses on
simplicity and on communicating with your customer clearly. Above all, your customer
should learn your purposes and how you will pursue them. Let's say the customer leaves
their email address and you would like to use it for direct marketing. Moreover, you are
planning a great special offer with a 10% discount (seriously?!).
[] I agree to the processing of my personal data in the form of an email address by XYZ
and to communicating with me in order to inform me on special offers and contests.
The checkbox must not be ticked by default. This is very important. The text must be
legible, so although we are aware of the space restrictions on a website, do not use font
size 2. Communicate with your customer in an understandable way.
We are frequently asked the same question: "Hey, I have millions of consents collected
from my customers. Will the GDPR throw them all into the trash once it applies?" Our
answer: if they all comply with the GDPR's rules on consent, you will not notice any change.
Consent must be freely given, specific, informed and unambiguous. And most importantly,
you must be able to prove that you received it. So if you have not yet conducted an internal
audit of the consents collected from your customers, it is high time to do so. Above all,
analyse the wording of the declarations your customers submitted. Did you apply double
opt-in when collecting the consents? If you did, great: most
probably your customer gave an informed and unambiguous consent by confirming by email
the box they had previously ticked on the website. Did you avoid checkboxes ticked by
default? Great. Are the consents clear, and is it possible to determine exactly what they
refer to? Very good.
Let's come back to the elements of consent. A valid consent needs to be:
1) freely given;
2) specific;
3) informed;
4) unambiguous.
To explain each of these characteristics of consent, let's use the guidelines of the Article 29
Working Party (WP 259). Let's start with voluntariness. Consent is freely given if the
customer had real choice and control over giving it; in particular, refusing consent must not
carry negative consequences. The Working Party's example of consent that is not freely
given is a mobile photo-editing app that requires GPS location and consent to the collection
of its users' behavioural data, where the controller states that the user cannot use the app
without consenting. Neither geolocation nor behavioural data are necessary to provide the
core service, photo editing, so according to the Working Party the consent cannot be
considered freely given in this case.
Consent should be specific. In the terms and conditions of various applications we
frequently come across very general consents (we take all of your data so that we can do
anything with them!). Even under the current law this approach should be avoided. First,
therefore, determine the purpose of the processing, then make sure the consent is specific
enough that no doubt remains. For example, if our customer consented to marketing carried
out by us, we need a new consent before using third parties to deliver commercial
information to the customer.
Consent should be informed. Now you probably clutch your head in disbelief and ask "How
will I manage to include all of it?!" In order to give your customer a real choice, you should
inform them of:
1) the controller's identity (e.g. name, registered office, phone number, email address, tax
identification number and National Court Register number);
2) the purpose of each processing operation for which consent is sought;
3) what data will be collected and used;
4) the existence of the right to withdraw consent;
5) if profiling results in automated decisions, the fact that such decisions are made;
6) if the consent covers transfers of data to third countries, the possible risks arising from
the absence of an adequacy decision and appropriate safeguards.
The above is the minimum recommended by the Working Party. Your customers should
expect you to exceed it: their personal data are valuable and deserve a high level of
protection. Extend the information they can read with:
1) if a data protection officer has been appointed, their contact details;
2) if you will transfer personal data to third parties, the identity of those recipients;
3) how long the data will be stored;
4) the possibility of lodging a complaint with a supervisory authority.
Consent should be unambiguous. This requirement is directly connected with the principle
of accountability, i.e. being able to prove that you have your customer's consent to process
their data. It must therefore be clear that the data subject consented to this specific
processing of their personal data. An ideal solution is the double opt-in model, which
greatly reduces the risk of consent being given by mistake. Consent cannot be obtained by
ticking the checkbox "I accept the Terms and Conditions and Privacy Policy", which is a
fairly popular solution. It is bad practice and we recommend abandoning it.
OK, so how and in what form should we collect consents so that they are valid? First, we
recommend collecting declarations from your customers in the double opt-in model; this
removes most doubts. Second, we recommend using simple and clear language. Third, we
recommend informing your customers of their rights as fully as possible (if space on your
website is limited, you should definitely do it in the confirmation email).
A newsletter pop-up could look like this (to make it easier, let's use the data of XYZ sp.
z o.o.; it will be clearer then):
Example no. 1
Newsletter consent.
☐(optional)
I agree to the processing of my personal data for the purpose of receiving the
newsletter.
☐(optional)
I agree to receiving commercial information on the selected products.
☐(optional)
I agree to receiving commercial information and special offers also by text
message.
We do not like checkboxes and spam. However, we do like sending really good offers. Tick
the consents above if you want to receive unique information on our special offers.
Remember that you can always withdraw your consent. If you want to find out more
about how we protect your privacy, see the Privacy Policy or write an email to
rodo@xyz.com. Your data controller is XYZ.
The extended version is presented below.
Example no. 2
Sign up for the newsletter and get a 10% discount for shopping!
Please enter:
[_____________] [email] [_____________] [first name]
[_____________] [phone number]
Who will be the personal data controller?
XYZ spółka z ograniczoną odpowiedzialnością (limited liability company), with its
registered office in Kraków (31-153) at ul. Rynek 1, NIP (tax identification number)
394873948, KRS (National Court Register): 871972, gdpr@xyz.com (hereinafter referred
to as: XYZ)
For what purpose will we use your personal data?
We want to use the personal data you share with us to inform you about special offers and
contests we organise at our store, and to encourage you to shop with us again (marketing).
Consent is voluntary and refusing it has no consequences. If you wish to withdraw your
consent at any time, write to us at gdpr@xyz.com.
How will we use your personal data?
If you give your consent, we would like to contact you by email or by phone. We will send
you our newsletter and inform you about special offers and contests. If you give us your
first name, we will personalise the message.
[] I agree to the processing of my personal data by XYZ for marketing purposes and to
communicating with me in order to inform me on special offers and contests.
[] I agree that my personal data will be transferred by XYZ to ABC spółka z ograniczoną
odpowiedzialnością in order to communicate with me and inform me on special offers
and contests of XYZ.
[Send]
If you have given your consent, you will receive a message from us. Confirm the consent
and use your discounts! If you do not confirm the consent, we will not process your
personal data for marketing purposes.
In the confirmation email you have plenty of space to give the customer more
information.
Example no. 1
Great! You have almost signed up for our unique newsletter. Before you click the
activation link, read the following information (link to the Privacy Policy).
Remember that your data controller is XYZ with its registered office in K. You can always
amend or correct your personal data, withdraw your consent at any time, or even demand
the transfer or deletion of your data. The list of entities to which we provide your data is
available here. Our purpose is to provide our services in the best possible way. Your data
will be stored as long as is necessary to protect your rights (e.g. for the warranty or
limitation period when you buy a product). If you have any questions or doubts, contact us
by email at gdpr@xyz.com. Your safety and trust are of the highest importance to us!
PS Remember that you can lodge a complaint with the supervisory authority, the President
of the Personal Data Protection Office, with its registered office in Warsaw.
ACTIVATION LINK
Example no. 2
Hello!
Thank you for your interest in our newsletter. We would like you to know that we take the
protection of your personal data seriously. If you have any questions or doubts, you can
contact us at any time.
We want to tailor our offer to your needs as well as possible. For this reason, we have
prepared a lot of information we consider important.
1. Your Personal Data Controller will be _________, with its registered office in
________, NIP _____, KRS: ______, (hereinafter referred to as Controller).
2. You are entitled to request access to your personal data, their rectification,
erasure, restriction of processing and transfer (portability).
3. You are entitled to withdraw your consent at any time.
4. You gave us your first name, email address and phone number. We will process
these data for marketing purposes. We would like to contact you and inform you
on special offers and contests at our store.
5. The Controller's Data Protection Officer is (...). You can contact the officer by
phone (...) or by email (...).
6. We will store your data only as long as we still send you the newsletter. If you are
no longer interested in the newsletter, you can withdraw the consent at any
time.
7. We will use your email address to contact you. By its means, we will send you
information on our services which we think you may find interesting.
8. We will use your phone number to contact you. By its means, we will send you
information on our services which we think you may find interesting.
9. We will use your first name to send you personalized messages.
10. If you believe your personal data are being processed unlawfully, you have the right
to lodge a complaint with the President of the Personal Data Protection Office.
11. As the Controller, we use the services of various external providers to improve the
way we provide our services. The personal data you give us will be transferred to
ABC Spółka z ograniczoną odpowiedzialnością with its registered office in Kraków
at ul. Wawelska 77/333, NIP: 0009090909, KRS: 9831729. The company provides
us with services connected with direct marketing: it prepares the content of
personalised messages. We cannot do everything on our own. We are bound to the
Company by a data processing agreement which ensures that your data are protected
by the Company to the same extent as by us. As the Controller, we are also
responsible for the entities which process your personal data on our behalf.
You ticked that you agree to the processing of your personal data by XYZ for marketing
purposes and to communicating with you in order to inform you on special offers and
contests.
If you have concerns whether the consents collected so far will be valid after 25 May 2018,
consider sending your customers information on their rights together with a renewal of the
consents. You can send them an email with the relevant information or use a pop-up on
the website.
Remember that if you transfer customers' data, you should inform them of this fact.
Remember that any consent can be withdrawn at any time, with no negative
consequences and as easily as it was given.
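The double opt-in model and the accountability requirement described above (consent must be unambiguous, and you must be able to prove you received it) can be implemented as a small consent register. The following Python example is added here for illustration; it is not edrone's code and not part of the law firm's recommendation. It assumes a hypothetical ConsentStore whose activation link is an HMAC-signed token, a seven-day validity window for unconfirmed sign-ups, and the purpose names "email_marketing" and "sms_marketing"; the signing key and the sample customer are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Exact wording shown next to the checkbox; its hash is stored with every record so the
# controller can later prove WHAT the customer agreed to (accountability principle).
CONSENT_TEXT_V1 = ("I agree to the processing of my personal data by XYZ for marketing "
                   "purposes and to communicating with me in order to inform me on "
                   "special offers and contests.")
TOKEN_TTL = timedelta(days=7)  # assumption: unconfirmed sign-ups lapse after a week


def utc(*args):
    """Timezone-aware timestamp helper used by the example and its callers."""
    return datetime(*args, tzinfo=timezone.utc)


@dataclass
class ConsentRecord:
    record_id: str
    email: str
    purposes: tuple            # only the boxes the customer actively ticked
    text_sha256: str           # hash of the wording the customer saw
    requested_at: datetime
    source: str                # where it was collected, e.g. "newsletter popup"
    confirmed_at: datetime = None                  # set by the activation link (double opt-in)
    withdrawn: dict = field(default_factory=dict)  # purpose -> time of withdrawal


class ConsentStore:
    """Double opt-in consent register with an HMAC-signed activation link (hypothetical)."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._records = {}

    def _sign(self, rec, expires_ts):
        # Bind the link to the record, its expiry, the address and the wording, so it cannot
        # be replayed for another record or after the consent text has changed.
        msg = f"{rec.record_id}.{expires_ts}.{rec.email}.{rec.text_sha256}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    # Step 1: the customer ticks boxes on the website. Nothing is pre-ticked, so only
    # purposes with a True value are recorded; an empty selection is not a consent.
    def request(self, email, ticked, consent_text, source, now):
        purposes = tuple(p for p, on in ticked.items() if on)
        if not purposes:
            raise ValueError("no purpose ticked; nothing to record")
        rec = ConsentRecord(secrets.token_hex(8), email.strip().lower(), purposes,
                            hashlib.sha256(consent_text.encode()).hexdigest(), now, source)
        self._records[rec.record_id] = rec
        expires_ts = int((now + TOKEN_TTL).timestamp())
        return rec.record_id, f"{rec.record_id}.{expires_ts}.{self._sign(rec, expires_ts)}"

    # Step 2: the customer clicks the activation link from the confirmation email.
    def confirm(self, token, now):
        try:
            record_id, ts_str, sig = token.split(".")
            expires_ts = int(ts_str)
        except ValueError:
            return False
        rec = self._records.get(record_id)
        if rec is None:
            return False
        # Constant-time comparison: a guessed or tampered link must not confirm anything.
        if not hmac.compare_digest(sig, self._sign(rec, expires_ts)):
            return False
        if int(now.timestamp()) > expires_ts:
            return False
        if rec.confirmed_at is None:
            rec.confirmed_at = now
        return True

    # Withdrawal is as easy as giving consent: no confirmation round-trip. The record is
    # kept, not deleted, because it is the proof of what was agreed, when and until when.
    def withdraw(self, record_id, purpose, now):
        rec = self._records[record_id]
        if purpose in rec.purposes and purpose not in rec.withdrawn:
            rec.withdrawn[purpose] = now

    # Gate that marketing code must pass before sending anything for a given purpose.
    def may_process(self, record_id, purpose):
        rec = self._records.get(record_id)
        return (rec is not None and rec.confirmed_at is not None
                and purpose in rec.purposes and purpose not in rec.withdrawn)

    # Proof of consent for an audit or an access request: who, which wording, when, from where.
    def proof(self, record_id):
        rec = self._records[record_id]
        return {"email": rec.email, "purposes": list(rec.purposes),
                "consent_text_sha256": rec.text_sha256, "source": rec.source,
                "requested_at": rec.requested_at.isoformat(),
                "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None,
                "withdrawn": {p: t.isoformat() for p, t in rec.withdrawn.items()}}
```

The point of the design is that may_process() answers False before the link is clicked, after the link has expired, for a purpose the customer never ticked, and after withdrawal, while the record itself survives withdrawal so that proof() can be handed over in the "Request for information" scenario from the beginning of this recommendation.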
[NOT ONLY CONSENT!]
Remember that consent is only one of six legal bases for processing personal data. Of
course, not all of the remaining bases will apply in your case. Those you will find most
useful are:
1) processing necessary for the performance of a contract;
2) processing necessary for the purposes of the legitimate interests of the controller.
Use consent as the legal basis when you ask for data you do not otherwise need. For
example, if you run an online store, you will process your customers' personal data such as
name, address, email and phone number. You need these data to deliver the shipment to
the addressee and, consequently, to perform the contract. However, if you offer a
newsletter or try to convince your customer to shop at your store again in some other way,
you should consider consent as the legal basis for
processing. Direct marketing may also be regarded as carried out in the controller's
legitimate interest (Recital 47 of the GDPR says so). Be careful, however, not to use this
legal basis as a remedy for every doubtful processing activity.
Apply the data minimisation principle: process only the data necessary for your purpose.
[PROFILING]
Let's start with the legal definition of profiling. Under Article 4(4) of the GDPR, it is any
form of automated processing of personal data consisting of the use of personal data to
evaluate certain personal aspects relating to a natural person, in particular to analyse or
predict aspects concerning that natural person's performance at work, economic situation,
health, personal preferences, interests, reliability, behaviour, location or movements.
This means that profiling has three elements:
1) it is automated;
2) it is carried out on personal data;
3) its objective is to evaluate personal aspects of a natural person.
According to the Working Party guidelines (WP 251), profiling should be distinguished
from automated decision-making. If we use profiling on our websites, it is simply another
form of processing our customers' personal data. However, if profiling results in decisions
made solely by automated means, without human involvement, that produce legal or
similarly significant effects for the data subject, Article 22 of the GDPR applies: such
decisions are permitted only where necessary for a contract, authorised by law, or based
on the data subject's explicit consent.
Let's keep in mind that the GDPR provides for a far-reaching right to information.
Consequently, if we use profiling to make automated decisions, we should inform the
profiled data subjects:
1) that they are being profiled;
2) about the logic involved in the profiling and decision-making;
3) what the purposes of profiling are and how they can object to it or contest the
decision taken.
If you use a system monitoring the behaviour of your users, you should inform them of this
fact. Your activities should be as transparent to your customers as possible.
You can use the GDPR Widget by edrone:
[Name of the website] We analyse anonymised information about our users in order to
better adjust our offer and the content of the website to your needs. The website also
uses cookies, e.g. to analyse website traffic. You can set the conditions for storing and
accessing cookies in your browser.
The notice above was prepared in a more conservative version. In theory, data collected
while profiling (determining only how a certain user uses the website) could be considered
not to be personal data, since they do not allow a specific user to be identified.
Nevertheless, many monitoring systems link the information gathered while profiling with
the IP address, which, according to the prevailing view, is personal data.
For example, data on the characteristics of a certain user (in an online store, e.g. the
finding that a customer most frequently views offers of black Nike men's shoes) do not by
themselves allow identification. However, once combined with data enabling identification,
such as the IP address, they are, according to the prevailing view, data protected by the
GDPR.
If, while profiling, only data on the way the website is used are collected and, until
registration, the dataset does not include data allowing the user's identification (i.e. the
aforementioned IP address or location), it will probably be possible to simplify the notice
and drop the objection form. Given how general the GDPR is on the problem of profiling,
we must recommend special care at the current stage.
[GET PREPARED!]
Let's come back to the beginning. You have received multiple requests from your
customers and you have one month to answer them. A good practice is to create a
subpage where you publish all the information and to which you can refer once you get
inquiries. We have prepared a text which we hope you will find helpful.
PS Remember to ask the e-commerce platform of your store how they have prepared for
the GDPR and whether any features are available that will make it easier for you to
implement the GDPR and, consequently, focus on your business!
INFORMATION ON PERSONAL DATA PROCESSING
The controller of the data you provide is XYZ spółka z ograniczoną odpowiedzialnością,
with its registered office in Kraków (31-542) at ul. Rynek 1, entered into the Register of
Entrepreneurs of the National Court Register (KRS) maintained by the District Court for
Kraków-Śródmieście in Kraków, 11th Commercial Division of the National Court Register,
under KRS number 123456, NIP 847391873 and REGON 298179872.
(optional!) The Controller has appointed a Data Protection Officer: ___________
You can contact the Data Protection Officer by email at: ___________@______
WHAT DATA DO WE PROCESS?
We process only the data you give us. To register on our website, we require your email
address, name and address. Processing these data is necessary for us to conclude a sales
contract, contact you about it and deliver the goods you ordered.
Additionally, you can provide more personal data in your profile. Providing these data is
voluntary and will help us personalise the offer addressed to you and make contact easier.
It is entirely up to you whether you provide more data, and you can change your settings
at any time.
On our website there is also an automated system which helps us adjust our offer to you
as well as possible. We do not make automated decisions which affect your rights. We just
want our offer to be tailored to you.
AIM OF PROCESSING
The main purpose for which we process your personal data is the conclusion and
performance of a contract. We want to sell our products and you want to buy them. We
are proud that you chose us.
If you have given the relevant consent, the data you provided will be used for marketing
purposes. We will send you messages with information on available special offers, events,
contests and bonuses. If you provided data other than an email address, we will be able to
personalise our offers and messages for you. Consequently, you will receive information
matching your interests and preferences. Nobody likes spam.
In order to constantly improve our service, we process the data you provided for statistical
purposes. We want to keep improving, hence we need to know our users well.
If you have any questions, do not hesitate to write to us. We will answer all your doubts.
BASIS FOR PROCESSING
We process the data you provide while registering on the website, and which are necessary
for shipment, on the basis of the contract. We have to know your name and address in
order to send you a shipment. An email address is needed so that you can register on our
website and we can contact you.
The data you voluntarily give us for marketing purposes are processed on the basis of your
consent, which can be withdrawn at any time.
We also use the data you voluntarily provide for statistical purposes. The legal basis for this
processing is our legitimate interest: we need to know what happens on our website in
order to keep improving it.
TO WHOM DO WE TRANSFER YOUR DATA?
In order to ensure the highest quality of our services, we use the services of external
providers. We choose our partners with utmost care. Below, you will find the categories of
entities to which we transfer your data:
1) courier companies;
2) hosting company;
3) payment systems;
(If you want to indicate specific entities, you can also complete the table according to the
following template)
YOUR RIGHTS
If you have any doubts, questions or you would like to get more information, do not hesitate
to write to us. We will answer!
Remember that:
● You have the right to withdraw your consent at any time. It will have no negative
consequences; we will simply stop sending you our marketing emails. Withdrawal does not
affect the lawfulness of the processing carried out on the basis of consent before its
withdrawal. If you want to withdraw your consent, edit your profile data or write to us.
● you have the right to request access to your personal data;
● you have the right to rectify your personal data or even have them erased. Erasure of
the data which are necessary for the provision of services is tantamount to deleting your
account on the website;
● you have the right to object to the processing of your data and to request that it be
restricted;
● you have the right to data portability where consent or a contract is the basis for the
processing;
● you have the right to lodge a complaint with the President of the Personal Data
Protection Office.
HOW LONG DO WE STORE YOUR DATA?
For as long as you are with us, we process your data. When you delete your account, we
store your data solely for the limitation period for claims.
You can always contact us. We will try to help!