Intershop - Data Protection and Security

The 25th of May 2018 was an important day for data protection and personal rights. At the same time, it was a special day for web shop managers selling goods to, or processing data of, citizens within the European Union: it was the day the General Data Protection Regulation (GDPR) entered into force. The new regulation builds on the former Data Protection Directive and extends it to protect the rights of individuals regarding their personal data. Personal data is defined as all data that can be used to identify an individual. Such personally identifiable information includes, for example, the name, email address or phone number (provided as contact information), or the IP address, geolocation or behavioral data of a person (collected via web tracking).

Hence, regarding web shops, the GDPR concerns three areas of personal data:

  1. The regulation applies to all data which is actively provided by a user (login, address data, etc.). This data is provided, for example, when an account is registered. The user gives consent by accepting the terms and conditions of the web shop and by proceeding with the registration process.
  2. It also applies to observed data (order history, web tracking, etc.) which is passively provided by a user. This data is processed, for example, to improve the user experience and is used for web shop optimizations.
  3. The actively and passively collected data can also be used to generate new personal data, which makes it possible, for example, to provide customer-specific product recommendations. The regulation also applies to this generated personal data, as it could be used to identify an individual.

Regarding areas 2 and 3, the personal data is collected or generated in the background, that is, below the threshold of a person's awareness. As a result, this data is collected and processed without the explicit consent of the user. This is where the new regulation applies most strongly, in order to give users better means to control what data is processed and for what purpose.

Another very important aspect of the GDPR is explicit consent.

This concerns in particular all data which is passively provided by the user and all data which is shared with third-party services:

  • To ease the implementation of consent, all web tracking capabilities of the ICM are deactivated by default. As a web shop manager you may use additional web tracking (e.g., Google Analytics, Piwik, Open Web Analytics or similar). Consequently, you have to inform your customers about the personal data which is recorded and submitted to such third-party services.
  • If your shop provides payment via a payment gateway provider (e.g., PAYONE, Computop), be aware that your customer has no legal contract with the payment gateway provider, nor with any further third-party services that actually process your customer's personal data. Under the GDPR, you, as the shop manager, are responsible for keeping this information accessible and erasable upon customer request.

Regarding possible customer requests, we considered the relevant aspects and implemented features that allow a fast export and deletion of all personal data collected within the ICM. A customer can request her or his personal data, or the deletion of the account, either as a registered user via the My Account section or as an unregistered user via the Contact Us form.

No matter which way the customer prefers, the request is processed in the back office by the Customer Service Representative (CSR).


We have provided tips against nasty surprises in our resources section.

Furthermore, we are offering a special GDPR workshop. For further information and questions regarding the GDPR, please contact me.

Alexander Maciej Rossudowski, Senior IT Security Expert