A basic foundation for being able to implement a successful GDPR adaptation of Askås e-commerce platform has been to find out what is classified as a personal data and when and where processes of this personal data are done in the system.
This survey, which was done early in the process, was a starting point for the development of new features.
Authorization feature - Set up accounts and conditions for controlling which backend features individual employees and entire staff groups are allowed to handle in the system.
GDPR analysis - Feature which at the touch of a button creates a report that lists functions, customizations and external connections where personal data is involved. This report can be used as support, for example to create texts for customer consent. (See consent feature below).
Consent feature - Create and collect consents from customers in different places and at different events in the store.
Logging of personal data processing - When personal data is altered in any way in the system, this is logged. The log is only available to Askås but can be requested if needed.
Mass update of passwords - Tool that makes it possible for our clients to update the passwords of a number of customers at the same time, based on given customer IDs.
Removal - Set up rules for how customer information should be stored and cleared out.
Right to be forgotten - An end consumer has the right to demand to have personal data completely removed from the system.
Personal data export - Feature for exporting personal data about a specific customer.
Logged sessions in the backend - Authorization and access for Askås staff to our customers' stores are regulated. The purpose is to limit unnecessary exposure of personal data.
What responsibilities do Askås and our customers have?
Askås has the role of personal data assistant (Personuppgiftsbiträde), and this is regulated in new and supplemented agreements between us and our customers. As a supplier and partner, we have developed our product, our e-commerce platform, and have continuously provided information about GDPR.
It is our customers, and not Askås, who are responsible for personal data towards the end consumers. Customers decide for themselves how they want to use the GDPR features we develop. Customers must set up their own rules for removal of personal data, write their own consent texts and are responsible for communication with their customers. (Translated text from Datainspektionen).
What is personal data?
All kinds of information that can be directly or indirectly attributed to a natural person who is alive are counted as personal data according to GDPR.
Images and sound recordings of individuals processed on a computer can also be personal data, even if no names are mentioned. Encrypted information and various types of electronic identities, such as IP numbers, are counted as personal information if they can be linked to natural persons. (Translated text from Datainspektionen)
What does data controller mean?
The person responsible for personal data is normally the legal person (for example a limited company, foundation or association) or the authority that processes personal data in its activities and which decides which data is to be processed and what the data is to be used for. (Translated text from Datainspektionen)
What does data processor mean?
The personal data processor is the person who processes personal data on behalf of the person responsible for personal data, for example a service provider or web host. A personal data assistant is always outside your own organization. (Translated text from Datainspektionen)
More reading: www.datainspektionen.se