
GDPR Compliance

Learn how Donation Store deals with GDPR and how you can remain GDPR compliant.

Introduction


GDPR stands for the General Data Protection Regulation and is Europe's "big law" regarding privacy. It came into effect on the 25th May 2018.

It gives EU citizens and residents control over their personal data and simplifies privacy law for international businesses by making it clear and consistent.

Want to learn more about GDPR and the law surrounding it?


Click here to read the official document regarding GDPR

But my Network isn't in the EU


Regardless of where your store or network is based, if you offer products and services on your store which can be purchased or used by customers located within the EU, then GDPR will apply to you.

What Data is Protected?


GDPR focuses mainly on protecting the data of individuals, not companies. However, the definition of "Personal Data" can extend beyond the obvious identifiers, whether it relates to an individual's private or professional life. Some examples of the data GDPR protects are as follows:

  • A person's name
  • Their home address
  • A person's picture
  • A person's email address
  • A person's bank details
  • Medical information
  • Posts on social media sites
  • The user's IP address

The above is a non-exhaustive list. Any data that pertains to a user's identity, or that could be used to identify that user, is the kind of data GDPR protects. This means that if your store collects ANY of this data, then you are responsible for following the laws and regulations GDPR sets out. Note that, by default, Donation Store collects some of the above data (explained in a later section), so your store is responsible for complying.

Where does Donation Store come in?


While Donation Store allows you to collect data about individuals from your store, it is important to note that you are, in fact, the data controller, meaning you are responsible for that data. However, Donation Store provides tools and information that help you meet your obligations as a data controller in the eyes of GDPR.

Individual Rights


GDPR defines a number of rights that an individual has. Using Donation Store means that you are responsible for fulfilling some of these rights; however, it will help you to do so in the best way possible. The applicable rights are explained in detail below, along with how Donation Store helps with each.


The Right to be Informed

Customers must be informed of your Terms and Conditions and your Privacy Policy. Both are provided to you and can be edited through the Donation Store control panel in your webstore's settings. When purchasing from your store, users are asked to accept both your Terms and Conditions and your Privacy Policy.


Terms and Conditions Tips

Your Terms and Conditions should set out the terms that you enforce on the person purchasing items on your store. For example, perhaps you want your customers to agree that they are over the age of 13, or that they have their parents' consent if they are not.

You should also provide a clear refund policy in your Terms and Conditions. Explain how refunds work and what customers can expect when they apply for a refund.

You should also mention information regarding chargebacks and how you handle them on your store.

Terms and Conditions are the legal agreement between the customer on your webstore and you, the store owner. Any conditions you want to enforce should be in your Terms and Conditions.


Privacy Policy Tips

Your Privacy Policy contains less about the agreements between you and your customers on your webstore; instead, it should outline how you collect and store a customer's personal data on their behalf. Some of the points you should cover in order to have a sound Privacy Policy and to be GDPR compliant are:

  • Explain what PII (Personally Identifiable Information) you collect on your store for a given customer. For the default installation of Donation Store this includes:
    • Email address
    • Full Name
    • If enabled, their billing address
    • Their Minecraft Username and UUID
    • Their IP Address

  • Explain which users will have access to the data. Do all staff members have access to the data, or only certain users? What do the authorised parties do with this data?

  • If you use the data for other external purposes, explain what they are. Do you save the data externally in spreadsheets, external databases, or email marketing tools like Mailchimp? Do you store their data on your network's linked website? If so, explain where and why you store this data. You should also explain where this data is physically located. Is it in a database somewhere? What country does this data reside in?

  • Explain the activities that you, as the store owner, may perform on the data collected, whether to provide customer support, marketing, etc.

  • If the data is exported and stored outside of the EEA, confirm that the country it has been exported to has adequate levels of protection for the data, that this has been approved by the European Commission, and that you are following best practices to control the data correctly.

  • You are required to inform the customer that they have the right to see what data is collected regarding them. You must provide this information and you must also change/rectify the data if the customer wishes.


The Right of Access/Right of Rectification

Donation Store doesn't provide an area for users to log in and see the data you have linked to them, as there are no user accounts on Donation Store's webstore. However, it is advised that in your Privacy Policy you make it clear that a customer can request a copy of the information you hold about them. You should also mention that the user can have this information changed if they would like.


The Right of erasure (the right to be forgotten)

If you receive a request to delete a customer's information, you should first verify the customer's identity by asking them some questions about their previous orders or their data, to ensure the right customer is making the request. At no point should you disclose any of their stored information to the requester during this check. For example, if you are confirming their billing address you should not ask:

"Is 123 Fake Street your billing address?"

Instead you should ask:

"What is your billing address?"

Once you have verified the identity of the customer, you can delete the customer from the Donation Store control panel. This will delete all of the user's information from the database including all of their payments.


The right to data portability

Data portability means the right to receive personal data in a machine-readable format and to have that data transferred from one controller to another. You cannot charge for this service; it is your obligation. To export a customer's data, click on them in the Donation Store control panel and click "Export Data". This will return a JSON object containing their data.

Summary


Donation Store's webstore does not collect a large amount of personally identifiable information, so if you implement the above, you will remain GDPR compliant. We will let you know if GDPR changes in any way. If you have any questions regarding GDPR or need more information about how your Privacy Policy should be set up, please do not hesitate to open a support ticket, and we will be delighted to help you.



Other clients and Donation Store developers hang out on our Discord server, where you can ask for support in #ds-chat. If you are a Client and you don't yet have your Client role on Discord, let us know and we can add it. Once added, you get access to our private Client support channel.