Learn how Donation Store deals with GDPR and how you can remain GDPR compliant.
GDPR stands for the General Data Protection Regulation and is Europe's "big law" regarding privacy. It came into effect on the 25th May 2018.
It gives citizens and residents control over their personal data and simplifies privacy law for international businesses.
But my Network isn't in the EU
Regardless of where your store or network is based, if you offer products and services on your store which can be purchased or used by customers located within the EU, then GDPR will apply to you.
What data is protected?
GDPR focuses mainly on protecting the data of individuals, not companies. However, the definition of "Personal Data" is broad: it covers information relating to an individual's private or professional life. Some examples of the data GDPR protects are as follows:
- A person's name
- Their home address
- A person's picture
- A person's email address
- A person's bank details
- Medical information
- Posts on social media sites
- The user's IP address
The above is a non-exhaustive list. Any data that pertains to a user's identity, or that could be used to identify that user, is the kind of data GDPR protects. This means that if your store collects ANY of this data, then you are responsible for following the laws and regulations GDPR sets out. Note that, by default, Donation Store collects some of the above data (explained in a later section), so your store is responsible.
Where does Donation Store come in?
While Donation Store allows you to collect data about individuals through your store, it is important to note that you are, in fact, the data controller, meaning you are responsible. However, Donation Store provides tools and information that help you meet your obligations as a data controller in the eyes of GDPR.
GDPR defines a number of rights that an individual has. Using Donation Store means that you are responsible for fulfilling some of these rights, but it helps you to do so in the best way possible. The applicable rights are explained in detail below, showing how Donation Store helps.
The Right to be Informed
Your Terms and Conditions should set out the terms that you enforce on the person purchasing items on your store. For example, perhaps you want your customers to agree that they are over the age of 13, or have their parents' consent if they are not.
You should also provide a clear refund policy in your Terms and Conditions. Explain how refunds work and what customers can expect when they apply for a refund.
You should also mention information regarding chargebacks and how you handle them on your store.
Terms and Conditions are the legal agreement between the customer on your webstore and you, the store owner. Any conditions you want to impose should be in your Terms and Conditions.
- Explain what PII (Personally Identifiable Information) you collect on your store for a given customer. For the default installation of Donation Store this includes:
  - Email address
  - Full name
  - If enabled, their billing address
  - Their Minecraft username and UUID
  - Their IP address
- Explain which users will have access to the data. Do all staff members have access to the data, or only certain users? What do the authorised parties do with this data?
- If you use the data for other external purposes, explain what they are. Do you save the data externally in spreadsheets, external databases, or email marketing tools like Mailchimp? Do you store their data on your network's linked website? If so, explain where and why you store this data. You should also make sure that you explain where this data is physically located. Is it in a database somewhere? What country does this data reside in?
- Explain the activities that you as the store owner may perform on the data collected, whether it be to provide customer support, marketing, etc.
- If the data is exported and stored outside of the EEA, confirm that the country it has been exported to has adequate levels of protection for the data, that it has been approved by the European Commission, and that you are following best practices to control the data correctly.
The Right of Access/Right of Rectification
You are required to inform the customer that they have the right to see what data is collected about them. You must provide this information, and you must also change/rectify the data if the customer wishes.
The Right of erasure (the right to be forgotten)
If you receive a request to delete a customer's information, you should first verify the customer's identity by asking them some questions about their previous orders or their data, to ensure the right customer is making the request. At no point should you give any sort of information over to the user. For example, if you are confirming their billing address you should not do the following:
"Is 123 Fake Street your billing address?"
Instead you should ask:
"What is your billing address?"
Once you have verified the identity of the customer, you can delete the customer from the Donation Store control panel. This will delete all of the user's information from the database including all of their payments.
The right to data portability
Data portability means the right to receive personal data in a machine-readable format and to request that such data be transferred from one controller to another. You cannot charge for this service; it is your obligation. To export a customer's data, simply click on them in the Donation Store control panel and click "Export Data". This will return a JSON object containing their data.