# GDPR and E-commerce: A guide to achieving compliance

By Marine Boquien, Dastra Blog. Published 2024-07-02, last updated 2024-07-02.

Data protection has become a major concern for consumers and businesses.

The General Data Protection Regulation (GDPR) imposes strict rules to ensure the confidentiality and security of personal information.

This article aims to guide e-commerce businesses in their efforts to comply with the GDPR.

## What is the GDPR?

The GDPR is a regulation of the European Union designed to harmonize data protection laws across the EU, strengthen citizens' rights to privacy, and impose increased obligations on businesses regarding the processing of personal data.

To find out more about the GDPR, read our article: [What is the GDPR?](https://www.dastra.eu/en/article/what-is-the-gdpr/57249)

## Key principles of the GDPR

1. **Transparency**: Clearly inform users about how their data is collected and used.
2. **Purpose limitation**: Collect data only for specific, explicit, and legitimate purposes.
3. **Data minimization**: Collect only the data necessary for the declared purposes.
4. **Accuracy**: Keep data up to date and accurate.
5. **Storage limitation**: Retain personal data only for as long as necessary for the declared purposes.
6. **Integrity and confidentiality**: Ensure the security of data against unauthorized or unlawful processing.

## Obligations of e-commerce businesses

The legislation requires taking certain measures to ensure the security of the e-commerce database.

Article 5 of the GDPR emphasizes three essential axes for this protection:

### Data security

It is essential to guarantee the integrity and protection of the collected personal data while minimizing the risk of loss in the event of a breach. The extent of the security measures depends on the sensitivity of the data involved (last name, first name, age, banking information, etc.).

To secure e-commerce data, we invite you to start with the basics of digital hygiene:

- Keep your antivirus up to date.
- Keep your software up to date.
- Regularly change your passwords.
- Encrypt collected data.

Although these may seem basic, data breaches often start with simple and common vulnerabilities that are overlooked.

### Data records, access, and retention periods

The head of the company is legally responsible for the company's data records. To optimize file security, it is crucial to determine which departments and members of your company can access them.

This privileged access must be clearly defined and documented to ensure transparency and traceability of how the data is accessed and used.

Your data record should provide an overview of the processing of personal data collected within the company, including:

- The purpose of collection (customer loyalty, cart recovery, etc.)
- The categories of data collected (for example, for customer loyalty: last name, first name, gender, date of birth)

➡️ Dastra offers a feature that allows you to create and collaboratively manage [data processing registers](https://www.dastra.eu/en/product-features/data-processing).

For an e-commerce business, data retention is crucial for legal, operational, and security reasons.

Here are some examples of the types of data that an e-commerce business might retain, along with typical retention periods and the reasons why this data is important:

1. **Transaction data**:
   - **Examples**: Order details, purchase history, invoices.
   - **Retention period**: Generally 5 to 10 years.
   - **Reason (or purposes)**: Tax and accounting compliance, dispute resolution, sales trend analysis.

2. **Customer data**:
   - **Examples**: Names, addresses, phone numbers, email addresses, interaction history.
   - **Retention period**: As long as the customer has an active account and for a few years after the account is deactivated.
   - **Reason (or purposes)**: Customer service, personalized marketing, customer loyalty.

3. **Payment data**:
   - **Examples**: Credit card information (typically tokenized), billing details.
   - **Retention period**: Usually, payment data is retained for the duration necessary to process the transaction, with tokenized or masked elements kept longer for security and tracking purposes.
   - **Reason (or purposes)**: Payment processing, fraud prevention.

4. **Site browsing and usage data**:
   - **Examples**: IP addresses, cookies, browsing history, user preferences.
   - **Retention period**: 6 months to 2 years.
   - **Reason (or purposes)**: User experience optimization, targeted marketing, site usage analysis.

5. **Customer support data**:
   - **Examples**: Chat records, support emails, support tickets.
   - **Retention period**: 1 to 3 years.
   - **Reason (or purposes)**: Improvement of customer service, dispute resolution, internal training.

6. **Legal compliance data**:
   - **Examples**: Identity verification documents, user consents.
   - **Retention period**: Dependent on local legal requirements, often 5 to 7 years.
   - **Reason (or purposes)**: Compliance with regulations (such as the GDPR in Europe), fraud prevention.

### Best practices for data retention

1. **Data retention policy**: Establish a clear policy describing how long each type of data is retained and why.

2. **Data security**: Implement robust security measures to protect stored data, including encryption, firewalls, and regular audits.

3. **Regulatory compliance**: Ensure compliance with local and international data protection laws, such as the GDPR, the CCPA, etc.

4. **Limited access**: Restrict access to sensitive data to only those employees who need it for their work.

5. **Secure deletion**: Ensure that data is securely deleted when no longer needed, using methods such as secure erasure or physical destruction of storage media.

These practices not only ensure legal compliance but also build customer trust and enhance the security of e-commerce operations.

#### What to do in case of a data breach?

Zero risk does not exist when it comes to computer security. If your store is the victim of a malicious attack or an unintentional data alteration, it is imperative to report any compromise to the CNIL (French Data Protection Authority).

This report must be made online on the CNIL website. In the event of a major incident, you must also inform the affected individuals so that they can take the necessary measures.

➡️ With Dastra, easily create your incident reports! Store and manage your data breach records. [Test now and improve your security](https://www.dastra.eu/en/product-features/data-breach)!

## How do I know if I am in compliance? How do I get up to date?

Wondering if your store is GDPR compliant or if adjustments are needed? Don't panic: the CNIL offers a MOOC, a distance learning program specifically designed for professionals.

This training, called 'L’atelier RGPD', was developed by CNIL lawyers and is completely free. It consists of four essential modules to guide you in your efforts:

1. **The GDPR and its key concepts**
2. **Principles of data protection**
3. **Responsibilities of the actors involved**
4. **The DPO and compliance tools**

At the end of the MOOC, participants receive a certificate of completion, which is a valuable bonus.

## What are the penalties for non-compliance?

Now that you know how to comply with the GDPR, it is important to be aware of the potential consequences in case of non-compliance:

- A reprimand
- Temporary or definitive limitation of data processing
- Suspension of data flows
- An administrative fine of up to 20 million euros
- An administrative fine of up to 4% of the company's annual global turnover

These penalties serve as a serious reminder of the importance of GDPR compliance!

Compliance with the GDPR is essential for e-commerce businesses not only to avoid severe penalties but also to gain consumer trust!

[Request a demo](https://www.dastra.eu/en/contacts/demo)