Frequently Asked Questions About GDPR
The GDPR harmonized data privacy laws across Europe. It gives EU residents greater protection over how their personal information is used.
Even three years after it came into force, many are still unsure of the basics of GDPR. That's why in this guide, we have the answers to the top 10 questions everyone asks about the GDPR.
NOTE: The information provided here is intended to be educational and should not be construed as legal advice. AVADA encourages all of our customers, as well as all E-commerce merchants, to seek legal advice for counsel on how they specifically should comply with the GDPR.
10 frequently asked questions about GDPR
1. What is the GDPR?
GDPR stands for the General Data Protection Regulation. GDPR came into effect on 25th May, 2018 as the new European Union Regulation, replacing the Data Protection Directive (DPD) and the UK Data Protection Act 1998.
After many years of debate, it was approved by the EU Parliament on April 14th 2016. It relates to the protection of personal data and the rights of individuals. Its main target is to ease the flow of personal data and increase privacy and rights for EU residents across all member states.
Any organization which processes and holds the personal data of EU citizens is obliged to abide by the laws set out by GDPR. This applies to every organization, regardless of whether or not they reside in one of the 27 EU member states.
2. What rules should businesses follow to ensure compliance?
GDPR Article 5 states that personal data must be:
- Processed lawfully, fairly, and in a transparent manner
- Collected only for specified, explicit, and lawful purposes
- Adequate, relevant, and limited to what is necessary
- Accurate and kept up to date
- Kept only for as long as it is needed and no longer
- Protected in a manner that ensures its security and integrity
3. What are the penalties for GDPR breaches?
The GDPR introduced a tiered approach to fines, which means that the severity of the breach determines the fine imposed.
The maximum fine a company can face is 4% of their annual global turnover, or €20 million, whichever is higher. For less serious violations, such as having improper records, there is a maximum of 2% of their annual global turnover, or €10 million.
Each year significant fines are issued for GDPR breaches. In the year following the introduction of the regulation, these reached hundreds of millions. Although the biggest penalties have got smaller, they still reach tens of millions.
4. If we can't prove explicit opt-in for legacy profiles, is there a way to confirm consent via email?
Prior to GDPR going into effect (May 25, 2018), it was common practice to send a re-permissioning campaign to any of your subscribers in the EU. Nevertheless, now that GDPR is in effect, we no longer recommend this practice. Before contacting any of your existing subscribers or customers for whom you cannot prove explicit opt-in, please consult your legal team.
5. Does everyone need a Data Protection Officer (DPO)?
It is not compulsory for organizations to appoint a DPO. It depends on a number of factors. A DPO is required if companies:
- Are a public authority, with the exception of courts acting in their judicial capacity
- Carry out large scale systematic monitoring of individuals, such as online behavior tracking
- Carry out large scale processing of special categories of data or data relating to criminal convictions and offences
Any organization can appoint a DPO if they wish to do so. However, even if a company chooses not to appoint a DPO because the above doesn't apply to them, they must still ensure that they have sufficient staff and skills in place to be able to carry out their obligations under the GDPR.
6. How do we prove consent, including the day a subscriber opted in?
In addition to using double opt-in, you are required to retain the language that was presented to the consumer in the form, email, or webpage where they provided consent. Therefore, you will have to be able to produce both the time/date that they consented and exactly what they consented to.
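The two requirements above (a double opt-in step, plus a retained copy of the exact wording and the date/time of consent) can be met with a small consent ledger. The following is an added example, not AVADA's code; the `ConsentLedger` class, its method names and the `form_source` label are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


def consent_digest(text: str) -> str:
    """SHA-256 of the exact wording shown, so a later edit to the form text is detectable."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _utcnow() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class ConsentRecord:
    email: str
    consent_text: str                    # verbatim text the subscriber saw next to the checkbox
    form_source: str                     # hypothetical label for where it was captured
    requested_at: str                    # ISO-8601 UTC: when the box was ticked
    token: str                           # single-use secret sent in the confirmation email
    confirmed_at: Optional[str] = None   # set only when the emailed link is followed


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def request(self, email: str, consent_text: str, form_source: str) -> ConsentRecord:
        """First step: store what was shown and when, and issue a confirmation token."""
        rec = ConsentRecord(email, consent_text, form_source, _utcnow(), secrets.token_urlsafe(32))
        self._records[email] = rec
        return rec

    def confirm(self, email: str, token: str) -> bool:
        """Second step of double opt-in: constant-time compare, and a token works only once."""
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is not None:
            return False
        if not hmac.compare_digest(rec.token, token):
            return False
        rec.confirmed_at = _utcnow()
        return True

    def evidence(self, email: str) -> Optional[dict]:
        """Proof of consent to produce on request; None until the second step is completed."""
        rec = self._records.get(email)
        if rec is None or rec.confirmed_at is None:
            return None
        return {"email": rec.email, "consent_text": rec.consent_text,
                "consent_text_sha256": consent_digest(rec.consent_text),
                "form_source": rec.form_source,
                "requested_at": rec.requested_at, "confirmed_at": rec.confirmed_at}
```

Only a confirmed record yields evidence, and a confirmation link cannot be replayed, so the stored `confirmed_at` is the real opt-in date rather than the moment the form was submitted.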
7. Should I update the fine print where I capture email addresses to include information about how that data is stored in AVADA?
Yes, your fine print should be updated to reflect the following guidance for EU prospects and customers:
- Use clear, plain language that is easy to understand
- Specify why you want the data and what you are going to do with it
- Name your organization and any third party processors you will be using
- Tell individuals that they can withdraw their consent
8. Am I required to get consent on all personal data from consumers?
Your only option to have a lawful basis for collecting or processing sensitive data is explicit consent. For other personal data, there may be several options when it comes to establishing a lawful basis, but consent is one that organizations frequently rely upon.
Other lawful bases include:
- The processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering a contract
- The processing is necessary for compliance with a legal obligation
- The processing is necessary to protect the vital interests of the data subject or another person
- The processing is necessary for the legitimate interests of the business and such interests are not outweighed by the interests or fundamental rights of the data subject
- The processing is necessary for a task performed in the public interest or to fulfill the responsibilities of a public official
We recommend consulting your legal team to determine the appropriate lawful basis for the processing of data by your organization.
9. Is an Abandoned Cart email GDPR compliant?
The answer to this one is not entirely clear; nevertheless, many organizations take the view that you can still send abandoned cart emails without explicit consent to marketing communications, on the basis of legitimate interest. You may be able to consider an abandoned cart email as a communication relevant to the explicit intent to complete a transaction with your business. Other triggered emails, such as browse abandonment and winbacks, on the other hand, may not be permissible unless customers have previously consented to receive marketing emails from you in a GDPR compliant fashion.
That said, the applicability of legitimate interests or any other legal basis will depend on the specific circumstances, including, for instance, the number and frequency of emails and the amount of time that has elapsed since the cart was abandoned. We highly recommend you consult with your legal team about your email campaigns to confirm they are compliant with applicable law.
10. What did AVADA do to prepare for GDPR?
As a customer of AVADA who puts data about your end users into your product, you are a Data Controller. We act as a Data Processor for you. We are also a Data Controller in supplying services to you (as an AVADA customer) and making decisions about your personal data.
We got ready for GDPR by preparing for our own compliance - as well as making it easy for you to comply as a data controller. For more information about GDPR in AVADA, head to this page and our guide on How to Set up GDPR Compliant.
Updated on: 07/09/2021