GDPR in e-commerce

Although there is no doubt that detailed rules on the processing of personal data are needed, it must be admitted that the multitude of requirements and obligations placed on entrepreneurs can be overwhelming. Working with partners from the e-commerce sector allowed DVS to specialize in personal data protection and to understand the pains that come with it. This mix of knowledge and experience inspired us to put Polish online stores under the magnifying glass. The survey, conducted from November 2020 to January 2021, brought results that may be worrying on the one hand, but on the other clearly show what work needs to be done.


E-commerce under the magnifying glass

Da Vinci Studio analyzed 300 Polish e-commerce sites, taking into account both general legal requirements (privacy policy, terms and conditions) and very detailed information contained in checkboxes. Cookies, contact forms and newsletters were also checked. The resulting report collects examples of personal data violations that are common among Polish e-shops. The aim of DVS was not to stigmatize entities that “fell in the struggle with GDPR” but to show what can be fixed. After all, this is what most companies – not only those operating in the e-commerce industry – are looking for.

– The tools that we have designed so far, as well as the ongoing cooperation with our legal partners, have allowed us to deeply understand the topic of personal data protection and to find optimal technological solutions in this area – explains Wojciech Bachta, CEO at Da Vinci Studio.

GDPR in e-commerce – what works and what should be improved?

It’s time to delve into the report itself. According to the GDPR in e-commerce study, 93% of Polish e-commerce companies have a privacy policy, which is quite a good result. Unfortunately, things are worse when it comes to information about the scope of collected data, which only 66% of e-shops provide. The customer should also know how long his or her data will be stored by a particular business entity – only 38% of companies in the industry provide such information.

There is a lot of room for improvement when it comes to the use of cookies. While a cookie notice is visible on the websites of 76% of the checked companies, only 42% of them let the user give consent themselves, through checkboxes that are not pre-selected by default. GDPR specialists remind us that consent given by default is, from a legal point of view, simply… invalid.

The report also showed that more than half (57%) of the verified e-commerce sites do not have a contact form. What’s worse, where there is one, in most cases it is incomplete. As many as 80% of the forms have no checkbox for consent to the processing of personal data for further contact, and 79% operate without an information clause or a clear reference to the privacy policy. It’s hard to disagree that these are things that need immediate improvement.

Whether to use a newsletter remains an individual choice of each company (although it’s hard to deny that, properly prepared, it can work wonders). According to the report, 60% of the surveyed companies use this form of contact with clients, yet only 26% of them include information on personal data processing.

This is just some of the data. More information can be found in the report GDPR in e-commerce [link]. We encourage you to read it and draw your own conclusions!

GDPR – a never-ending process

Mateusz Sawaryn, a partner at the Sawaryn and Partners law firm, reminds us that GDPR is not a monolith that, once set up, never changes.

– Protection and processing of personal data require cyclical actions, Sawaryn emphasizes. – Running an online store requires, among other things, the introduction and adaptation of appropriate technical and organizational measures to ensure, first of all, the security of the processed data, and also that, by default, only the personal data necessary for each specific purpose of the processing is processed.

The lawyer reminds us that entrepreneurs are obliged not only to regularly check, but also (and perhaps above all!) to improve the procedures they have implemented for personal data, while always complying with the current regulations.

Data protection also applies to the internal affairs of a company, which are outside the customer’s field of vision. It involves implementing protection procedures, introducing appropriate security measures, carrying out regular training and keeping the documentation in order.

– This is an area that is invisible to users, but necessary for real personal data protection; therefore, it should be kept up-to-date and adjusted to, among other things, the company’s business and changing personnel, explains Sawaryn.


April 15, 2021