FAQ - GDPR - frequently asked questions about the protection of personal data

Are we forced to make some independent changes on our site due to the entry of the GDPR or are they automatically introduced to all customers?

GDPR imposes duties on both sides - an online store and a company entrusted with the processing data. This solves many problems in the field of technical data processing such as security, back-ups or privacy-by-design, but on the side of the online store lays the issue of preparing their procedures, describing and implementing them, appointing Data Protection Inspectors. We (IAI) can not go so deep into the procedures in the stores.

If I am not sure whether the paper contract has been sent, can I check it or do I have to contact you directly for verification?

In this case, it's best to send a ticket.

Is the certificate offered by IdoSell Shop different from the SSL certificates offered by competing companies?

We offer several types of SSL certificates. Depending on the needs of the online store, you can choose the most suitable one. For smaller stores, we recommend Commercial SSL Certificate and for larger stores Commercial Wildcard SSL Certificate.

Is having an SSL certificate on websites where you do not enter your personal details is necessary?

No, but it is highly recommended. It is something that everyone pays attention to. Secondly, it is extremely beneficial from the point of SEO view. Therefore, one way or another you should have an SSL certificate on every page.

Is there going to be a need for changes in layouts concerning the GDPR?

We do not anticipate changes in layouts in connection with the entry of the GDPR.

Are EU clients' data stored in the EU?

All customer data from the European Union is stored in the European Union, at the moment the data is stored on the territory of Poland.

What are the rules of the GDPR concerning placing orders "without registration" and the fact that in IdoSell Shop such an order is not very different from the usual one (in the administration panel) and the controller of personal data does not know that the client has used such an option?

The order without registration is treated in the same way as any other order: the client does not create an account, but transfers data in order to execute the transaction, allows the processing of data and accepts standard regulations. Anyway, this data needs to be saved somewhere to process it to handle the order. There is no difference here, the rules are the same.

Is sending a product evaluation request (from the IAI system) consistent with the GDPR?

Yes, if such a general record allowing us to do so will be in the regulations that the client will accept. Evaluation of products or the entire purchasing process may be a natural element of validation or evaluation of the purchase experience, and in this respect the processing of personal data seems to have business justification.

Is information in the "regulations" of auctions eg. on eBay or Allegro required that the data is processed by IAI?

Unless it violates the regulations of Allegro or eBay you can indicate which software the store uses to process transactions.

Should we have an additional signed contract with IAI as an online store, as you also have access to our database?

No, there is no need. Everything is settled by our Terms and Conditions and the Agreement. Latest and subsequent planned changes define the principles of our cooperation.

Can I apply to IAI in order to, for example review the shop's regulations for compliance with the GDPR?

We recommend a contact with a specialized law firm, preferably a few, for price verification. At the moment there are many specialized companies on the market, and we can not provide legal advice.

If I have personal data of clients in my business management / transaction service system, but they are transferred there via IdoSell Shop / Allegro, then am I their controller?

Yes, the system in which we obtain the data does not matter. They can be written on a piece of paper, said through the phone or by exchanging information through the API. The important thing is who ultimately processes the data, not what the tool is used.

What exactly is the processing of personal data referred to as "profiling Customer's online stores in the field of customer service and marketing"? Namely what category of personal data, which processing operations are concerned, and are personal data entrusted to the sub-processor?

This type of profiling consists of the automatic analysis / forecast of a given person's behavior on the website, for example by adding some product to the cart, browsing a particular item in the store, analyzing the Customer's purchase history. The categories of this personal data are customer identification data (name, surname, e-mail address, telephone number) and data on their purchase preferences. Processing operations are primarily the collection of this data, their arrangement, storage, modification and use.

Intelligent product recommendation system IAI RS and the GDPR

How will the consumer be able to opt out of collecting information about themselves?

Just block cookies in your browser.

Exactly what behavioral data is collected by the IAI RS system?

The system collects data on interactions with products (product display, comparison, favorites, adding to basket, product evaluation, product order).

Will the collected behavioral data be saved on the client tab?

No, data is transferred to are not stored in the store's database and can not be seen on the customer tab.

What if the consumer does not have an account yet? Where will such data be collected and what will it be? Will the data collected in this way be linked to an account that e.g. will be set up at a later time?

If the client does not have an account, we collect data for an anonymous client and we associate it with the cookie set on the client's device. At the time of registration / order placement, we combine previously recorded behavioral data with the customer who registered.

Can a person be identified on the basis of the information collected?

It is impossible to identify a person. We do not store IP or any personal data. IAI RS has only the client's ID, the IDs of the products ordered and the order number.

The user has the option to withdraw consent. How to do it technically on the IdoSell Shop platform? There is a checkbox to delete information about the newsletter. How would you withdraw your consent for profiling?

When it comes to profiling, especially if we use the IAI RS system it is only necessary to inform the buyer, e.g. about the Terms and Conditions. Information that the shop for the purpose of better customer service and better matching offer uses recommendation systems, which idea is that they profile the customer in the context of the shopping preferences.