Frequently asked questions about the GDPR and how can your business fully comply with its provisions? | CloudCart

CloudCart works constantly to ensure that the platform meets the requirements and rules for personal data protection. You know that as an innovative online business management platform, CloudCart always takes care to provide you with the latest tools and meet all the laws and requirements of the market.

Therefore, as our customer, you can easily and quickly use the ready-made functionalities that we offer you. We have also prepared answers to the most frequently asked questions that continue to excite businesses regarding personal data and the EU General Regulation on GDPR (General Data Protection Regulation).

Let's take a look at the most frequently asked questions related to GDPR:

What is GDPR and since when is it applicable in our country?

The so-called general regulation on personal data protection (General Data Protection Regulation или GDPR) is an European Union legislation which, once applicable, obliges controllers and processors of personal data (individuals, companies and institutions) to comply with certain rules and processes when collecting, storing and processing personal data of individuals (data subjects). Regulation (EU) 2016/679 of April 2016 imposes new rules for the management of this type of information, due to the development of online commerce, social networks and the analysis of large data sets. The GDPR regulation became applicable in Bulgaria on May 25, 2018. In issue 17 of the State Gazette of February 26, 2019, in the Тhe law on personal data protection (LPDP) the new changes were announced, which brought compliance with the European regulations. The last update of LPDP is from November 26, 2019.

Is it true that the fines under the GDPR are high?

Yes, the amount of fines for infringements is one of the important aspects of the new general regulation. Penalties for those who process and store personal data can reach up to EUR 20 million or 4% of annual turnover (in the case of a company). Sanctions vary depending on whether or not the admin stores and processes personal data in accordance with the regulation.

Who is the responsible authority that monitors compliance with GDPR regulations?

According to Regulation (EU) 2016/679, Member States should provide one or more independent public bodies to monitor compliance with the requirements of the GDPR. According to Chapter Two of the Personal Data Protection Act, the supervisory body in Bulgaria is the Personal Data Protection Commission (PDPC).

If my company is small, should I also follow the GDPR regulation?

The general EU regulation (European Union) on GDPR applies in cases where the company (or institution) based within the EU collects, stores personal data, and processes it. If a company is established outside the EU, but its activity is related to the supply of goods or services to individuals in the EU, it is assumed that it processes personal data of individuals and should apply the provisions of the GDPR. To this end, companies established outside the EU must appoint a representative to process personal data on behalf of the data controller. Shortly, GDPR affects all companies and institutions that process the personal data of their customers or employees. To understand the extent to which regulation applies to your business, you must first analyze all processes in it. Regulation is long and some parts of it affect different businesses to varying degrees. If your business has anything to do with the IT industry, the financial, or insurance sector, healthcare and pharmacy, you practice online sales, or rely on some modern form of marketing - yes, the GDPR affects you.

What does "data minimization" mean?

GDPR obliges companies to collect and process personal data for specific and clearly defined purposes. You may not process the same information for purposes that go beyond those originally set without a different legal basis, such as additional and specific consumer consent.

When can I process personal data?

The processing of personal data may be applied when necessary for the performance of a contract, in the performance of legal obligations of companies, and / or institutions, in actions of a public interest (eg journalistic investigations), in the legitimate interest of the data processor,  and of course, when the user has given his explicit consent to the use of personal data.

How do I prepare to comply with the EU's General Regulation on GDPR?

As a processor of personal data, you must be perfectly aware of this:

• what information about individuals enters and leaves your company and business.
• what are the procedures for accessing and processing it.
• whether your customers, users or employees are also informed about them.
• do they need to give you permission to process personal data.

Should I be able to delete data?

Individuals (data subjects) have the right to request to be "forgotten" - ie. the information collected about them to be deleted forever. The reasons for the need to destroy information could be:

• the data is not needed for the purposes of which it was collected.
• the user withdraws his consent to data processing.
• the consumer appeals to the company's justification for collecting data (in case of an allegation of "legitimate interest").
• the data has been collected / processed without legal grounds.

The user may not request the deleting of data where this would prevent the controller from fulfilling his obligation, make a claim or jeopardize basic principles such as freedom of expression or research.

What is categorized as personal data?

This is any information that can be used to identify a particular individual. According to the GDPR, your business should only collect information related to a specific purpose and legal basis, and the ways in which it will be protected (with limited access, strict procedures, specialized software and hardware, etc.) should be at the heart of every business process. It is mandatory to provide processes for the destruction of information in case your user, employee or contractor requests it.

Should there be a data protection officer in my company?

The role of the Data Protection Officer (DPO) is to monitor the process of personal data processing, as well as to provide information and advice to employees processing personal data. PDPO (personal data protection official) does not have to be an additional employee, the position can also be performed by an employee of the company, who can be appointed by order as a personal data administrator. Furthermore, there is no obligation for each company to appoint such a person, except in the following three cases:

• the company is a public administrative body (NRA, NSSI, Traffic Police and others).
• in carrying out activities related to large-scale monitoring of individuals, hospitals, hotels, utility providers).
• in carrying out activities related to the processing of the so-called "Sensitive data" (racial, ethnicity, political beliefs, sexual orientation, etc.).

In case you are not sure whether you need a PDPO you should contact a lawyer.

How should I collect the data of my customers at my online store?

According to the EU General Regulation on GDPR, companies and institutions can process personal data of individuals only under a few specific conditions. One of them is that the client has explicitly agreed to this. This means that he is clearly and specifically informed about all the purposes for which his data is used. Consent can be given online, but the data controller must be able to prove that he has received it and has it.

Should I give my customers the technical ability to manage the data they provide at my store?

Tacit consent or pre-selected bookmarks in online forms are not considered free consent. There should also be a sufficiently simple procedure for individuals to withdraw their consent to their data being processed.

Will I have the documents and functionalities that I need as an online merchant prepared?

Yes, with the GDPR bundle for your online store you will get:

• Additional clarifications to the General Terms and Conditions
• Privacy policy
• Policy for collecting information through cookies
• GDPR Email Policy for "Incomplete Orders"
• Protocols for action performed by the data controller
• A bar that shows all the cookies used
• Fields for agreement with additional policies to the store
• Functionality that records user actions
• Functionality for exercising the right of transferring data
• Customer’s information profile

Who has created the documents and functionalities of the GDPR bundle?

The new CloudCart  app for GDPR is created through the partnership between the technical and the law departments.

Whom is the GDPR bundle suitable for?

The GDPR bundle will meet any merchant’s requirements who has an online store, regarding the use of personal data of its customers and potential customers for the purposes of order processing, remarketing, or service.

When and how to pay for using the GDPR app?

You can pay through the button in the GDPR app at the admin panel of your store. The bundle is paid once and stays active through the whole period of using and administrating your online store.

If I buy the GDPR bundle, does it mean that everything is set?

No, you need to use the documents and clauses you have purchased, as well as the settings we provide in the package. The GDPR package provides the data management documents in your online store, and if you want to help your company fully meet all GDPR requirements, we will analyze your business and help you after you contact us at gdpr@cloudcart.com.

Does the GDPR app contain all required documents?

Yes, all required documents regarding the use of personal data and the regulations of GDPR for your online store are available.

Will I qualify for GDPR if I do not purchase the app for my online store?

No. The application contains the functionalities through which your store will automatically record the actions and permissions of each of your customers,  regarding the use of their personal data. According to the requirements of the GDPR, as an online trader you are obliged to store the information of your customers and to tell them when and for what they have given their consent.