As you know, every eCommerce must comply with the LOPD, that is, with the regulations that apply to electronic commerce. However, when you do not know much about the law, doubts soon appear: what is the LOPD? How do you comply with it in an eCommerce? Are there more laws on data protection in online stores?
We want to talk to you about all of this today, so that, if you are not complying yet, you do so as soon as possible, since non-compliance carries sanctions if it is discovered.
What is the LOPD
Before telling you how you must comply with the LOPD, you need to know what we are referring to by that name.
The initials LOPD refer to Organic Law 15/1999, of 13 December, on the Protection of Personal Data. In other words, it is a regulation whose aim is to protect and guarantee that the personal data users leave with you remains private and is not seen by anyone else.
All online stores must comply with this regulation, because you handle the personal data of the people who visit your website. For example, when someone places an order with you, you have access to their name, postal address and email, and you are obliged to protect all of it.
In fact, the LOPD is not the only regulation an eCommerce must comply with (although on this occasion we are going to focus on it). There are more regulations you should be aware of:
- General Data Protection Regulation, known by its Spanish acronym RGPD (GDPR in English).
- Organic Law on Data Protection and Guarantee of Digital Rights. Although you may think it is the same as the LOPD, it is not: it is the norm that incorporates the previous regulation, the RGPD, which is why it is known as the LOPDGDD.
- Law on Information Society Services and Electronic Commerce, with the initials LSSI-CE. Its objective is to regulate the transactions that are made, as well as communications and users' rights.
- General Law for the Defence of Consumers and Users, known as LGDCU.
How to comply with the LOPD
Focusing on the LOPD, you should know that there are several ways to comply with the law. You could hire a company specialised in legal matters to review your website and adapt it to what you must comply with. Another option is to join the Confianza Online seal, a procedure that does cost money, but much less than the first route we have mentioned.
And what must be fulfilled for an eCommerce?
If you analyse the LOPD, you will discover that there are three major blocks you must take into account for an eCommerce. These are:
Notification
You must notify the Spanish Data Protection Agency (the AEPD) of the files in your possession that contain personal data.
To do this, you fill out a form, either in person or online.
Related to this, you should know that article 88 of the Regulation implementing the LOPD (Royal Decree 1720/2007) establishes that you must have a security document for each file, which must be kept up to date and reflect the maximum security measures.
Get consent
That is, you must inform the user of what you are going to do with the data they provide and obtain their consent for it. You must also define the steps by which that person can access their data, update it or delete it outright.
This means you must make it clear what happens to their data: whether it will be kept in a private file, whether you will share it with third parties, whether you delete it after x months...
Data Protection
The files where the collected data is stored must be kept protected, not only physically but also technologically. In fact, not everyone may access them, only authorised people.
And, for an eCommerce to comply with this, one of the first keys is to use hosting from a provider that operates within the law (preferably a European one, because they are the ones that best comply with the LOPD).
Within data protection there have been recent changes that you must comply with, which are:
- The right to be forgotten, in the sense that a person can completely delete all their data.
- Protection against profiling. If you do not know what we mean, this refers to the creation of discriminatory profiles. The data may only be used by the eCommerce for its own purpose, and in no case for any purpose other than the one for which it was obtained.
- Data portability, in the sense that the user can request that their data be transferred from one website to another, from one social network to another, etc.
- The processing of personal data, because only the person concerned can consent to their data being processed. Otherwise, it would be illegal.
How to adapt an eCommerce to current legislation
Based on all of the above, the next step is to make sure your site has everything it needs to comply with the law. To that end, you will have to:
Put the legal texts
That is, you need to include a legal notice, a privacy policy, a cookie policy, and the contracting and sale conditions.
Data protection officer
Only when your company (in this case your eCommerce) is very large and therefore handles massive amounts of data will you need to appoint a data protection officer, who must ensure that the regulations are complied with.
Do risk analysis
These are tests that verify whether the security systems are strong enough to prevent the data from leaking.
An eCommerce that handles special or sensitive data, or whose processing poses a risk to rights and freedoms, will also have to carry out an impact assessment.
Have express consent
Express consent from the people concerned. Tacit consent is not valid: they now have to authorise you explicitly so that you can hold, store and process their data. Likewise, users can access, rectify, delete, limit, port and object to this data. That is, they are free to manage it and you must abide by what they ask for, including the right to be forgotten.
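As an added example that is not part of the original article, the following Python sketch models the obligations from the "Get consent" and "Have express consent" sections: consent is recorded only on an explicit action (a pre-ticked box or silence is refused), data may only be processed for the purpose it was given for, and each of the rights listed (access, rectify, delete, limit, port, object) maps to one operation. All class, method and field names are this example's own assumptions, not terms from the LOPD or any official API.

```python
"""
Added example, not code from the original article: an in-memory model of the
consent and data-subject-rights obligations described above. The names used here
(CustomerStore, ConsentRecord, ConsentError, ...) are assumptions of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass
class ConsentRecord:
    purpose: str           # the single purpose the user was told about
    granted_at: datetime   # when the affirmative action happened
    policy_version: str    # which privacy text the user actually saw


class ConsentError(Exception):
    """Raised when processing is attempted without a valid basis."""


class CustomerStore:
    """Holds each customer's data together with the consent that justifies it."""

    def __init__(self):
        self._data = {}           # customer_id -> dict of personal data
        self._consent = {}        # customer_id -> ConsentRecord
        self._restricted = set()  # customers who asked to limit processing

    # --- express consent: a tacit or pre-ticked consent is rejected -----------
    def register(self, customer_id, personal_data, purpose, policy_version,
                 checkbox_ticked, checkbox_prechecked):
        if checkbox_prechecked or not checkbox_ticked:
            # No affirmative action by the user: no consent, so nothing is stored.
            raise ConsentError("express consent required: tacit consent is not valid")
        self._consent[customer_id] = ConsentRecord(
            purpose, datetime.now(timezone.utc), policy_version)
        self._data[customer_id] = dict(personal_data)

    def knows(self, customer_id):
        return customer_id in self._data

    # --- purpose limitation: data may only be used for the purpose consented ---
    def process(self, customer_id, purpose):
        if customer_id in self._restricted:
            raise ConsentError("processing limited at the user's request")
        consent = self._consent.get(customer_id)
        if consent is None or consent.purpose != purpose:
            raise ConsentError(f"no consent for purpose {purpose!r}")
        return dict(self._data[customer_id])

    # --- data-subject rights -------------------------------------------------
    def access(self, customer_id):
        return dict(self._data[customer_id])

    def rectify(self, customer_id, field_name, new_value):
        self._data[customer_id][field_name] = new_value

    def erase(self, customer_id):
        # Right to be forgotten: the data and its consent record go together.
        self._data.pop(customer_id, None)
        self._consent.pop(customer_id, None)
        self._restricted.discard(customer_id)

    def limit(self, customer_id):
        # Limitation: keep the data but stop processing it until told otherwise.
        self._restricted.add(customer_id)

    def export_portable(self, customer_id):
        # Portability: a machine-readable copy the user can take elsewhere.
        consent = self._consent[customer_id]
        return json.dumps({"customer": self._data[customer_id],
                           "consent": {"purpose": consent.purpose,
                                       "policy_version": consent.policy_version}},
                          sort_keys=True)

    def object(self, customer_id):
        # Objection withdraws the consent; further processing then fails.
        self._consent.pop(customer_id, None)


if __name__ == "__main__":
    # Constructed sample data for a local run.
    store = CustomerStore()
    store.register("c1", {"name": "Ana", "email": "ana@example.invalid"},
                   "order_fulfilment", "privacy-v1",
                   checkbox_ticked=True, checkbox_prechecked=False)
    print(store.process("c1", "order_fulfilment"))
    print(store.export_portable("c1"))
```

The store refuses to keep any data when the box was pre-ticked or never ticked, which is the practical meaning of "tacit consent is not valid"; and because `process` checks the purpose, a request to use order data for profiling fails even though the data exists.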
Is it clearer now what the LOPD is and how to comply with it if you run an eCommerce?