Data protection
Introduction
The Swiss Data Protection Act (CH-DSG) and the European General Data Protection Regulation (EU-GDPR) protect personal data and regulate its handling. For online shops, this means that they must comply with legal requirements when collecting, storing and processing customer data in order to guarantee the privacy of users.
When you are affected
- CH-DSG:
- You have a branch, branch office or subsidiary in Switzerland
- You process personal data via a Swiss company
- You deliberately offer services to persons resident in Switzerland
- You monitor the behaviour of Swiss persons*.
- EU GDPR:
- You have an establishment, branch or subsidiary in the EU
- You process personal data via an EU company
- You deliberately offer services to persons residing in the EU
- You monitor the behaviour of EU persons*.
*Google Analytics and similar tracking tools are in the foreground here.
If you are affected, there are now a few points that you must comply with.
Note: We are not legal advisors and accept no liability. For legal advice, we recommend that you consult a lawyer.
Shop settings
We will now look at the individual settings in your web shop.
Trusted Shops
If you have a Trusted Shops certification, please also note the separate guide to Trusted Shops.
Google Analytics
Since May 25, 2018, IP addresses must be transmitted in hidden form. Activate the anonymization of the IP addresses in the shop administration so that you can continue to use your Google Analytics module in a compliant manner.
To do this, go to the shop administration under Module → Analytics
Important note: Please do not forget to include the use of analytics in your privacy policy / terms and conditions. Google also requires a data processing agreement. The process of setting up this contract will be simplified from May 25, 2018: From then on, the contract no longer has to be printed out and sent by post to Ireland. You only need to confirm the contract electronically in the Analytics settings.
Cookies
Operators of online offers are obliged to inform visitors about the use of cookies. Make sure that the cookie message is activated under Settings → General → System Configuration with “Use Cookie Manager”, and that the setting “Default essential cookies” is also activated, to comply with the Privacy by Default premise.
Since the judgment by the Federal Court of Justice of May 28, 2020, in which the highest judicial authority in Germany agreed with the ECJ judgment of 2019, it is absolutely necessary to obtain the active and voluntary consent of the visitor before non-essential cookies are used on a website. It is best to integrate a professional consent management tool such as Usercentrics or the Trusted Shops Consent-Manager. As soon as you have the HTML/JS code for use on your page from the respective consent manager, integrate it for each language in the shop administration: ‘Settings’ → ‘Languages’ → ‘Header variables (e.g. Meta tags)’ → ‘Choose language’ → paste the code into the text field labelled HEADER VARIABLES. The Consent Manager will then be active after saving. From PepperShop v.8 there is also a Consent Manager Module, which conveniently controls such settings automatically.
Credit Checks
According to the new data protection regulation, you must inform your customers whenever their data is passed on to third parties (in this case to a credit rating provider such as MF Group, SwissBilling, Billpay, Klarna or similar).
PepperShop now offers you three options for pointing this out to your customers:
- No: No information is displayed to the customer that his data will be forwarded to the credit rating provider. (Note: This checkbox may only be activated if you are not affected by the CH-DSG / EU-DSGVO)
- Inform: The customer is informed that his data will be forwarded to the credit rating provider.
- Confirm: The customer must confirm that their data will be forwarded to the credit rating provider. (Note: This checkbox is mandatory if you are affected by CH-DSG / EU-DSGVO)
Important note: Please clarify whether you also need a data processing contract with your credit checker.
E-Payment
If you offer payment methods via a payment service provider (e.g. Saferpay, Datatrans or PostFinance), we recommend that you ask the relevant payment service provider whether a data processing contract is required.
Forms: confirming the data protection declaration and general terms and conditions
If you process personal data in your system, appropriate consent should be obtained. Depending on the input forms in your online system, the GTC and/or the privacy policy including a checkbox for acceptance may be displayed.
Recommended settings
Your customers must now also accept the terms and conditions and the data protection declaration for forms in your web shop.
At the following locations there is now the possibility to have the data protection declaration and the general terms and conditions confirmed by the customer:
- Contact form
- Newsletter Sign up
- New customer registration
- Checkout without registration (during the ordering process)
- Registration of a company (in B2B/reseller mode)
- Login Post Connector
You can see how to activate the query for the general terms and conditions and the data protection declaration in Point 2.6.1.
Activation of the request for confirmation of the general terms and conditions and the data protection declaration
You can re-request confirmation of the data protection declaration and the general terms and conditions as follows: Settings → General → Customer information/Revocation/General terms and conditions
For CH-DSG in the general terms and conditions, we recommend using only the bottom tick box.
Newsletter
Since May 25, 2018 you cannot send a newsletter without the recipient’s permission. If the customer registers for the newsletter, they will be sent a verification link by email. You may only start sending newsletters after receiving this confirmation.
In addition, the default setting for the newsletter registration must be “No”.
You can find these settings in the shop administration under Marketing → Newsletter → Settings / Export Link
Persistent shopping cart
The persistent shopping cart is an additional module that does not delete the shopping cart (with the corresponding items) even if the customer logs out.
The shopping cart can be restored using the login or the cookies. Please set the cart recovery period to a maximum of one year. Saving this data for more than a year is not permitted according to the new CH-DSG / EU-DSGVO.
You can set the persistent shopping cart in the shop administration under Modules → Persistent shopping cart.
Shipping options
If you are using the shipping options module, a data processing contract must be concluded with Swiss Post because this involves passing your data flows to a third-party provider (Swiss Post).
Hide IP address
To make a sale which is CH-DSG / EU-DSGVO compliant you have to hide the IP address of your customer. To do this, go to Settings → General → System Configuration → Hide IP Address
Customer information
View, export or anonymize saved data
If the customer requests it, you are obliged to export their data and make it available to them. To do this, pull up the desired customer via customer management and “edit” them. Scroll to the end of the page. Here you will see the CH-DSG / EU-DSGVO data management mask.
Export/download saved data
If the customer wants to see the data, you can export it here.
The data is exported as a .json file and can be opened with Notepad++.
Anonymize saved data
If the customer wants to delete all of their data and thus exercise their right to be forgotten, you can do so. Please note that no recovery is possible afterwards and all data will be irreversibly deleted.
The customer’s data is anonymized in the shop, i.e. the customer’s data will no longer be available. However, as a shop owner, you will still have things like the order.
Note: Please read the text carefully before deleting so that you are fully aware of all consequences. Make sure you have deleted all of your client’s accounts. Your customer has had the option of having multiple accounts, all of which must be deleted under the same single request. PepperShop is not an accounting department. Please remember that you should first export data that is subject to the statutory retention obligation before deleting all data.
Once you have deleted the data, you can’t get it back!
Anonymize customer data
As of version 10, the “Anonymize customer data” tab is available in the customer management under “Customers/Orders”. Here you can set up automatic anonymization, anonymize the data as a one-off or download the data records concerned. More detailed information on the functions can be found in the help text.
Contact for data protection questions
Do you have any questions about how we process and protect your or your customers’ data? Would you like general information on the subject of data protection? Then send us an e-mail to compliance@glarotech.ch. As soon as we receive your enquiry, we will process it as quickly as possible.
We would like to point out that you are responsible for concluding contracts with third parties, the content of your terms and conditions and privacy policy and for special settings depending on the intended use and customer segments. We are not legal advisors and accept no liability whatsoever. For legal advice, we recommend that you consult a lawyer.
Further help
Do you need further support? PepperShop provides you with different options.
- Often a click in the administration on the top right on the question mark icon helps. Here you can get direct help on the relevant topic.
- Various answers can be found in the FAQ. These can also be called up in the shop administration via Help&News → Help archive, or via our homepage: https://www.peppershop.com/de/services/support/faq/
- We are also available to you by email or phone (CHF 195./h) support@glarotech.ch or +41 71 923 08 58