The mass media have recently reported news of the largest fine in Latvia to date (EUR 150,000) being levied on an e-commerce company for breaches involving failure to comply with requirements of the General Data Protection Regulation (“GDPR”). Considering the company’s circumstances, as cited by the National Data Office in its decision, this article explores requirements that must be met by any company processing personal data on its website to steer clear of the fine prescribed by the GDPR.
The GDPR governs all companies offering goods or services to EU nationals and applies to any e-commerce company using the data of persons living in the EU. The GDPR covers all databases containing user information, such as credit card data and purchase data.
Under the GDPR, breaches (including the one in Latvia) attract fines of up to EUR 20 million or – in the case of the Latvian company – up to 4% of its worldwide turnover in the previous financial year.
Failure to comply with the GDPR may not only cause a large financial loss but also harm the company’s reputation, reducing its ability to win business in the future.
A privacy statement is a public document that must describe how the company applies the principles of data protection. The GDPR requires a privacy statement to be concise, transparent and unambiguous, and it must use a simple language to ensure that any person visiting the company’s website is informed in a comprehensible way about data processing done by the company.
The majority of large companies have probably put up a privacy statement on their websites, paying attention to the following aspects:
The GDPR aims to provide customers/users with complete control over the use of their data online, including e-commerce. Consent is a key element of data protection.
For example, an e-commerce company must have legitimate solutions for obtaining consent and for further data processing based on that consent. A privacy statement must provide all the required information about collecting, processing, storing and using customer/user data. When personal data is processed in forms, registration processes, emails and pop-up banners, the company must enable the user to give or withdraw consent to the use of their data.
Below are the main questions about personal data processing based on consent:
(to be completed)
It’s your choice to accept these or not. You can either click the 'I accept all’ button below or use the switches to choose and save your choices.
These cookies are necessary for the website to operate. Our website cannot function without these cookies and they can only be disabled by changing your browser preferences.
These cookies allow us to measure and report on website activity by tracking page visits, visitor locations and how visitors move around the site. The information collected does not directly identify visitors. We drop these cookies and use Adobe to help us analyse the data.
These cookies help us provide you with personalised and relevant services or advertising, and track the effectiveness of our digital marketing activities.