What is GDPR?

The General Data Protection Regulation (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive. The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”). It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached. The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data. In summary, here are some of the key changes to come into effect with the upcoming GDPR:

  • Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, amongst other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
  • Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
  • Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
  • New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
  • Increased enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.

If you are a company outside the EU, you should still be aware of this. The provisions of the GDPR apply to any organization that processes personal data of individuals in the European Union, including tracking their online activities, regardless of whether the organization has a physical presence in the EU. If you have any questions, please don’t hesitate to contact us at info@racadtech.com.

What do W2P Customers need to do?

There are two things that you might need to do depending on your situation and jurisdiction. Below are the only impactful changes that we can foresee that might affect you as a result of using W2P:

  1. Make sure your Terms of Service or Privacy Policy properly communicate to your users how you are using W2P (and any other similar services) on your website or app. We have updated the Privacy Policy to factor in the GDPR in a generic way. The GDPR can heavily penalize you if you’ve not done this clearly. Therefore we recommend you ensure the policies are up to date and clear to your readers. Any changes that you recommend can be incorporated by us if required.
  2. If you are in the European Union you’ll likely want to sign a Data Processing Agreement with W2P. We’re happy to do so.

Companies using Racad Tech’s W2P Solutions, such as GOePOWER, W2P Cloud, W2P Shop, GoPrint2 and uDRAW, are considered to be controllers – ‘a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. Racad Tech is the processor – ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.

GDPR responsibilities as a Controller

As a Controller, you need to share GDPR-related information with your customers. If a store is created for a specific business customer, the sales contract should cover your and their GDPR responsibilities. You also need to have certain processes in place to be compliant. When the text below refers to W2P users, it refers to store users as well as company and printer administrators.

Storage of personal data

W2P stores personal data of all users. Some fields are mandatory, such as the user’s full name, email address, salutation/gender (if known) and preferred language. Users can see these fields and modify them. Optionally, you can define additional fields and hide these from users. The order history of users is also stored. Stores should include a privacy statement, which you can make available to users using one of the information pages. This privacy statement should provide answers to the following questions:

  • What personal information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on the individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

In a separate Record of Data Processing Activities you need to document which data are stored, who has access and why these data are needed. We have a generic Privacy Policy that you can review, which covers the issues raised by the GDPR. However, it is advisable that Controllers review it to ensure compliance within their jurisdictions and apply it as applicable. You should only store personal data that are relevant for use in W2P. Special care should be taken with sensitive or judicial information, such as religion or sexual orientation. Because some of our customers’ stores may use a tracker such as Google Analytics, our privacy policy is written to account for that possibility and its conformity with the GDPR.

Data confidentiality and security

It is important that all personal data are transferred and stored in a secure fashion.

  • All sensitive data communication between the user’s browser and W2P uses the encrypted HTTPS protocol.
  • When users access a store and leave their browser window open, W2P will automatically close the session after a set amount of time. This minimizes the risk of other people tampering with the account data of the user.
  • When a security breach leads to a data leak, the local supervisory authority must be informed within 72 hours. All affected users must also be warned. An example of such a leak could be a disloyal employee who exports a list of all the users to make it available to a competitor. To minimize such risks, immediately deactivate the accounts of employees with admin-level access rights who leave the company. When a data breach occurs, you must not only report it but also document which measures were taken to prevent such a breach from recurring in the future.
  • If you share or sell user data to other parties, users must be aware of this.

Accuracy of personal data

Personal data should be accurate and kept up to date. This means users must be able to see their personal data and have the means of correcting them. The privacy statement should explain how users can access and update their respective data. When custom fields are used in user profiles and users are prevented from modifying these themselves, the privacy policy should specify the procedure users can use to ask you to modify these data.

Data retention policy

Personal data should not be retained for longer than necessary. If a store for a business customer is no longer in use, you are expected to delete the user profile data it contains within a reasonable time frame. How long personal data are retained is up to you to decide. It is acceptable to wait a few years before doing so, since customers sometimes switch between suppliers, and having the store data at hand if they become a customer again after a year is perfectly fine.

  • You are allowed to archive user profile data, prior to deleting them. This can be done using Export.
  • Other legislation may take precedence over this rule. For example, in most countries invoices must be kept for several years. We recommend exporting all invoices prior to deleting accounts.

Right to be forgotten

Users have the right to have their personal data removed in W2P. Since they cannot delete their profile data themselves, a W2P producer or administrator has to do this for anyone asking to be removed. Our Privacy Policy stipulates the procedure that users should follow by asking them to send an e-mail with their full name and the subject line ‘Request to Delete Information’.

Consent must be freely given

The GDPR legislation puts certain restrictions on your ability to subscribe customers to a newsletter. This is especially important if you operate public stores. E-mail marketing is a powerful way to reach out to customers, but you cannot add users to your mailing list without their explicit consent or legitimate interest.

W2P’s GDPR responsibilities as a processor

W2P is hosted by Racad Tech, who acts as a processor of the personal data you manage. Racad Tech commits to complying with the GDPR legislation. Below are its key responsibilities as a processor:

  • Processor’s obligation of confidentiality – Processors must ensure that the personal data that they process are kept confidential.
  • Records of processing activities – In order to ensure compliance, EU data protection law requires processors to keep records of their data processing activities, and to provide the information in those records (or make it available on request) under Data Processing Agreements.
  • Data security – EU data protection law obliges processors to ensure the security of the personal data that they process.
  • Data breach reporting – One of the key issues in maintaining the security of personal data is ensuring that the relevant decision makers are aware of any data breaches and are able to react accordingly.
  • Liability of processors – EU data protection law recognizes the possibility that processors may be liable for breaches of their legal or contractual obligations. Processor duties include, but are not limited to:
    • Processing data only as instructed by the controller
    • Using appropriate technical and organizational measures to protect personal data
    • Assisting the controller with data subject requests
    • Only appointing sub-processors with the permission of the controller
    • Ensuring sub-processors it engages meet these requirements

Specifically with regard to W2P, the following points are important:

  • Each W2P account has a main administrator or producer. This is the person who is the first to get access to the Back End administration and has the ability to add other administrators. In some instances this user account (containing a first name, last name, salutation and e-mail address) is managed solely by Racad Tech. To have such a producer account updated, please contact the Racad Tech support team.
  • The W2P License and Service Agreement has been updated to accommodate GDPR requirements.
  • If you prefer to establish a separate Data Processing Agreement with W2P, please provide such a document to your W2P account representative and/or email info@racadtech.com.

In summary, it is essential that your W2P users can access your privacy policy within their store and that you have a Record of Data Processing Activities in place. Once those basic requirements are covered you can focus on the other aspects of the GDPR legislation. If you have any GDPR-related questions regarding W2P and its related properties, please contact W2P via email at info@racadtech.com.

Here’s a condensed version of our GDPR Roadmap and steps taken to comply with GDPR:

  • Research the areas of our product and our business impacted by GDPR – COMPLETE
  • Appoint an internal Data Protection Officer – COMPLETE – Users to contact info@racadtech.com or Racad Tech Support.
  • Develop a strategy and requirements for how to address the areas of our product impacted by GDPR – COMPLETE
  • Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR – COMPLETE