Legal protection of personal data for businesses operating online

An online store or website, that is, a business (a legal entity or a natural person operating under individual activity) that receives or otherwise processes the personal data of its individual customers in order to carry out commercial activities, is considered a personal data controller and is subject to certain obligations established by legal acts:

  • If such a business processes (i.e., receives, uses, etc.) the personal data of its customers who are natural persons by automated means (in this case, via the internet), it is currently required by law to register with the Personal Data Controllers Register maintained by the State Data Protection Inspectorate (VDAI). This register specifies what personal data a particular business processes, for what purposes, etc. The register is public.
The personal data controllers’ register itself is expected to remain in operation, and the obligation to register in it should remain relevant until the second half of May 2018, when the General Data Protection Regulation (GDPR), which applies directly across the EU, comes into force. Once the GDPR takes effect, the register will likely be discontinued (although this is not entirely certain at the moment). Nevertheless, even if the register is abolished, the State Data Protection Inspectorate (VDAI) will continue to retain the data on controllers submitted up to that point and will take this information into account when investigating the activities of a specific data controller (for example, upon receiving a customer complaint).

  • A business that processes the personal data of individual customers must currently have its own internally approved personal data processing rules. These rules define the personal data protection measures applied and include other information required by legal acts. Once the GDPR comes into force in the second half of May 2018, these rules will need to be reviewed.

  • A business that collects the personal data of individual customers online (e.g., an online store) must publish an appropriate privacy policy / terms of use or a similarly titled document on its website. This document must specify, among other things: what personal data is collected via the website, for what purposes it is collected, how long it is stored, whether it is shared with third parties, what rights the data subjects have, what third-party cookies are used, and so on. An individual customer must be informed about this specific document and must give clear consent before submitting their personal data to the data controller (for example, when purchasing a product online, the customer checks a box confirming agreement with the stated terms before placing an order). If the business intends to use the collected data for a separate marketing purpose (sending newsletters, advertisements, etc.), a clear and separate consent from the data subject (the individual customer) must be obtained for that purpose.