{"id":17,"date":"2019-12-12T18:34:53","date_gmt":"2019-12-12T18:34:53","guid":{"rendered":"https:\/\/www.w3.org\/community\/dpvcg\/?p=17"},"modified":"2022-09-19T10:33:16","modified_gmt":"2022-09-19T10:33:16","slug":"data-protection-aspects-of-online-shopping-a-use-case","status":"publish","type":"post","link":"https:\/\/www.w3.org\/community\/dpvcg\/2019\/12\/12\/data-protection-aspects-of-online-shopping-a-use-case\/","title":{"rendered":"Data Protection Aspects of Online Shopping \u2013 A Use Case"},"content":{"rendered":"\n<p><\/p>\n\n\n\n<p>By Bud P. Bruegger (ULD), Eva Schlehahn (ULD), Harald Zwingelberg (ULD)<\/p>\n\n\n\n<p>When illustrating concepts pertaining to data protection, it is often useful to have a concrete use case at hand.  The following post therefore provides such a use case. Namely, it describes the various aspects of the processing activities of an online shop.  In particular, the aspects include the involved entities, the purposes pursued by the processing, the legal bases for the processing, the data necessary to fulfill the purposes, as well as the storage period necessary for this data.<\/p>\n\n\n\n<p>It is hoped that this use case can facilitate discussions on how to best describe data protection aspects of processing activities.  In that sense, it is regarded as a contribution to the Data Privacy Vocabulary Community Group.   <\/p>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">1. Involved Entities <\/h2>\n\n\n\n<p>The example of online shopping has a\nnumber of participating entities.  In particular these are:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The online shop who acts as\n\tcontroller.\n\t<\/li><li>One or several shipping\n\tservices which for the purpose of this use case illustration are\n\tassumed to act as processors of the online\n\tshop.  \n\t\n\t<\/li><li>Customers who act as data\n\tsubjects.  \n\t\n<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
Purposes <\/h2>\n\n\n\n<p>The processing activities of the\nexample online shop pursue the following purposes:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Order Processing\n\t<\/li><li>Payment\n\t<\/li><li>Order Delivery\n\t<\/li><li>Status Notification\n\t<\/li><li>Customer Convenience\n\t<\/li><li>Accounting\n\t<\/li><li>Customer Support\n\t<\/li><li>Warranty\n\t<\/li><li>Continuing Customer\n\tRelationship\n<\/li><\/ul>\n\n\n\n<p>While these purposes are treated\nseparately for analytical purposes, in actual processing there may be\na strong interdependency of purposes and a processing step may\ninvolve multiple purposes.  \n<\/p>\n\n\n\n<p>The above purposes are described in\nfurther detail in the sequel:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.1 Order Processing <\/h3>\n\n\n\n<p>Order Processing is concerned with\nwhich items are contained in an order, how these items can be\nobtained internally in the shop, what their cost is, and what is\nnecessary to package them.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.2 Payment <\/h3>\n\n\n\n<p>This purpose is concerned with\nobtaining the payment for the merchandize and the shipping of the\nmerchandize.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.3 Order Delivery <\/h3>\n\n\n\n<p>This purpose is concerned with how\nthe ordered merchandize can be delivered or shipped to the customer. \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.4 Status Notification <\/h3>\n\n\n\n<p>This purpose is concerned with\nkeeping the customer informed about the current status of the order. \nSuch notifications typically include tracking information for the\nshipment.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.5 Customer Convenience <\/h3>\n\n\n\n<p>This purpose is concerned with\nrendering it easier for customers to interact with the online store. \nIt focuses particularly on avoiding that customers repeatedly have to\ntype in the same data.  
For this purpose, it is for example common to\nstore addresses and payment instrument data across individual orders.\n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.6 Accounting <\/h3>\n\n\n\n<p>Accounting is concerned with the\noperations of the online shop as a commercial enterprise, as well as\nthe legal requirements of accounting and taxation.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.7 Customer Support  <\/h3>\n\n\n\n<p>Customer support, while potentially\nmore general in character, is here only concerned with a single\norder.  In particular, it has to handle cases where shipments are\ndelayed or lost, or where the merchandize is faulty or unsuited.  The\ncorresponding processing supports, among others, the return of\nmerchandize and possible reimbursements.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.8 Warranty <\/h3>\n\n\n\n<p>The example assumes that the online\nshop manages the warranty of certain products.  For this purpose, it\nneeds to be possible to determine that a possible warranty claim\nindeed refers to merchandize sold by the store and that the warranty\nperiod has not yet expired.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2.9 Continuing Customer Relationship <\/h3>\n\n\n\n<p>In this example, continuing customer\nrelationship is concerned with informing customers of special offers\nand new items.  It is assumed that there is no customization of\noffers for specific customers and that the activities are therefore\nrestricted to the delivery of information to customers.  \n<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Legal Bases <\/h2>\n\n\n\n<p>The different parts of the\nprocessing that make up online shopping are typically sustained by\ndifferent legal bases. The following discusses possible legal bases\nfor each purpose: \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3.1 Order Processing <\/h3>\n\n\n\n<p>The purchase of merchandize from an\nonline shop can be considered a contract.  
Order processing can thus\nbe based on Article 6(1)(b) GDPR \u201cprocessing is necessary for the\nperformance of a contract\u201d.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3.2 Payment <\/h3>\n\n\n\n<p>Payment is also necessary for the\nfulfillment of the same contract and is thus also covered by Article\n6(1)(b) GDPR.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3.3 Order Delivery <\/h3>\n\n\n\n<p>The same goes for order delivery\nthat again is covered by Article 6(1)(b) GDPR.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3.4 Status Notification <\/h3>\n\n\n\n<p>Status notifications are today\nconsidered an integral part of the operations of an online shop. \nNotifications can thus be considered part of the core activities\npursued to fulfill the contract of the purchase and the legal basis\nis thus represented by Article 6(1)(b) GDPR.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3.5 Customer Convenience <\/h3>\n\n\n\n<p>Customer convenience is not required\nfor the core activity to fulfill the contract that regulates a\npurchase.  It must therefore be an option that is offered to\ncustomers who need to grant their consent according to Article\n6(1)(a) GDPR.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3.6 Accounting <\/h3>\n\n\n\n<p>Accounting constitutes one of the core activities of any commercial enterprise.  It is further governed by laws on commerce (in Germany, for example, the <em>Handelsgesetzbuch<\/em>) and taxation (in Germany, for example, the <em>Abgabenordnung<\/em>).  Accordingly, the matching legal basis for the required processing in the GDPR is either Article 6(1)(f) \u201clegitimate interests pursued by the controller\u201d or, more fittingly, Article 6(1)(c) \u201ccompliance with a legal obligation\u201d.   <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3.7 Customer Support <\/h3>\n\n\n\n<p>Customer support is necessary for\nthe fulfillment of the contract of a purchase.  It is thus also\ncovered by Article 6(1)(b) GDPR.  
\n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3.8 Warranty <\/h3>\n\n\n\n<p>Warranty is also an integral part of\na commercial operation.  It may also be mandated by law.  The\nsuitable legal basis is thus either represented by Article 6(1)(b) or\n6(1)(c) GDPR, respectively.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3.9 Continuing Customer Relationship <\/h3>\n\n\n\n<p>An online shop informing its\ncustomer base about offers and news can under certain circumstances\nbe based on the legitimate interest of the online shop, or\nalternatively it may be possible based on request (i.e., consent) by\nthe customer.  Accordingly, the legal basis is either Article 6(1)(f)\nor 6(1)(a). \n<\/p>\n\n\n\n<p>Some EU Member states (such as\nGermany) have introduced further requirements compared to the GDPR in\ntheir national data protection laws. E.g. in Germany, there are\ndifferentiations made between marketing via email or via postal\naddress. Moreover, it may be regulated nationally which customer data\ncan be used specifically for marketing. One selected example: In\nGermany, *email* marketing for own products or products of partner\nenterprises needs to be based on explicit consent, thus excluding the\npossibility of legitimate interest. \n<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. Necessary Data Elements <\/h2>\n\n\n\n<p>The following discusses which data\nelements are necessary for the different purposes.  
\n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4.1 Order Processing <\/h3>\n\n\n\n<p>The data elements necessary to\nsupport order processing include <strong>at least<\/strong>:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>An identifier for the customer\n\t(customer number)\n\t<\/li><li>An identifier and the quantity of\n\teach ordered item\n<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4.2 Payment <\/h3>\n\n\n\n<p>The data that are necessary here\ninclude the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Total amount due\n\t<\/li><li>Payment instrument, for\n\texample:\n\t<ul><li>name of card holder\n\t\t<\/li><li>credit card number \n\t\t\n\t\t<\/li><li>expiration date \n\t\t\n\t\t<\/li><li>possibly the CVV Number (&#8220;Card\n\t\tVerification Value&#8221;)\n\t<\/li><\/ul>\n\t<\/li><li>Invoice data:\n\t<ul><li>Name of person or company\n\t\t<\/li><li>Possibly VAT number of company\n\t\t<\/li><li>Billing address\n\t<\/li><\/ul>\n<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4.3 Order Delivery <\/h3>\n\n\n\n<p>To deliver an order, the following\ndata is required:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Shipping address\n\t<\/li><li>Optionally contact information\n\tsuch as a telephone number that the shipping service can use to\n\toptimize delivery\n\t<\/li><li>Selected shipping options\n\t(courier service, standard or express, etc.)\n<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4.4 Status Notification <\/h3>\n\n\n\n<p>To deliver status notifications, a\nsuitable contact, such as an e-mail address of the customer, is\nnecessary. \n<\/p>\n\n\n\n<p>While there are evidently\nalternative ways of delivering notifications, for example as\nmessages accessible from customer accounts, for simplicity it is\nassumed that the store pushes messages to the customer.  
\n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4.5 Customer Convenience <\/h3>\n\n\n\n<p>Customer convenience, to avoid the\nneed for repeated input of the same data by the customer, stores\nthese data for later reuse.   This is typically done in connection\nwith an account that requires registration.  It typically includes\naddresses for shipments and invoices, as well as payment instrument\ninformation.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4.6 Accounting <\/h3>\n\n\n\n<p>The data necessary for accounting\nlargely depends on national legislation and the shop\u2019s accounting\npractices.  It is therefore not possible to describe what data is\nactually necessary here.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4.7 Customer Support <\/h3>\n\n\n\n<p>Customer support not only needs\naccess to the data regarding the order, the payment, and the\nshipping, it also needs to manage the communications about the\nsupport case with the customer.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4.8 Warranty <\/h3>\n\n\n\n<p>To process warranty claims, a record\nof which covered merchandize was sold on which date is necessary. \nInformation about the amount paid for the merchandise may also be\nnecessary in case of the possibility of reimbursement (in addition to\nrepair and replacement).  If the merchandise is identified by an\nindividual serial number, storing serial number and date may be\nsufficient to determine whether the merchandise is still covered by\nwarranty;  in case that the individual pieces of merchandize are\nindistinguishable and could have been purchased elsewhere, data about\nthe identity of the buyer may also be necessary.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4.9 Continuing Customer Relationship <\/h3>\n\n\n\n<p>Continuing customer relationship\nrequires contact information, such as an e-mail address, in order to\nbe able to send the relevant information.  \n<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Necessary Storage Periods <\/h2>\n\n\n\n<p>Processing activities for different\npurposes usually have different life spans until they are completed. \nIt is a principle of European data protection that personal data\nshall be deleted as soon as it is no longer needed for the purpose\n(data minimisation principle, see Article\n5(1)(c) GDPR). The following therefore discusses how long data is\nneeded for the different purposes.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5.1 Order Processing <\/h3>\n\n\n\n<p>The processing of an order usually\nends when the merchandize is packaged and sent off.  However, when\nthis has happened, the information obtained for the order processing\nusually cannot be deleted yet. The reason is that the data is\nstill needed for other purposes such as payment, customer support, or\naccounting.  The necessary storage period is therefore determined by\nthese other purposes.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5.2 Payment <\/h3>\n\n\n\n<p>Data on payment instruments is only\nnecessary until the payment has been fully received.  The data may\nhowever live on for other purposes such as customer convenience that\nstores this data for use in future orders.   \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5.3 Order Delivery <\/h3>\n\n\n\n<p>Data needed for delivery of an order\nare usually no longer needed once the shipment has arrived at the\nshipping address.  For other purposes, such as customer support, they\nmay have to be stored longer, however.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5.4 Status Notification <\/h3>\n\n\n\n<p>Contact information for the delivery\nof status notifications is no longer necessary once the merchandise\nhas been delivered to the shipping address.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5.5 Customer Convenience <\/h3>\n\n\n\n<p>Customer convenience data are only\nnecessary as long as a customer has recurring contact with the online\nshop.  
In the case where a customer has not had any contact for a\ncertain period of time (for example, a year), the data is unlikely to\nbe further used and can be deleted.  In case that the data also\ncontains contact information of the customer, a notification in\nadvance of the deletion may leave the choice of deletion to the\ncustomer.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5.6 Accounting <\/h3>\n\n\n\n<p>In particular tax laws require a\nrelatively long retention period of accounting data.  For example, in\nGermany, certain data need to be stored for 10 years.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5.7 Customer Support <\/h3>\n\n\n\n<p>Customer support typically requires\nthe storage of data initially collected for other purposes (such as\norder, payment, or shipping) beyond the life time of those purposes. \nIn particular, after delivery of the merchandize and thus the\nfulfillment of the purchasing contract, the customer must be given a\ncertain time period (for example, 3 months), in which to initiate a\ncustomer support ticket.  There may be national laws governing such\ntime periods and the rules with which the enterprise must comply.\nOnce this period has expired without opening a ticket, the data is no\nlonger required.  If a support ticket was opened, the communication\ndata that was collected in order to process the ticket can be closed\na certain period after the closure of the ticket.  \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5.8 Warranty <\/h3>\n\n\n\n<p>Data kept to support warranty can be\ndeleted after the expiry of the warranty period.  Minimal warranty\nperiods may be prescribed by law. \n<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5.9 Continuing Customer Relationship <\/h3>\n\n\n\n<p>Contact data to send informational\nmaterial to customers should not be kept indefinitely, particularly\nif consent was used as a legal basis.  
Consent should always be given\nfor a limited period of time (for example, a year) at the end of\nwhich customers can be asked to renew their consent or simply let it\nexpire.  \n<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When illustrating concepts pertaining to data protection, it is often useful to have a concrete use case at hand.  The following post therefore provides such a use case. Namely, it describes the various aspects of the processing activities of an online shop.  In particular, the aspects include the involved entities, the purposes pursued by the processing, the legal bases for the processing, the data necessary to fulfill the purposes, as well as the storage period necessary for this data.<\/p>\n<p> <a href=\"https:\/\/www.w3.org\/community\/dpvcg\/2019\/12\/12\/data-protection-aspects-of-online-shopping-a-use-case\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":456,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_s2mail":"yes","footnotes":""},"categories":[1],"tags":[],"class_list":["post-17","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.w3.org\/community\/dpvcg\/wp-json\/wp\/v2\/posts\/17","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.w3.org\/community\/dpvcg\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.w3.org\/community\/dpvcg\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.w3.org\/community\/dpvcg\/wp-json\/wp\/v2\/users\/456"}],"replies":[{"embeddable":true,"href":"https:\/\/www.w3.org\/community\/dpvcg\/wp-json\/wp\/v2\/comments?post=17"}],"version-history":[{"count":6,"href":"https:\/\/www.w3.org\/community\/dpvcg\/wp-json\/wp\/v2\/posts\/17\/revisions"}],"predecessor-version":[{"id":47,"href":"https:\/\/www.w3.org\/community\/dpvcg\/wp-json\/wp\/v2\/
posts\/17\/revisions\/47"}],"wp:attachment":[{"href":"https:\/\/www.w3.org\/community\/dpvcg\/wp-json\/wp\/v2\/media?parent=17"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.w3.org\/community\/dpvcg\/wp-json\/wp\/v2\/categories?post=17"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.w3.org\/community\/dpvcg\/wp-json\/wp\/v2\/tags?post=17"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}