GDPR compliance in WinShop SQL

GDPR in general

GDPR = Directive REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

The GDPR will affect anyone who collects or processes Europeans' personal data, including companies and institutions outside the EU that operate in the European market.

The regulation targets companies, institutions and individuals who handle personal data - employees, customers, clients or suppliers - across segments and sectors. It will also affect those who track or analyse user behaviour on the web, when using apps or smart technologies. The GDPR aims to protect the digital rights of EU citizens.

The GDPR will apply uniformly throughout the EU from 25 May 2018. In the Czech Republic, it will replace the current personal data protection legislation in the form of Directive 95/46/EC and the related Act No. 101/2000 Coll., on the Protection of Personal Data. The rights and obligations in the current Data Protection Act will be replaced by the rights and obligations under the General Regulation. After its amendment, the Data Protection Act will only regulate certain aspects related to the Data Protection Authority (e.g. its establishment, organisation, etc.) and certain sub-issues necessary to complete the overall framework of personal data protection which are not regulated by the General Regulation or which the General Regulation allows to regulate at national level. For some aspects, the General Regulation even foresees national regulation. These include, for example, aspects of the processing of personal data for the exercise of freedom of expression, the right to information, freedom of scientific research and artistic creation.

Until now, the main Czech regulator in the field of data protection has been the Office for Personal Data Protection (ÚOOÚ), which should remain in this function. However, it will be given powers reflecting the seriousness of the reform and will be partly subordinated to the European Data Protection Board (EDPB). If there is then any doubt about the decision of the Czech regulator, there will always be the possibility to appeal to the EDPB

Role of WinShop software s.r.o.

To enable Winshop SQL operator to set up and ensure compliance with the provisions of R**EGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 **on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. In this context, it will be necessary to revise the existing service support contract between Winshop software and the operator to regulate the mutual relationship related to this issue.

Role of Winshop SQL system operator (user)

For WinShop system operators (in terms of the provisions of the GDPR, it is a personal data controller), the new versions of WinShop system are prepared with modifications that will allow to individually configure and reduce access to personal data only to authorized users who have a legitimate interest in handling, viewing, editing, working with a reduced list of personal data of natural persons that they need due to their work duties.

Personal data recorded in Winshop SQL system

WinShop system works with customer, supplier and customer dials in its databases. In the event that the records of these dials include natural persons, such records must be handled in accordance with the GDPR. WinShop system allows the following Personal Data to be recorded in its dials for natural persons:

  • name and surname
  • address, residence, delivery address
  • date of birth, birth number
  • photographic record
  • e-mail address
  • phone number
  • registration number, VAT number, ID card number
  • BN (birth number)
  • related recorded documents (especially information on individual purchases)

Winshop SQL system settings

Winshop Sql General Settings

Within Winshop SQL, the GDPR regulation only applies to natural persons, so it is very important for the user of Winshop SQL to mark individual customers (suppliers, customers, etc.) as a natural person (see picture), otherwise the restrictions and system settings will not affect them.

If the customer is identified as a natural person, it is necessary to determine whether the processor has a valid authorisation to record personal data with the customer. The GDPR authorised consent checkbox on the customer's card is used for this purpose. If this field is not checked, then regardless of the rights and settings of the GDPR templates, the system will not display the customer's data (it will be possible to search „blindly“). If the field is checked, i.e. the processor has consent to process personal data for a specific individual, then Winshop SQL users will see his/her data according to the permission settings of their GDPR templates (see below).

GDPR ADMIN user account

There is a new GDPR ADMIN right in the user rights:


checking which will give the user access to the admin section of the GDPR permission settings:


Creating GDPR templates

In the section STORE -> System -> GDPR -> Access Template Administration, users with GDPR permissions can create, modify and delete access templates.


GDPR rights templates, by their settings, allow assigned users to operate on individuals' data according to the template definition. It is therefore possible to set up custom templates for individual user groups with different types of permissions (action types = creation, modification, deletion, visibility, permanent deletion from the database, reason for access) to individual items of personal data in the user codebook listed above. Specific Winshop SQL users are assigned to each template and thus the respective GDPR rights are defined for them in the system. The items (fields for the contact) subject to GDPR are delivered in Winshop version, it is not possible to add them user-specifically, their addition will always be integrated into the new version of Winshop SQL.


Unassigned users to templates

Users who are not assigned to one of the GDPR templates by the administrator will be authenticated by the system but their GDPR permissions will be without access to the data. This also applies to service access by Winshop SQL employees.

Addition of standard Winshop SQL user rights

User rights have been added to the GDPR right to copy datagrids.


Users will be forbidden by default to take a data print using the CTLR+A and CTRL+C keyboard shortcuts, and will not be allowed to manually copy datagrids to other MS applications (Excel, Word, etc.)

Furthermore, the user rights have been supplemented with the right to export data. Users without a link to a template with the appropriate permissions cannot export the record(s)/recordings/printout report to other systems.

New licensing policy

The GDPR solution is conditional on the installation of a new version of Winshop SQL with the GDPR READY label on all backoffices and all cash registers. In order to prevent any unauthorized access to GDPR sensitive data through different older versions of Winshop SQL, we are unifying the licensing policy and therefore the functionality of Winshop SQL in relation to a specific PC - i.e. the functionality will be limited to customer-defined and Winshop-registered PCs. Any reinstallations or new installations will have to be reported in advance to Winshop helpdesk or administration department, where the PC address will be scrapped / replaced / a new one registered. It will not be possible to run Winshop SQL GDPR READY on an unregistered PC. All versions of GDPR READY will be available from 25.5.2018. In the future, we are planning a user tool to move the free license to another PC.

The specific price of the upgrade to the GDPR READY version and other costs (training and setup assistance recommended by us) will be agreed with our sales department upon your request.

New WINSHOP SQL functionality

Logging access to sensitive data

Winshop SQL GDPR READY logs all accesses to GDPR sensitive data. The subject of the log is among others: date+time, user and PC identification, description of the action, type of action (insertion, data visibility, editing, deletion, request validity, etc.)

Logging and automatic reporting of unauthorized accesses

In cases of an unauthorized request (see previous point) Winshop SQL will automatically send an email to the GDPR Administrator with a warning that an unauthorized access to GDPR sensitive data has been attempted.

Enabling the permanent deletion of personal data from the database - the right to be forgotten

One of the fundamental GDPR rights of the customer - natural person is the right to be forgotten. In Winshop SQL GDPR READY application on the customer tab, selecting right mouse - apply right to be forgotten will permanently and irreversibly overwrite the GDPR sensitive data so that the customer can no longer be identified.

The erasure-overwriting of data is carried out to the extent that it corresponds to a legitimate higher interest (tax documents, compulsory records of state institutions and statutory records)

Communication encryption/security - inter-server data transfers.

Encryption of data transmissions is not a necessary condition to ensure compliance with the GDPR. Regardless of the necessity of the condition, Winshop SQL has provided operators with a VPN connection option, so it is up to the operator whether or not to take advantage of this offer. In case you require such communication, please contact our sales department.

External database connection / external excel reports and contingency tables

External database connections outside of Winshop SQL cannot be monitored through Winshop SQL. Access to data is always protected by a username and password that is stored in the database with rights to see GDPR sensitive information. It is therefore up to the provider to decide which users they provide this username and password to, and therefore who will have access to such data. Winshop SQL strongly recommends a restriction on the provider side in the form of an internal regulation.

Service organization access at the SQL Server level

Each WinShop service support employee has unique access to the database of the assigned client with a valid service contract, with which they perform all service interventions, always only upon request and with the client's knowledge. Service support staff are trained and familiar with the internal directive that sets out the rules for providing service interventions in accordance with the provisions of the GDPR regulation and must make a manual log entry (via Winshop SQL application) to comply with the information obligation.