GDPR compliance in WinShop Std.
Implementation of modifications and new rules in WinShop Std. business system and services provided by WinShop software s.r.o., which ensure compliance with the provisions of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as GDPR).
Changes in WinShop Std.
WinShop Std. system works with customer, supplier and customer dials in its databases. In the event that the records of these dials include natural persons, it is necessary to handle such records in accordance with the GDPR regulation. WinShop Std. may record the following Personal Data in its dials for natural persons:
- name and surname
- address
- residence
- delivery address
- date of birth
- birth number
- photographic record
- e-mail address
- phone number
- registration number
- TAX ID
- ID (ID card number)
- BN (birth number)
- the related recorded documents (especially information on individual purchases)
For WinShop system operators (in terms of the provisions of the GDPR, this is a personal data controller), modifications have been prepared in the new versions of WinShop system to reduce access to the above-mentioned data to authorized users only. A major modification is the creation of a new right in the user dialer, which divides users with access to these dialers into users authorised to view and edit all recorded personal data of an individual and users with the ability to view only the reduced list of personal data they need to perform their job. From the point of view of WinShop system operator, these users have a legitimate interest in consulting the reduced list of personal data because of their work duties - for example, to check the data on the natural person before granting a discount or to issue a tax document with the necessary data on the natural person.
The list of necessary, displayed data about a natural person is optional and can only be set in WinShop system administration by the WinShop system administrator.
Another important modification is the possibility for users to set the "natural person" attribute when inserting or editing dial records. This attribute defines the set of subjects protected under the GDPR.
An equally important functionality in WinShop Std. system is the possibility of deleting personal data about a registered natural person at his/her request. The deletion completely removes all personal data from WinShop Std. system except for data that are subject to other laws (for example, the Accounting Act) and are necessary to meet the legal obligations of WinShop system operator. An example of this would be complete tax documents, so-called invoices, with the data of the individual customer filled in.
Users who use WinShop Std. connected to E-shop can now better work with customers who have chosen the option of ordering goods without registration when creating an order. WinShop Std. system automatically enrolled such a customer, for the purpose of order processing only, in the internal WinShop Std. records. The customer was not recorded in the E-shop records. Now such a customer is assigned the "Do not register" status in WinShop Std. system. A customer with this status is "invisible" to WinShop Std. user; his record is only for the purpose of order processing and can only be further used for the purpose of resolving complaints. Only the user with the set "ADMINISTRATOR" right has access to the data of the customer marked in this way and can only use the data in the case of the above-mentioned legitimate interest.
The customer's right to obtain information recorded about a natural person and the right to portability of recorded information to another system can be realized by pressing tl.
An integral part of the recording of personal data of natural persons is the internal logging of operations with this data in WinShop system. The logged events include mainly:
- creation of a record
- change of a record
- view of a record
- export of a record
- printing of a record
Each logged event is recorded with data about the date, time, the user who triggered the event and the reason for the operation.
Changes to the rules for providing service interventions
WinShop system operators are advised to check all registered users of WinShop system before the GDPR takes effect (25.5.2018). In case there are records in the user dialer that are not active users of WinShop system, it is recommended to delete such users for system security reasons. Existing users must be checked for their current user rights settings, especially in accordance with the above changes. In order to maintain the possibility of providing service interventions directly by WinShop customer support staff, a service user with the name "SERVIS" will be automatically created on 25.5.2018 after the version update (GDPR ready), with a password that will be generated based on the application license number and will be known only to authorized WinShop service staff. This service access will not have any permissions set to work in WinShop system. It is left up to WinShop system operator to decide whether to retain this service access to the WinShop system, set the appropriate permissions for basic WinShop system administration, and thus allow WinShop effective access to the system in the event of an authorized request, or to delete the service access from the user dialer. If the SERVIS user is deleted, WinShop service personnel will have no other access to the WinShop system.
In the case of maintaining SERVIS service access and solely on the basis of the operator's call, in the form of an authorized request, to carry out a service intervention in WinShop system, WinShop system operator acknowledges the fact that the service worker has access to such a list of personal data that corresponds to the SERVIS user's permission settings for the necessary period of time during the service intervention. Upon completion of the service intervention, the service worker shall provide WinShop system operator with a log of the operations performed and, if the service intervention included an operation with personal data, a log of operations with such data, including a list of persons whose data was handled during the service intervention.