How To: Use the GDPR Compliance Add-on

Step 1. Install and Configure the Add-on

  1. In the Administration panel, go to Add-ons → Manage add-ons.

  2. Find the GDPR Compliance (EU) add-on and click Install next to it.

    The GDPR Compliance add-on first appeared in CS-Cart and Multi-Vendor 4.7.4.

  3. Once the add-on is installed, click on its name to open the add-on’s settings.

  4. On the General tab you’ll find the following settings:

    • Cookie consent—determines if customers will be notified about cookies, and whether or not they’ll have to accept the use of cookies before being allowed to use the site.

      • None—customers won’t be notified at all that the web-site uses cookies.

      • Implicit—customers will see an unobtrusive pop-up notifying them that the web-site uses cookies. Depending on what pages the customers visit, cookies may be set on their devices without their prior approval.

      • Explicit—before a customer can enter the web-site, he or she will see a page with the information that the web-site uses cookies. Customers must give their consent before they can proceed to see the site. That way no cookies are set on customers’ devices before the consent is given.

        Note

        The ability to ask for explicit consent for the use of cookies first appeared in version 4.8.1. Until then, store owners could only ask for implicit consent under Settings → Security settings in the administration panel.


    The add-on’s settings also have the GDPR tab; there you’ll be able to choose where to show the notifications about personal data processing, and edit the texts of those notifications. We’ll do it later, in step 3.

  5. Click Save.
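    The Explicit setting above promises that no cookies reach a visitor’s device before consent is given. The following audit helper, an added example that is not part of CS-Cart or this documentation, checks that promise against captured first-visit response headers; the consent cookie name and the sample headers are constructed placeholders, not CS-Cart’s real values.

```python
"""Offline audit for the add-on's Explicit cookie-consent mode.

Added example, not CS-Cart code. It inspects raw HTTP response headers,
so it can run against captured responses (constructed samples below)
or against headers taken from a live fetch of the storefront.
"""
from http.cookies import SimpleCookie

# Assumed name of the cookie that records consent. The real cookie name
# is not given on the page, so this is a placeholder.
CONSENT_COOKIE = "cookie_consent_placeholder"


def set_cookie_names(headers):
    """Return the names of every cookie a response tries to set."""
    names = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)          # parses "name=value; Path=/; HttpOnly"
        names.extend(jar.keys())
    return names


def cookies_before_consent(headers):
    """Cookies set on a first visit where no consent cookie was sent.

    The consent cookie itself is the only one that may legitimately be
    set at this point; anything else returned here is a finding.
    """
    return [n for n in set_cookie_names(headers) if n != CONSENT_COOKIE]


def audit(mode, first_visit_headers):
    """Map the Cookie consent setting to the behaviour it guarantees.

    Returns (ok, findings). Only Explicit promises no cookies before
    consent; None and Implicit may set cookies on the first page load.
    """
    findings = cookies_before_consent(first_visit_headers)
    if mode == "Explicit":
        return (len(findings) == 0, findings)
    return (True, findings)


# Constructed sample: a first GET that still sets cookies before consent.
SAMPLE_FIRST_VISIT = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "currency=EUR; Path=/"),
]

if __name__ == "__main__":
    ok, findings = audit("Explicit", SAMPLE_FIRST_VISIT)
    print("Explicit mode OK" if ok else f"set before consent: {findings}")
```

    Feed it the headers of the very first response a new browser session receives; a clean Explicit result means only the consent cookie (or nothing) is set until the visitor accepts.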

Step 3. Check and Update the Privacy Notices

The settings of the GDPR Compliance (EU) add-on have the GDPR tab. It contains the list of places where checkboxes for requesting consent will be displayed. For each place, you can choose whether or not you want a checkbox for requesting consent to appear.

The notices about personal data processing can be edited separately from each other.

Every checkbox for requesting consent is accompanied by a notice about personal data processing. The texts of these notifications and checkboxes can be accessed and edited separately from each other. These texts are in fact language variables, so the same rules apply when you translate or edit them.

The texts may have [email] or [company] in them. These are placeholders that will be automatically replaced with actual data when customers see the notifications.

If you only have one storefront (or if you use Multi-Vendor), the data for the placeholders will be taken from Settings → Company. If you have multiple storefronts in CS-Cart, then the data will be taken from the settings of the storefront that a customer visits:

  • [company] will be taken from Company name.
  • [email] will be taken from User department e-mail address.

We tried our best to make the default personal data processing notifications as informative as possible. However, we can’t guarantee that they fully comply with the GDPR, especially since the practices regarding personal data differ in every company. That’s why we ask you to review and edit these notifications as you and your lawyers see fit.

Hint

If you don’t want the notification to be too long, add a link to your Privacy Policy to all of them, and describe everything in the Privacy Policy. However, we can’t guarantee that this practice is GDPR-compliant, so you’d have to consult your lawyer regarding this.

Step 4. See How the Add-on Works

  1. Check the storefront. Make sure that the notifications about personal data processing appear in every place where you collect personal data.

    A notification about personal data processing on the storefront.

    For example, the add-on doesn’t automatically add notifications about personal data processing to forms created with Form Builder. That’s because the checkbox can be created via the Form Builder itself.

    In that case the consent for personal data processing won’t be stored in the database, but rather in an email you receive, alongside the data that the customer may have provided via the form.

  2. Test the workflow of granting consent. Register as a new customer and give consent for personal data processing in various places. If you completed the optional step 2, try using the buttons for requesting personal data or the removal of data.

  3. Open your database to see the consent logs in the cscart_gdpr_user_agreements table.

    A table in the database that stores customers' consent for personal data processing.

  4. As an administrator, try exporting personal data and anonymizing a customer.

    Note

    Customers would have to contact you to request their personal data or anonymization. For example, they can do it via email that you provide in the notices about personal data processing in step 2.

    The personal data of a user in the admin panel.

Step 5. Make Sure You Comply with GDPR

The add-on by itself won’t make you GDPR-compliant. We recommend familiarizing yourself with the GDPR and looking into other measures that you may need to take.

For example, you may want to review and update your legal documents to address the requirements of the GDPR. For your online store, those documents could be:

  • Privacy Policy. It exists by default under Website → Pages in the Administration panel, unless you have deleted it. You can edit it like any other content page in your store.
  • Terms of Service. They appear at checkout if you ask customers to agree to terms & conditions during checkout under Settings → Checkout. The text can be edited under Administration → Languages → Translations in the following language variable: terms_and_conditions_content.