The GDPR affects everyone who processes personal data of EU citizens: Online retailers as well as brick and mortar retailers, service providers, social clubs, bloggers, etc. It is also relevant for actors outside the EU when they offer services and goods here. All trade and purchasing associations have therefore been working intensively on the topic for months and are currently giving their members active support in the implementation of the new data protection regulations - the Intersport Association, which was also surveyed, was therefore unable to comment by the editorial deadline
Anyone listening to data processing first thinks of digital data and sees online trade as the first duty. But that's not true. "Even purely stationary retailers have to deal with the regulation, as personal data is also processed and stored in purely stationary companies," says Peter Gerleit, head of the legal department of the Anwr Group, parent company of Sport 2000, which includes customer data - such as regular customer cards - as well as the data of employees and applicants. Stationary retailers must also check whether a data protection officer must be appointed.
The relevance of the regulation becomes even clearer for stationary retailers who have installed video surveillance in their stores - whether for security reasons or to be able to measure customer behavior in the store. How this form of customer tracking and profiling can be carried out in the future has not yet been conclusively clarified.
In addition to the points mentioned above, it is particularly important for online merchants that "the data protection declaration on the website is adapted to the regulations of the GDPR and the new BDSG," explains Perter Gerleit. Also important is the declaration of consent when sending out newsletters, where in future the recipient will demonstrably have to give his consent if the company wants to continue to send him newsletters. The recipient must also be informed that he/she has a right of withdrawal and must be informed of the purpose for which the data is processed. In the absence of such consent, no messages may be sent.
Anyone who makes mistakes in the data protection declaration on the website and in the newsletter distribution list bears the highest risk, because these areas are easy to check. At the same time, the changes are comparatively easy to implement. And what about mail? "We assume that no special consent is generally required for direct postal marketing," the lawyer continues.
As a matter of principle, in future everyone will be accountable for compliance with data protection regulations. In order to be able to prove this, experts recommend that all data protection-relevant processes and protective measures be documented in detail
The right to data transfer is new. Georg Grünhoff, lawyer and data protection expert at Handelsverband Deutschland (HDE) e.V., explains that "customers have the right to obtain the data concerning them in order to take them with them to another provider.” A customer may also request the deletion of his data and obtain information about which data is collected. Although it is unlikely that in practice many customers will make use of the right to data portability in connection with loyalty cards, "retailers must be technically capable of carrying out a transfer of loyalty cards at the customer's request," says Grünhoff. A customer may also demand the deletion of his data and obtain information about which data is collected.
In addition, all data processing processes adhere to the principle of data economy, which has now become important. Thus, only those data may be collected which are necessary for the specific processing.
Strictly speaking, this is only the e-mail address for subscribing to the newsletter. Data requested in the background must also comply with this principle of economy. This makes it almost impossible to collect the IP address, experts say.
It is already becoming apparent that the legal evaluation of customer tracking online and offline is controversial. "The data protection supervisory authorities have just adopted a position that requires consent for online tracking from 25 May," says Georg Grünhoff of the HDE. However, it is still unclear whether this also applies to offline tracking. Offline tracking means the recording of smartphones in stores using frequency measuring devices or WLAN.
This enables retailers to measure how customers move across the sales floor, where they stop and for how long. Modern systems can even interpret facial expressions. These tracking technologies are supported by many merchants precisely because they help stationary retailers to catch up with online trading, which is much more advanced in terms of customer analysis. If the consumer's consent were also required for offline tracking, this could be the end of such measurement methods. Grünhoff: "From the HDE's point of view, consent for offline tracking is hardly to be obtained in practice".
Doing nothing can be expensive: Serious violations could result in fines of up to four percent of annual sales or up to 20 million Euros. In the case of moderately serious violations, half is still due. “Sales-based penalties for retailers with their low margins are particularly critical," says Georg Grünhoff. No wonder, then, that the new regulation is currently worrying many people.
If an infringement is discovered, the persons concerned must be notified. Whether the fines will then actually be imposed in such a drastic manner remains to be seen. But nobody should take the chance. It is clear that the Regulation leaves many practical questions open for the application of the new rules, which should only be clarified in the coming months and years by the supervisory authorities and the judiciary.
The new regulation was drafted with regard to the large international data processors à la Amazon, Facebook, Google, Apple, etc. Especially the free social networks earn their money by collecting and evaluating user data ("data is the new gold"), they have long been required to regulate more strictly.
However, the GDPR now pushes sweat beads onto the forehead of all those who process data and binds many resources in the process. The fact that the regulation is not always clear is seen as particularly problematic; there are many legal uncertainties that require considerable consultation. At the moment this is more of a hindrance than helpful for the trade. In the long run, however, this will be clarified.
Although the regulation is still causing problems at the moment, it is an investment in consumer-retailer confidence. In view of the current data scandals, this is more important than ever.