Customer Personal Data Erasure
Right to Personal Data Erasure
Customers must enter their personal data to place an order for products in the cart.
Personal data includes any information that allows an individual to be identified: name, surname, email, address, phone number, and payment data.
The collection, processing and storage of personal data take into account the local and international laws and regulations of the countries where Noventiq is present.
Personal data protection laws aim to protect such data, and are intended to empower customers to control how their data is being used by third parties.
The laws of different countries give customers who are natural persons the right to request deletion of their personal data. In most cases, the company is obliged to erase such data. Exceptions include cases where the purpose of processing the personal data has not been completed, e.g., the offer agreement terms are not fully met, or where documents must be retained for taxation and accounting purposes in accordance with the law.
Here are the personal data protection laws used in several countries where Noventiq Checkout is present:
- European Economic Area: General Data Protection Regulation, or GDPR of 27 April 2016.
- Brazil: Lei Geral de Proteção de Dados Pessoais, or LGPD of 16 August 2020 (General Data Protection Law with penalties applicable since 1 August 2021).
- Russian Federation: Federal Law of 27 July 2006 No. 152-FZ on Personal Data.
- Ukraine: Law No. 2297-VI of 1 June 2010 on Protection of Personal Data.
Personal Data Collection
When placing an order, the customer transfers their data that is then used to pay for the order, obtain license information and deliver it to the customer.
In some cases, the data transferred can also be used for marketing communication, e.g., newsletters.
The form fields for collecting customers' data depend on the customer type (natural/legal person), the delivery method (electronic/physical), and the payment method. Regional differences are also taken into account. E.g., in some countries customers have to enter their VAT Number (NIP), which is required for correct order taxation.
No excessive information is requested.
Personal Data Processing
Processing of personal data is carried out on a lawful basis in relation to applicable laws. In some regions, the customer must give consent to personal data processing when placing an order (otherwise, no order can be placed). The consent text is pre-prepared for the cart. If necessary, it is possible to make adjustments to the text for a particular cart.
The text of the consent line is defined separately for natural and legal persons. The text content also depends on the sales region.
In some cases, additional options may be needed to customize the consent text line.
- An account is automatically created for the customer on your server when license information for their order is generated.
- The customer is offered a subscription to the newsletters of your website.
- Changing consent text for products.
  If there is a specific product in the cart, a different consent text line can be displayed for it. The text will take into account all the characteristics of this product.
- Customizing checkbox display next to consent.
  By default, a checkbox is displayed next to the consent text line. The checkbox must be enabled to continue the order placement process. It is possible to:
  - Hide the checkbox (in this case, the text of the consent line must be rephrased, for instance: "continuing the order placement, I agree…").
  - Set a default checkbox value (enabled/disabled). This setting can be made separately for the customer type and the sales region.
- Obtaining additional consent (optional).
  Displays a second consent line when placing orders. This second line is optional, i.e. the customer can finish the checkout process even if they have not confirmed their agreement with the text of the consent line. This functionality can be used, for instance, to obtain agreement to subscribe to email newsletters.
Personal Data Erasure (Data Anonymization)
One of the fundamental rights any customer has is the right to personal data erasure.
Personal data laws in the countries where Noventiq is present give customers the right to request deletion of their personal data from the systems of Noventiq:
- GDPR – articles 12, 17, recitals 59, 65-66;
- LGPD – articles 5, 16, 18;
- 152-FZ – clause 2, article 9;
- No. 2297-VI – subclause 11, clause 2, article 8.
- Customers who are natural persons and place at least one order through Noventiq.
- Customer's personal data, including payment data (card number mask, validity period, type, subtype).
- When personal data is erased, the subscription gets cancelled (AR, PMR). For subscriptions having automatic license renewal (AR), the customer will receive a standard email containing a cancellation notice.
Data erasure results:
- The customer's orders remain in the system, but with anonymized personal data.
- After erasure, the customer's personal data in the order is replaced with the deleted value. The data is displayed this way when orders are exported or when order information is retrieved through the API. No order refunds take place.
- Erased customer data cannot be recovered.
- After erasure, the customer can place a new order in the cart (in this case, they will need to provide consent to personal data processing).
Here is the result of personal data erasure using the example of how an order is viewed via the ESupport portal.
Please note that the record about the customer's data anonymization is added to the order change history: 02.07.2021 09:38 - Personal data is anonymized
Actions when Receiving Requests to Delete Data
If the customer sends you a request to delete their personal data, you have to:
- Conduct an audit of all the personal data this user provided to you.
- Erase the data whose processing purposes have been fulfilled.
- Inform all the third parties (including Noventiq), to whom this data is transferred, about the receipt of the user's request for personal data deletion.
You have to contact your account manager (or write to firstname.lastname@example.org) to notify Noventiq of such user requests.
If the customer sends a request to delete their personal data to Noventiq, then Noventiq:
- Conducts an audit of all the personal data this user provided and erases all the data whose processing purposes have been fulfilled.
- Informs you about the receipt of the user's request.
Next, you have to process the request on your side and inform Noventiq about the result obtained.