Lesson 10
The GDPR and Digistore 24 - your question, our answers
In this chapter we would like to answer your most burning questions about working together with Digistore24 as a vendor or affiliate.
Digistore24 and GDPR
Digistore24 has been actively dealing with GDPR since spring 2017. We do this because we value our customers’ privacy rights while ensuring that our vendors and affiliates on Digistore24 have a GDPR compliant partner.
In order to protect your company and your customer data as well as possible, we go the extra mile for you.
This means that we operate all technical and operational measures to comply 100 percent with the requirements of the GDPR. Our procedure is privacy by default (privacy by data protection-friendly default settings). We offer you and your business the highest possible privacy level.
This claim is not only aimed at our operational and technical areas, but also towards our employees. Every employee receives appropriate training to be optimally prepared for the newest requirements.
It is important to us that, as a vendor and affiliate, you can continue to rely on Digistore24 in the future. Therefore, below you will find information that is important for you for your collaboration with Digistore24.
Should you have any further questions that have not been answered here, please contact us via datenschutz@digistore24.com.
GDPR and Digistore24 - Frequently Asked Questions
Erasure requests are one of the most sensitives requests for businesses. They are based on the so-called “right to be forgotten”, which is now directly enforced by the GDPR.
In the event of an erasure request, it is therefore important that you prepare and implement an erasure concept in advance. These are fixed processes by which all personal data in your company is deleted. You can legally handle requests for erasure only on this basis.
However, be aware that erasure must not only be made when a customer requests it from you. Even without a specific request, customer data must be deleted if the applicable time limits have expired. This means you always have to act regularly.
For this reason, we strongly recommend that you develop an erasure concept together with your lawyer. It is individual to you and depends on the way you handle data.
Digistore24 is not a payment service provider. We are sellers and contract partners of end customers (reseller model). We then give the customer data to our vendors to fulfill the purchasing contract. Therefore, vendors don’t have to enter into a separate data processing agreement contract with us. However, it is important that you enter into a data processing agreement with every third-party (e.g. email marketing providers) to whom personal data is given. In addition, consent from the end customer must be obtained for all processes that lie outside of the mere fulfillment of the purchasing contract.
Yes - you have to enter into a data processing agreement with every third party provider with whom you work as you transfer your customers personal data to them.
As a general rule, an agreement must be reached with each processor as soon as you submit personal data to them. In lesson 4, we listed the key vendors who are willing to sign such an agreement with you. If your desired provider isn’t on the list, you must contact them personally and clarify whether they will enter into a corresponding agreement with you.
If you use a plugin and run it on your own server (e.g. Digimember, Wishlist), you don’t need a data processing agreement as personal data is not transferred to a third party provider. However, it is important to note that in this case, an agreement must be made with the server operator as they receive personal data from you.
Your data protection policy should include at least the following:
Details of the controller
Contact details
The data protection officer’s name
Legal basis of data processing
Erasure periods
Data source
Reference to user rights
Therefore, we strongly recommend talking to your lawyer as they can create a legally compliant data protection policy specifically for your company.
The most important reform is the so called “coupling prohibition”. The specification of an email address may no longer be used as a prerequisite for content, unless it is directly required for the provision of the service. In order to continue offering free content, two possibilities have emerged. Either the content is delivered by email (e.g. email course) or the customer has the option to pay for the product with money or with their email address. Consent (double opt-in) must be given in order to contact a customer by email and exact information about the content of the mail e.g. how data is processed must be given. Consent obtained through the opt-in process must be stored together with the information that is sent to the customer as well as the purpose of the data processing.
From now on it is essential to obtain valid consent (double opt-in) for all email contact. In addition, be sure to collect as few details as necessary during the email signup and describe exactly what kind of newsletter will be sent to the customer. The consent obtained from the opt-in process must be stored along with the information which is transferred to the customer as well as the purpose for processing the data. Therefore you can also use the Digistore24 order form to obtain customer consent to send the newsletter. Please follow the steps in this guide: https://docs.digistore24.com/knowledge-base/order-form-checkbox-for-newsletter-opt-in/?lang=en
You can now add a checkbox for newsletter opt-in on the order form. Your customers can tick this checkbox if they would like to be signed up to your email newsletter. The settings that the customer chooses here also determine how the IPN message is sent to your target system. This is how you ensure GDPR compliance. A detailed explanation as well as a step-by-step guide on how to activate the checkbox can be found in this help article: https://docs.digistore24.com/knowledge-base/order-form-checkbox-for-newsletter-opt-in/?lang=en
Our data and backups are stored on the server of one of the most renowned hosters in the world. This ensures that data protection and security requirements are fully adhered to.
Lawyer Mrs Marion Albrecht
Specialist lawyer for IT law
activeLAW lawyers
Hans-Böckler-Allee 26
30173 Hannover
Email: datenschutz@digistore24.com
Tel: +49 511 547470
Fax: +49 511 5474711
No. However it is recommended for every internet company to have a data protection officer. Namely, when it processes data regularly and predominantly.
If you use the Wordpress plugin or promolinks, you should mention this in your privacy policy. For this purpose, we have created sample texts which you can see at the end of our data protection agreement.
No. Joint venture partners don’t require data processing between one another. These are joint controllers and are in a contractual relationship with one another. Therefore, data is also allowed to be transferred.
With these 10 chapters, you have now received a quick overview of the legal changes. Through the GDPR, you have the chance to rethink and improve your business and structures, and then continue to grow at full speed.
So that you can really keep track of this important topic, we have put together another summary of all important information at the end.
This course will be updated at regular intervals.
Follow us on Facebook to keep up to date with any course updates.
We now wish you good luck with implementation
Downloads / Learning materials
Final checklist for the changeover
Overview Lectures
Switch quickly and easily to all lessons of the course.
We would like to expressly point out that this online course in no way replaces legal advice from a specialist lawyer and has no claim to correctness or completeness.
