The GDPR and Digistore24 - your questions, our answers
In this chapter we would like to answer your most burning questions about working together with Digistore24 as a vendor or affiliate.
Digistore24 and GDPR
Digistore24 has been actively dealing with GDPR since spring 2017. We do this because we value our customers’ privacy rights while ensuring that our vendors and affiliates on Digistore24 have a GDPR compliant partner.
In order to protect your company and your customer data as well as possible, we go the extra mile for you.
This means that we take all technical and operational measures needed to comply 100 percent with the requirements of the GDPR. Our approach is privacy by default, meaning data protection-friendly default settings. We offer you and your business the highest possible privacy level.
This standard applies not only to our operational and technical areas, but also to our employees. Every employee receives appropriate training to be optimally prepared for the newest requirements.
It is important to us that, as a vendor and affiliate, you can continue to rely on Digistore24 in the future. Below you will therefore find the information that matters for your collaboration with Digistore24.
Should you have any further questions that have not been answered here, please contact us via email@example.com.
GDPR and Digistore24 - Frequently Asked Questions
Do I - as a vendor - need to enter into a data processing agreement with Digistore24?
Digistore24 is not a payment service provider. We are sellers and contract partners of end customers (reseller model). We then give the customer data to our vendors to fulfill the purchasing contract. Therefore, vendors don’t have to enter into a separate data processing agreement with us. However, it is important that you enter into a data processing agreement with every third party (e.g. email marketing providers) to whom personal data is given. In addition, consent from the end customer must be obtained for all processes that lie outside of the mere fulfillment of the purchasing contract.
Do I need a data processing agreement with a third party provider?
Yes - you have to enter into a data processing agreement with every third party provider with whom you work, as you transfer your customers’ personal data to them.
Which marketing providers can I work with since the GDPR came into force?
As a general rule, an agreement must be reached with each processor as soon as you submit personal data to them. In lesson 4, we listed the key vendors who are willing to sign such an agreement with you. If your desired provider isn’t on the list, you must contact them personally and clarify whether they will enter into a corresponding agreement with you.
Do I need a data processing agreement when I use plugins?
If you use a plugin and run it on your own server (e.g. Digimember, Wishlist), you don’t need a data processing agreement as personal data is not transferred to a third party provider. However, it is important to note that in this case, an agreement must be made with the server operator as they receive personal data from you.
What should be included in your data protection policy?
Your data protection policy should include at least the following:
- Details of the controller
- Contact details
- The data protection officer’s name
- Legal basis of data processing
- Erasure periods
- Data source
- Reference to user rights
Therefore, we strongly recommend talking to your lawyer as they can create a legally compliant data protection policy specifically for your company.
What has changed relating to freebies since 25 May 2018?
The most important reform is the so-called “coupling prohibition”. Providing an email address may no longer be made a prerequisite for content, unless it is directly required for the provision of the service. In order to continue offering free content, two possibilities have emerged. Either the content is delivered by email (e.g. email course) or the customer has the option to pay for the product with money or with their email address. Consent (double opt-in) must be given in order to contact a customer by email, and exact information about the content of the mail (e.g. how data is processed) must be given. Consent obtained through the opt-in process must be stored together with the information that is sent to the customer as well as the purpose of the data processing.
What are the consequences of the GDPR for email marketing?
From now on, it is essential to obtain valid consent (double opt-in) for all email contact. In addition, be sure to collect as few details as necessary during the email signup and describe exactly what kind of newsletter will be sent to the customer. The consent obtained from the opt-in process must be stored along with the information which is transferred to the customer as well as the purpose for processing the data. For this purpose, you can also use the Digistore24 order form to obtain customer consent to send the newsletter. Please follow the steps in this guide: https://docs.digistore24.com/knowledge-base/order-form-checkbox-for-newsletter-opt-in/?lang=en
How can I obtain consent from my customers to send the newsletter on the order form?
You can now add a checkbox for newsletter opt-in on the order form. Your customers can tick this checkbox if they would like to be signed up to your email newsletter. The settings that the customer chooses here also determine how the IPN message is sent to your target system. This is how you ensure GDPR compliance.
A detailed explanation as well as a step-by-step guide on how to activate the checkbox can be found in this help article:
Where does Digistore24 host its data? What is being done to protect this data?
Our data and backups are stored on the servers of one of the most renowned hosting providers in the world. This ensures that data protection and security requirements are fully adhered to.
Who is Digistore24’s data protection officer?
Lawyer Mrs Marion Albrecht
Specialist lawyer for IT law
Tel: +49 511 547470
Fax: +49 511 5474711
Do I have to hire a data protection officer?
No. However, it is recommended that every internet company have a data protection officer, namely when it processes data regularly and predominantly.
How does it work with the WordPress plugin or promo link generator?
Do I need a data processing agreement with joint venture partners?
No. Joint venture partners don’t require a data processing agreement between one another. They are joint controllers and are in a contractual relationship with one another. Therefore, data is also allowed to be transferred.
With these 10 chapters, you have now received a quick overview of the legal changes. Through the GDPR, you have the chance to rethink and improve your business and structures, and then continue to grow at full speed.
So that you can really keep track of this important topic, we have put together another summary of all important information at the end.
This course will be updated at regular intervals.
We now wish you good luck with the implementation.