When the plugin is installed and enabled, it introduces the ability to add contents in the page (managed in Admin) where businesses can specify the purpose of collecting personal information of the user. It has mentioned in the GDPR guidelines that the user should be informed why their personal information is being collected and how these will be used. In standard configuration of nopCommerce, the personal information constitutes of – first name, last name, email address, date of birth, gender, addresses (shipping and billing) and IP address. Some businesses might have customised the registration pages to capture additional personal information and those also need to be protected as per the guidelines.

The plugin also replaces the generic consent (newsletters) with an ability to provide specific consent for all purposes of communication to the user. The business can specify as many items of consents (managed in Admin) and by default the tick boxes will be un-ticked. These enhancements in the Registration page comply with the following guidelines of GDPR (ref. ICO website- ico.org.uk)

• Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
• Explicit consent requires a very clear and specific statement of consent.
• Keep your consent requests separate from other terms and conditions.
• Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
• Be clear and concise.
• Name any third party controllers who will rely on the consent.

The plug-in also enables the feature of nopCommerce by which user registration need to be authenticated by the user. At the time of registration, the user will receive an email to verify the user registration. Until then the user status will be InActive.

nopCommerce has in-built feature of enabling the cookies as per the European Cookies law. This plug-in switches this feature on.

The plugin will introduce the following sections in the My Account Page:

2.1 Consent:
In this section, the users can view what consents they had provided at the time of registration. They can change the consent at any time.

2.2 Consent history:
Whenever user provide a consent or changes it, on save, the audit trail of all changes are maintained. The user can view the content history.

2.3 Communication from this store:
nopCommerce sends emails to the user at different stages of order. All these emails are maintained in the ‘message queue’. Users can see the log of all this communication and view the messages in this section of Manage My Account page.

2.4 Communication from other source:
The plug-in also includes a feature by which the information related to all the email communication sent from other systems (such as MailChimp) can be maintained in nopCommerce (by Admin). This section of My Account Page enables users to view the log of such communication. This will help the users to link every communication received from your business with the consent they have provided.

2.5 Delete my personal info:
The GDPR guidelines define the right to erasure, also known as ‘the right to be forgotten’. As per these guidelines user should be provided with an ability to request the deletion of their personal information from the business system. The plug-in adds a functionality to the nopCommerce front-end by which user can directly process the deletion of their personal information. On clicking the button ‘Delete my personal info’, user is presented with relevant information on the deletion. If the user wants to proceed with deletion, the system will generate a token code, which the users can save in case they want to re-activate their user. This deletion feature will delete only the personal information of the user (including the email log) but will preserve their order transaction history and all other details. The database fields related to personal information will be updated with null value in the customer table. The transactions and other data can only be identified by the user id (primary key of the customer table). User status will be changed to InActive and users will not be able to login again. If the customers want to reactivate their user in the system, they have to contact the business and provide the token code. If the token code matches, the business will then ask for their personal information, save in the system and user will be reactivated. All user transactions and their consent history will be linked again.

In the standard configuration, this feature will delete the following information from the database:

- Gender

- First Name

- Last Name

- Date of Birth

- Email Address (which is also the userId)

- IP Address (which is automatically populated and visible to Admin)

- Addresses (shipping and billing addresses, added by the users at the time of checkout)

- Communication Log (emails contain personal information)

2.6 Download my personal info:
This feature enables the user to download their personal information in PDF or CSV format.

2.7 User Profile History:
Every time the users change their personal information, the audit trail is maintained (with date and time stamp) and can be viewed in this section of My Account page.

When the plugin is installed and enabled, it introduces a section (menu item) GDPR in the Admin section of nopCommerce. This enables the admin users to configure the GDPR related settings.

3.1 Consent

3.1.1 Create consent:
Admin can add and edit Consents. If a consent is no longer valid and should not be shown in the front-end, it can be switched to In-Active.

3.1.2 Consent status by user:
Admin can view the audit-trail of all the consents provides (or denied) by any user (filter on User Name and address). Admin can also filter the ‘current granted consents’ of users. There is a feature to download the data in excel.

3.1.3 Consent status by consent:
Admin can view the audit-trail of all the consents provides (or denied) by filter on the Consent. Admin can also filter the users by current granted consents, which might be required when Newsletters etc. to be sent out. There is a feature to download the data in excel.

3.2 Content Management:
This plugin adds content sections in the Registration Page and My Profile Page. These contents are maintained in topic pages. The Content Management section of the GDPR menu provides short cuts to these topic pages where Admin can modify and manage such contents.

3.3 Delete user info:
This feature works similar to the Delete My Personal Info feature of front-end (section 2.5 above). Here admin can delete the personal information of any user.

3.4 Reactivate user:
This functionality enables the Admin to reactivate the user. If the customers want to reactivate their user in the system, they have to contact the business and provide the token code. The admin inserts the Token Code. If the token code matches, the Admin will then ask for their personal information, save in the system and user will be reactivated. All user transactions and their consent history will be linked again.

3.5 External communication:
In this section, the admin can manage the information related to the communication sent to users from external applications such as MailChimp. The purpose of this feature is just to keep the users informed of the communication they are receiving from the business and how that is related to the consent they have provided. Admin will store only the basic information about the confirmation, e.g. email subject and date on which emails were sent. The admin can link the campaign to one of the Consents which are already in the system. The Admin can upload the list of email addresses of users to whom the emails were sent so that the information about this external communication can viewed by those users in their My Profile section. In future, we can enhance this feature to directly connect the third-party systems (such as MailChimp) to nopCommerce so that this information is automatically populated.

3.6 Breach Notifications:
As per GDPR guidelines, “The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible”. This feature enables the Admin the send such notifications to the users. The email template is used to compose the breach notification email and then Admin can select the users to whom the notifications is to be sent.

3.7 User Profile History:
Every time the users change their personal information, the audit trail is maintained (with date and time stamp) and can be viewed in this Admin section.

UnZip the downloaded file. It has further zip files for different versions of nopCommerce.

For nopCommerce Version 4.0

1. Go to Configuration -> Plugins and click the Upload plugin or theme button

2. A popup will appear asking you to choose a file to upload. Click on the Choose File button, navigate to the downloaded zip file (GDPRV1.1_NOP4.0.ZIP) and select it.

3. Click on the Upload plugin or theme button

4. Find GDPR plugin and click Install.

5. Your plugin is now installed and ready to be used.

For nopCommerce Version 3.7, 3.8 and NOP 3.9

1. Upload the plugin to the /plugins folder in your nopCommerce directory (please ensure that you upload the correct file, depending upon your version of nopCommerce. For 3.7 the file is GDPRV1.0_NOP3.7.ZIP, for 3.8 the file is GDPRV1.1_NOP3.8.ZIP and for 3.9 the file is GDPRV1.1_NOP3.9.ZIP)

2. Restart your application (or click 'Reload list of plugins' button).

3. Scroll down through the list of plugins to find the newly installed plugin.

4. Click on the 'Install' link to install the plugin.

5. Note: If you're running nopCommerce in medium trust, then it's recommended to clear your \Plugins\bin\ directory

• In case if the user installed the plugin several times and one version of it was incomplete the Content management subsections won't be doubled.
• While updating the consent, pressing "Save" button the log of email communication is picking the date in "UTC", in next release it will pick the local machine time.
• If Admin deletes the user info and save the token id and reactivate it after that, the updated info will be simply saved in the database, but if the admin changes the customer settings (i.e. tick some required fields) the info won't be stored in the database.

• In case if the user installed the plugin several times and one version of it was incomplete the Content management subsections won't be doubled.
• While updating the consent, pressing "Save" button the log of email communication is picking the date in "UTC", in next release it will pick the local machine time.
• If Admin delete the user info and save the token id and reactivate it after that, the updated info will be simply saved in the database, but if the admin changes the customer settings (i.e. tick some required fields) the info won't be stored in the database.

Q. What is the GDPR?

A. The General Data Protection Regulation is a new, European-wide law that replaces the Data Protection Act 1998 in the UK. It places greater obligations on how organisations handle personal data. It comes into effect on 25 May 2018.

Q. Where can I find detailed information on GDPR?

A. There is a lot of information available on the internet. You may refer to these websites:

• ICO: Guide to data protection
• Data Protection Commissioner: GDPR

Q. Do I need to comply with GDPR if my business is not located in any of the EU countries?

A. The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.

Q. What information does the GDPR apply to?

A. The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

Q. My company employs fewer than 250 people. Am I exempt from the GDPR?

A. You’ll have to comply with the GDPR regardless of your size, if you process personal data.

Q. What will the penalties be for failing to comply with GDPR?

A. The GDPR have introduced a tiered approach to fines, meaning that the severity of the breach will determine the fine imposed. The maximum fine a company can face is 4% of their annual global turnover, or €20 million, whichever is the highest. Less serious violations, such as having improper records, or failing to notify of any breaches, can be fined a maximum of 2% of their annual global turnover, or €10 million.

Q. Does GDPR impact the e-commerce business

A. Yes it does. Usually in e-commerce we collect personal information of customers are the time of Registration, shopping basket or checkout.

Q. Does this plugin for nopCommerce will make by application/business fully GDPR complaint?

A. Not necessarily. The GDPR guidelines are very comprehensive. You will need to follow the guidelines across all your business functions, get your processes audited by experts and do the gap analysis. This plugin enhances your nopCommerce based applications and incorporates a number of features that helps you to comply with a majority of the GDPR guidelines.

Q. How will this plugin work if I am using third party themes or if I have customised my pages?

A. You may need to adjust the CSS of your pages to include the features of this plugin. The plugin makes changes only in Registration and My Profile pages. If you collect additional (personal) information from the customers, that need to be included in the design and code of plugin. In such cases we recommend you to purchase the Source Code of this plugin and make required changes. Alternatively, we can work with you to do these changes in your application.