Customer rights
According to European privacy regulation, people have various rights that data controllers are required to respect. In the context of your relationship with customers, they may at any time exercise their rights:
Note
This documentation is written for informational purposes only and does not constitute legal advice. Please contact your legal counsel to receive adequate legal advice.
Data rectification
Right
A customer has the right to obtain rectification of their personal data if it is inaccurate with respect to the purposes for which it is processed.
How to proceed
If the customer is registered and the data to be rectified consists only of the billing address, the customer can edit it themselves by logging in to the site; alternatively, you can edit it in the relevant record in the admin.
If the data instead concerns a document, such as an order, then you can correct it in the admin under the Sales section.
If the customer wants to change their email address, then you can modify it in the customer record and, where applicable, in the associated documents as well.
Before changing the email address, however, you should make sure the customer is who they claim to be (for example by sending a confirmation request email to the old email address) and that the new email address belongs to them (for example by sending a confirmation request email also to the new email address).
When data should not be rectified
Data should be rectified only if inaccurate with respect to the processing being carried out.
For example, if the processing of data has the purpose of legally maintaining an invoice, you might not be required to rectify this data because changing it would make it inaccurate with respect to the invoice already communicated to the tax authority.
For example, if a customer asks you to rectify a shipping address of an order already shipped, you might not be required to change it because the change would make it inaccurate with respect to the address to which it was actually shipped.
In any case you should always consult your legal counsel.
Withdrawal of consent
Right
A customer has the right to obtain the withdrawal of previously granted consent.
How to proceed
If the customer is registered then consents can be revoked directly by the customer once logged in to the site. The customer can revoke consents on their personal data and on individual orders and quotes. Alternatively you can revoke consent on their behalf.
Once consent is revoked, if you have no other legal basis on which to base the processing then you must stop it. If you do not carry out other lawful processing on these personal data then you should also delete the personal data. The customer still has the right to object to processing even if not based on consent within the terms provided by the regulation.
Data deletion
Right
A customer has the right to obtain deletion of their personal data.
How to proceed
On a case-by-case basis you should determine which data to delete, which data to restrict processing of, and which data to refuse to delete and continue processing.
If the processing is lawful and still necessary for the purposes for which the data are processed, and you have a contract in place or a legal obligation, then you can refuse deletion.
If instead the processing is based on consent or on legitimate interest, then you should delete the data upon the data subject's request.
If you no longer have any legal basis for processing the data, or the processing is no longer indispensable for its purposes, then you should delete the data without waiting to be asked.
You can delete customers, documents, and carts that contain the data subject's personal data.
Data portability
Right
A customer has the right to receive, in a structured, commonly used, and machine-readable format, the personal data concerning them.
How to proceed
To export a customer's personal data there is a specific function in the Open2b admin that allows you to export personal data from a customer record with the associated documents.
To use this function you should first ensure you have a record for the customer who made the request (creating a new one if not present or merging multiple records if duplicates) and then associate the customer's documents to the record if they are not already associated.
Personal data can be sent to the customer in the manner you consider most appropriate. However, to allow customer identification and secure data transmission, as required by regulation, Open2b allows you to send an address to the customer from which, once logged in to your site, they can securely download their personal data directly from the browser.
Objection to processing
Right
a) A customer has the right to object, for reasons related to their particular situation, to processing based on legitimate interest, unless your legitimate reasons prevail over the interests, rights, and freedoms of the data subject or the processing is needed for the establishment, exercise, or defense of a right in court.
b) A customer always has the right to object if data are processed for direct marketing purposes including related profiling.
Note
An objection request is different from a request for withdrawal of processing. If the customer's request is not precise, it is up to you to understand its intent and guide them in formulating it properly.
How to proceed
In case a) you should stop processing unless you have legitimate reasons that prevail over the rights of the data subject under the conditions provided by the regulation. You can continue processing only if you have other legal bases to continue it.
In case b) you must stop processing for direct marketing and related profiling. For example, you should no longer send commercial communications to the customer or profile the customer.
In both cases, if you stop processing and do not carry out other lawful processing on these personal data of the customer, then you must also delete them.
Note that even though the GDPR considers direct marketing a legitimate interest, Directive 2002/58 is still in force and requires explicit consent to receive commercial communications.