The Data Protection Act is a law in the United Kingdom (UK) that deals with how you handle personal customer information. You must register your business and comply with this act. You can register at http://ico.org.uk
The act applies to businesses of all sizes. There is an administration fee and failing to register or adhere to this law can result in penalty. Some of the rules that apply:
- You must only record data of a person what is pertinent to the needs of your business.
PinnacleCart, by default only asks for the information that ir required to bill and ship. You will be in compliance if you do not alter the checkout form in any way. If, however, you add additional custom fields asking for customer info, this may cause you to lose compliance.
- All personal data must be held in a secure way and provided or removed upon request from the individual.
In our systems we only collect basic data to complete a financial transaction and or contact information as needed to manage a customer's account. This limited information is not shared, transmitted, sold, rented and is only retained for use in managing the account by PinnacleCart. System access is restricted and logged. In addition, customer information can be removed at anytime by an administrator.
- Your terms and conditions on your website must indicate what you do with personal data and you must not then deviate from this.
This will be up to you as the merchant to be compliant. You can edit your Terms and Conditions text page and add this information. See Adding or Editing Custom Pages on Your Site for info on how to add and edit text pages.
- Data collected must not be taken out of the EU (even digitally via email) without permission from the individuals involved.
If you host with PinnacleCart, then your data is collected and stored on a database in the United States. You must either purchase a license and host the website in the EU, or add a line to your Terms and Conditions which states that the customer agrees their data can be held in the US, and provide information about how they can have data removed.
You must register under the Data Protection Act if you collect personal information about customers, employees or future customers.