Implementation CH-DSG / EU-GDPR


Introduction

Since May 25, 2018, the European General Data Protection Regulation (EU-GDPR) has been in effect. As of September 1, 2021, the revised Data Protection Act came into force in Switzerland. The new regulations apply to all companies and institutions that process personal data of persons based in Switzerland. What does this mean? Companies are affected if they have a presence in Switzerland, offer their goods or services to residents of Switzerland, or observe their behavior. The same applies in reverse for the EU-GDPR, which applies to companies that have a presence in the EU, offer goods and services to residents of the EU, or observe their behavior.

When you are affected

  • CH-DSG:
    • You have a branch, office, or subsidiary in Switzerland
    • You process personal data through a Swiss company
    • You deliberately offer services to persons residing in Switzerland
    • You observe the behavior of Swiss persons.¹
  • EU-GDPR:
    • You have a branch, office, or subsidiary in the EU
    • You process personal data through an EU company
    • You deliberately offer services to persons residing in the EU
    • You observe the behavior of EU persons.¹

¹ Google Analytics and similar tracking tools are primarily concerned here.

Settings in 21.Shop

We will now go through the individual settings in your webshop.

Cookies

As an operator of an online shop, you are legally obligated to transparently inform your visitors about the use of cookies. To meet the requirements of data protection and privacy by default, we recommend the following settings:

1. Activate cookie notification

  • Go to “Settings” → “General” → “Shop Configuration” in the shop administration.

  • Activate the option “Use Cookie Manager” there. This will display a cookie notification in the shop that informs users about the use of cookies and obtains their consent.

2. Only enable essential cookies by default

  • Additionally activate the setting “Essential cookies by default”.
    • This means only technically necessary cookies are set on the first visit.
    • Additional cookies (e.g., for analytics or marketing) are only loaded after explicit user consent.

3. Mask IP address

  • Also activate the option “Mask IP address”.

    • This function anonymizes visitors’ IP addresses, e.g., when using analytics services.
    • This contributes additionally to data minimization and protection of personal data.

These settings help you comply with legal requirements and improve your shop’s data protection standard – without requiring a third-party cookie banner.

Forms: Requesting acceptance of the privacy policy and terms and conditions

If you process personal data in your system, appropriate consent should be obtained. Depending on the input form in your online system, the terms and conditions and/or the privacy policy are displayed together with a checkbox for acceptance.

Note on displaying terms and conditions in the order process

The general terms and conditions (T&C) are automatically displayed in the shop’s checkout process.

What happens during the order process?

  • Customers see a notice about the T&C in the last step of the order.
  • Additionally, a “checkbox” appears that must be actively confirmed to accept the T&C.
  • The order can only be completed when this checkbox is activated – this ensures that the T&C have been effectively accepted.

This function is enabled by default in the shop system and meets the legal requirements for electronic commerce.

Flexible configuration options

21.Shop offers you flexible configuration options, depending on how you use the shop – for example as:

  • Internal ordering system
  • Closed B2B portal
  • Or public online shop for end customers

The type of your product range can also influence which legal notices should be displayed.

Adjusting the confirmation prompts for T&C and privacy policy

You can control whether and when your customers must actively accept T&C and/or the privacy policy.

How to configure the prompts:

  1. Navigate to “Settings” → “General” → “Customer info / Withdrawal / T&C” in the shop administration
  2. There you can individually activate or deactivate the following options:
    • Have T&C confirmed
    • Have privacy policy confirmed
    • Display and have withdrawal notice confirmed (if required)

These settings allow you to tailor the legal notices specifically to your target audience and the purpose of the shop.

Forms in the system

The following locations now offer the option to have customers confirm the privacy policy and T&C:

  • Contact form

  • Newsletter registration

  • New customer registration

  • Direct checkout without registration (during the order process)

  • Company registration (in B2B/dealer mode)

Rights of your customers

View, export or anonymize stored data

You are required to export a customer's data and make it available to them upon request. To do this, open the desired customer in customer management and choose “edit”. Scroll to the end of the page, where you will see the expandable panel “CH-DSG / EU-GDPR data management”.

View, export/download stored data

If the customer wants to view their data, you can export it here and send it to them in a machine-readable format. The data is exported as a .json file, which can be opened with a suitable editor or browser.

Deletion request: Anonymize stored data

If the customer wants to delete all their data and thus exercise their right to be forgotten, you can do this. Please note that no recovery is possible afterwards and all data will be irreversibly deleted!

The customer’s data will be anonymized in the shop, which means the customer’s data is no longer available. However, as the shop owner, you will still have the order, for example.

Note: Please read the text thoroughly before deletion to be aware of all consequences. Make sure you have deleted all of your customer’s accounts. Your customer may have multiple accounts, which must all be deleted upon request. 21.Commerce is not an accounting system (that’s what 21.AbaNinja is for)! Please note that you must first extract data that is subject to legal retention requirements before deleting all data! Once you have deleted the data, you cannot retrieve it again!

Anonymize customer data

From version 10 of the shop system, a new tab with the title “Anonymize customer data” is available in the “Customers/Orders” area.

Via this tab you have the following options:

  1. Set up automatic anonymization
    • Define after which period customer data should be automatically anonymized – e.g., to fulfill legal retention and data protection requirements.
  2. Perform one-time anonymization
    • Start a manual anonymization for selected or all available customer data.
  3. Download affected records
    • Download an overview of records that are eligible for anonymization.

A “Help text” is available directly in the system for detailed information on the individual functions and their effects. You can access this via the information icon or a link within the tab.
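
The three operations described above (finding every account of one person, listing records past a retention period, and anonymizing while keeping orders) can be pictured with the following added example. It is not 21.Shop code; the record layout, the field names and the 730-day period are assumptions made for illustration.

```javascript
// Added example, not 21.Shop code. Record layout and field names are
// hypothetical; the sample data is constructed.
const DAY_MS = 24 * 60 * 60 * 1000;
const PII_FIELDS = ['name', 'email', 'phone'];
const normalizeEmail = (e) => e.trim().toLowerCase();

// A deletion request covers every account of the person, so match on the
// normalized e-mail address instead of a single customer id.
function findAccounts(customers, email) {
  const wanted = normalizeEmail(email);
  return customers.filter((c) => !c.anonymizedAt && normalizeEmail(c.email) === wanted);
}

// Customers whose latest activity (last order, else registration) lies
// before the retention cutoff: the records to download and review first.
function eligibleForAnonymization(customers, orders, retentionDays, now) {
  const cutoff = now.getTime() - retentionDays * DAY_MS;
  return customers.filter((c) => {
    if (c.anonymizedAt) return false;
    const last = orders
      .filter((o) => o.customerId === c.id)
      .reduce((max, o) => Math.max(max, Date.parse(o.date)), Date.parse(c.registeredAt));
    return last < cutoff;
  });
}

// Blank the personal fields but keep the id, so stored orders still point
// at a customer record that no longer identifies anyone.
function anonymize(customer, now) {
  const copy = { ...customer, anonymizedAt: now.toISOString() };
  for (const field of PII_FIELDS) copy[field] = null;
  return copy;
}

// Constructed sample: accounts 1 and 2 belong to the same person.
const SAMPLE_CUSTOMERS = [
  { id: 1, name: 'A. Muster', email: 'a.muster@example.com', phone: '000', registeredAt: '2019-03-01' },
  { id: 2, name: 'Anna Muster', email: ' A.Muster@Example.com ', phone: '000', registeredAt: '2023-06-10' },
  { id: 3, name: 'B. Beispiel', email: 'b.beispiel@example.com', phone: '000', registeredAt: '2024-11-01' },
];
const SAMPLE_ORDERS = [
  { id: 100, customerId: 1, date: '2019-04-02', total: 59.9 },
  { id: 101, customerId: 2, date: '2024-12-15', total: 120 },
];
const today = new Date('2025-01-01T00:00:00Z');
// 730 days is a constructed retention period, not a legal value.
console.log(eligibleForAnonymization(SAMPLE_CUSTOMERS, SAMPLE_ORDERS, 730, today).map((c) => c.id));
console.log(findAccounts(SAMPLE_CUSTOMERS, 'a.muster@example.com').map((c) => anonymize(c, today)));
```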

Analytics

If you use add-on tracking tools like Google Analytics, it is important to transmit visitors’ IP addresses anonymously to meet data protection requirements.

How to activate IP anonymization:

  1. Access shop administration
    • Go to “Modules” → “Analytics” in the shop administration.
  2. Activate IP anonymization
    • Activate the option for “IP address anonymization” in the Google Analytics settings.
    • This setting ensures that website visitors’ IP addresses are anonymized before being stored in Google Analytics.
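
What masking an IP address means in practice, for both the “Mask IP address” option under Cookies and the analytics setting above, is sketched in this added example. It is not 21.Shop code, and the scheme it uses (zero the last IPv4 octet, zero the last 80 bits of IPv6) is an assumption, since the page does not state how the shop truncates addresses.

```javascript
// Added example, not 21.Shop code. Assumed scheme: zero the last octet of
// IPv4 and the last 80 bits of IPv6 before the address is stored.
// Parse a dotted-quad IPv4 address into four octets; null if invalid.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Parse IPv6 into eight 16-bit groups, handling "::" and an embedded
// dotted-quad tail such as ::ffff:192.0.2.55; null if invalid.
function parseIPv6(text) {
  if (text.includes('.')) {
    const cut = text.lastIndexOf(':') + 1;
    const v4 = parseIPv4(text.slice(cut));
    if (!v4) return null;
    const hex = (hi, lo) => ((hi << 8) | lo).toString(16);
    text = text.slice(0, cut) + hex(v4[0], v4[1]) + ':' + hex(v4[2], v4[3]);
  }
  const halves = text.split('::');
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const gap = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (halves.length === 2 && gap < 1) return null;
  const groups = [...head, ...Array(gap).fill('0'), ...tail];
  const valid = groups.length === 8 && groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g));
  return valid ? groups.map((g) => parseInt(g, 16)) : null;
}

// Return the masked address, or null when the input is not a valid IP.
// A null result must not be replaced by the raw value.
function maskIp(addr) {
  const v4 = parseIPv4(addr);
  if (v4) return `${v4[0]}.${v4[1]}.${v4[2]}.0`;
  const g = parseIPv6(addr);
  if (!g) return null;
  // IPv4-mapped IPv6: mask the embedded IPv4 address, keep the prefix.
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return `::ffff:${g[6] >> 8}.${g[6] & 255}.${g[7] >> 8}.0`;
  }
  return g.slice(0, 3).map((x) => x.toString(16)).join(':') + '::';
}

// Constructed sample addresses (documentation ranges).
for (const ip of ['203.0.113.77', '2001:db8:85a3::8a2e:370:7334', 'garbage']) {
  console.log(ip, '->', maskIp(ip));
}
```

Masking has to happen before the address is written to a log or passed to an analytics service; truncating it afterwards leaves the full value in whatever stored it first.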

Adjust privacy policy

  • Google Analytics in the privacy policy: The use of analytics services must be noted in your “Privacy Policy”. The “21.Commerce application” handles this addition automatically for you. You just need to ensure that the text under “Content” → “Pages” → “Privacy Policy” is supplemented.

  • Addition: The notice will be inserted below the existing text about the “runtime of the system”.

Data processing agreement (DPA)

  • Data protection laws require you to conclude a “Data Processing Agreement” (DPA) with Google if you use Google Analytics.

  • To conclude such an agreement, it is sufficient to electronically confirm the “Data Processing Agreement” in the “Analytics settings”.

With these steps, you ensure that Google Analytics is used in compliance with data protection regulations and that you meet the legal requirements.

Privacy policy

21.Shop provides you with an empty template for a privacy policy that is automatically linked to the integrated Consent Manager.

How to add your privacy policy:

Go to: “Content” → “Pages” → “Privacy Policy” in the shop administration

  1. Insert the text of your privacy policy.
    • If you don’t have your own privacy policy, you can use a template. A suitable template can be found, for example, in the “Data Protection Self Assessment Tool” at https://www.dsat.ch - Downloads.
  2. Add cookie detail information:
    • 21.Shop automatically supplements the document at the end with “Cookie detail information” at system runtime.

Link in 21.POS Consent Manager:

  • The privacy policy is automatically linked in the “21.POS Consent Manager” to comply with legal requirements.

Check link in footer (for older shops):

  • If you operate an older shop, check whether the privacy policy is also linked in the “Footer”.

  • If not, add the link to the privacy policy as follows:

    • Go to “Content” → “Pages” → “Footer” and make sure the link to the privacy policy is included there.

With these steps, you ensure that your privacy policy is correctly integrated and linked. This way, you meet the legal requirements regarding data protection and consent.

Further help

If you have any questions or problems, our support team will be happy to help. To do so, open a support ticket:

  1. Go to the Swiss21 portal.
  2. Click on your profile picture in the top right corner.
  3. Click on “Support”.
  4. Click on “Contact support”.
  5. Fill out the form and our support team will get back to you as soon as possible.

Support opening hours: Monday – Friday | 8:00 a.m. – 12:00 p.m. | 1:30 p.m. – 5:00 p.m.
