23/10/2020 Risk management
Christian Steiner

DSGVO: Protecting data from misuse in purchase on account

On 25 May 2018, the General Data Protection Regulation (GDPR, in German DSGVO) will enter into force after a two-year transitional period. It harmonises data protection standards within the EU and strengthens the protection of the fundamental rights and freedoms of natural persons. More importantly, however, it imposes greater obligations on those who collect and process personal data. This article highlights what you as an online retailer can do now to ensure that your customers are properly protected, and what you should be aware of when offering purchase on account.

Data theft and misuse raise consumer awareness

As if to underline the entry into force of the DSGVO, 2018 has already seen its first major data scandals: hackers offered for sale the data of five million credit and bank cards from Hudson's Bay Company, the parent of Kaufhof (1). The data of up to 87 million people were used illegally in the US election campaign, 310,000 of them from Germany (2). 150 million user records of the fitness app MyFitnessPal, including email addresses and passwords, were stolen (3). As far as reports of data theft are concerned, 2018 has so far produced stark numbers. Your customers are noticing this too. Everyone is talking about data protection: on the one hand because people are increasingly attending data protection training in their role as employees, and on the other because the current media attention is creating awareness of the topic. Consumers are engaging with it more and more and are growing confident in it. One could almost speak of a form of data protection education and awareness raising.

All of a sudden, things are being questioned that were previously taken for granted or considered uninteresting:

  • Why can’t I pay you by invoice?
  • For what purpose do you collect my data?
  • What data have you collected about me?
  • To whom has my data been passed on, and to whom will it be passed on?
  • What has been and will be done with my data?

This is only a selection of the questions that consumers will ask with growing self-confidence and sense of justice. Transparency in handling customer data is therefore the most important recommendation for action and should be a top priority for your business. It is advisable to consider early on who actually has control over your customers' personal data, and what your customers think about their data being passed on to external parties and processed there.

Who actually has control over their own data?

Particularly when you outsource purchase on account, e.g. when you transfer the risk of non-payment to a payment service provider, you are handing over even the most sensitive customer data. This includes your customer's name and address, the contents of the ordered shopping basket, payment histories and experiences from the customer relationship. This data then enters the control of a third party, who is suddenly responsible for the security of your customer's data, and who processes it further where necessary. One example of such further processing is what the DSGVO calls profiling, also known as scoring. In this process, points are usually awarded by a mathematical procedure for the data provided, i.e. for characteristics of your customers and their current and past purchasing behaviour. The resulting value makes your customers comparable with others and makes the risk arising from the customer relationship measurable and assessable. With the help of this profiling/scoring, automated decisions can be made, which are so important for time-sensitive e-business. According to the DSGVO, this procedure is not permitted in all cases.

Now at the latest, you should ask yourself some important questions:

  • Does the provider guarantee adequate security of personal data, including protection against unauthorised or unlawful processing?
  • Are my customers’ personal data stored in such a way that they can only be identified for as long as necessary for the purposes of the processing?
  • Is the external third party taking appropriate technical and organisational measures to ensure a level of protection for my customers' personal data that is commensurate with the risk?

And, more importantly:

  • What do your customers think about the fact that their personal information is given to third parties?

Combined with the fact that you may no longer be able to answer customer enquiries such as "Why wasn't I offered purchase on account?" with certainty, or may even have to refer your customers to an external agency, this quickly leads to displeasure and even mistrust among new and existing customers. The resulting annoyance, even over supposed trivialities, means loss of reputation and therefore lost revenue. Such complaints spread at breakneck speed via social media. And who wants to be the target of a so-called "shitstorm"?

Therefore, ask yourself whether you are able to provide the transparency your customers demand. Do you know how decisions are made and what happens to your customers’ data? Isn’t now a good time to take the helm yourself again?

Advantages of handling purchase on account yourself

Our tip for staying on the safe side in terms of data protection: take purchase on account back into your own hands. Prevent risks. Provide your customers with transparent and reliable information. Signal to your customers that you value their data and make sure that it is secure.

For example: with solutions such as SHS VIVEON proofitBOX, online retailers can decide for themselves who is offered purchase on account in their shop. The data used for this remains in the hands of the online shop. The proofitBOX supports this process with easy-to-understand and dynamically configurable sets of rules. The online retailer always maintains an overview and can give its customers transparent information about the decisions made at any time. If an online shop also decides to host the solution in our cloud, it can draw on the professional services of our ISO 27001 certified data centre and use a standard that has passed a BaFin audit even at industry-leading banks, thus meeting the highest requirements. With proofitBOX you can easily comply with the rights that the DSGVO grants to consumers, your customers.
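The following is an added example of the kind of configurable, explainable rule set described in the profiling/scoring paragraph and in the paragraph above; it is written for this article and is not code from SHS VIVEON proofitBOX or any other product. The order fields, rules, point values, threshold, retention period and secret are constructed assumptions. It shows three things a shop that keeps scoring in-house can do for its customers: record exactly which rules influenced a decision so the question "Why wasn't I offered purchase on account?" can be answered, store a keyed hash instead of the raw customer identifier in the audit record, and purge records once their retention period has run out.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, List, Tuple

# Constructed order record; the field names are assumptions for this example.
@dataclass
class Order:
    customer_id: str
    basket_total: float           # value of the shopping basket in EUR
    address_verified: bool        # delivery address matched a known postal address
    previous_orders: int          # completed orders in this shop
    open_invoices: int            # unpaid invoices in this shop
    days_since_last_dunning: int  # use a large number if never dunned

# One scoring rule; the plain-language description is kept so the shop can
# tell a customer which characteristics influenced the decision.
@dataclass
class Rule:
    name: str
    description: str
    points: int
    applies: Callable[[Order], bool]

# Constructed rule set; a real shop would tune these values itself.
RULES = [
    Rule("new_customer", "First order in this shop", -20, lambda o: o.previous_orders == 0),
    Rule("address_unverified", "Delivery address could not be verified", -40, lambda o: not o.address_verified),
    Rule("high_basket", "Basket value above 500 EUR", -15, lambda o: o.basket_total > 500),
    Rule("open_invoice", "An earlier invoice is still unpaid", -50, lambda o: o.open_invoices > 0),
    Rule("recent_dunning", "Payment reminder within the last 90 days", -30, lambda o: o.days_since_last_dunning < 90),
    Rule("good_history", "Three or more completed orders", 25, lambda o: o.previous_orders >= 3),
]
BASE_SCORE = 50       # every order starts here
THRESHOLD = 30        # purchase on account is offered at or above this score
RETENTION_DAYS = 180  # how long a decision record is kept (storage limitation)

@dataclass
class Decision:
    pseudonym: str                       # keyed hash instead of the raw customer id
    score: int
    offered: bool
    reasons: List[Tuple[str, int, str]]  # (rule name, points, description)
    delete_after: str                    # ISO date after which the record is purged

def pseudonymize(customer_id: str, secret: bytes) -> str:
    """Keyed hash so the stored audit record alone does not identify the customer."""
    return hmac.new(secret, customer_id.encode(), hashlib.sha256).hexdigest()[:16]

def evaluate(order: Order, today: str, secret: bytes = b"example-secret") -> Decision:
    """Apply every rule, sum the points and record which rules fired and why."""
    score = BASE_SCORE
    reasons = []
    for rule in RULES:
        if rule.applies(order):
            score += rule.points
            reasons.append((rule.name, rule.points, rule.description))
    delete_after = (date.fromisoformat(today) + timedelta(days=RETENTION_DAYS)).isoformat()
    return Decision(pseudonymize(order.customer_id, secret), score, score >= THRESHOLD, reasons, delete_after)

def explain(decision: Decision) -> str:
    """Text the shop can give a customer who asks why purchase on account was (not) offered."""
    verdict = "offered" if decision.offered else "not offered"
    lines = [f"Purchase on account {verdict}: score {decision.score}, threshold {THRESHOLD}"]
    for _, points, description in decision.reasons:
        lines.append(f"  {points:+d}  {description}")
    return "\n".join(lines)

def purge_expired(decisions: List[Decision], today: str) -> List[Decision]:
    """Drop decision records whose retention period has run out."""
    return [d for d in decisions if d.delete_after > today]

if __name__ == "__main__":
    returning = Order("cust-1001", 120.0, True, 5, 0, 400)
    first_time = Order("cust-2002", 640.0, False, 0, 0, 10**6)
    for o in (returning, first_time):
        print(explain(evaluate(o, "2018-05-25")))
```

Because each fired rule is stored with its description, the shop can answer a customer's enquiry from its own records without referring to an external agency, and because only a keyed hash of the customer id is retained, the audit record is of little use to anyone who does not also hold the secret.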

The General Data Protection Regulation / DSGVO: dsgvo-gesetz.de