Necessary elements for grant of a quality label in e-commerce from the point of view of the data protection law

The global character of electronic commerce (e-commerce) entails an intensive exchange of personal data that may infringe the privacy of the persons concerned. Consequently, it is extremely important that the fundamental principles of data protection are also applied in the e-commerce environment.

To strengthen user confidence in e-commerce - this is also a provision of the data protection law (DPL) - providers should process customer data transparently. They must inform users which personal data they intend to process and for what purpose. On the basis of these considerations we welcome the creation of a quality label that, among other aspects, guarantees processing of personal data in conformity with data protection law and thus strengthens customer confidence in e-commerce.

A fundamental prerequisite for a quality label procedure is that the legal requirements for the protection of privacy are implemented through technical standardisation. The following requirements and test criteria must be taken into account for a quality label to be effective with respect to the data protection law:

Reliable procedure for grant of the quality label

The quality label may only be granted on the basis of a transparent awarding procedure with reproducible test criteria. It is therefore essential that the procedure for granting the quality label, as well as the test criteria, are defined clearly and set out in a binding norm. The clearly delineated certification procedure then leads to the award of the quality label by a suitable institution in the course of an auditing process.

Compliance with and implementation of the fundamental legal principles of data processing

Before the quality label is awarded, compliance with the legal requirements for the processing of personal data must be appraised in the certification procedure. The following requirements in particular must therefore be examined:

  • Transparent information to users/customers (e.g. a privacy policy).
  • Fulfilment of the legal requirements when processing the data (such as criteria on the storage, deletion and passing on of personal data).
  • Assurance of the right to information and access, as well as the right to legal recourse in the event of disputes or violations of privacy.
  • Assurance of a right of choice for users/customers regarding the use of their data.
  • Assurance of data security through technical and organisational measures.

Binding control procedure with sanctions and measures in the event of non-compliance with the rules

After the award of the quality label, follow-up control must be assured, e.g. on an annual basis, through the implementation of a binding and reliable control procedure. Lastly, sanctions and measures must be provided for, e.g. the withdrawal of the quality label in the event of non-compliance with the rules and requirements.

Taking the European requirements on data protection into account

The European legal requirements on the processing of personal data have to be integrated into the examination to ensure the international reliability of the label.

[July 2001]