The General Data Protection Regulation (GDPR) is a new European privacy law that takes effect on May 25, 2018.
The GDPR affects not only European companies, but every company that processes, or could potentially process, the data of EU nationals. In practice that is nearly every company in the world regardless of location, so the GDPR can affect your store even if it is not based in Europe.
The GDPR gives people more rights over their personal data. It specifically gives people the right to access, correct, delete, and restrict processing of their data, and sets out strict guidelines about how you need to get customers to agree that you can use their data (get their consent). If you collect or store any information that can be linked to an individual, that counts as personal data.
You can read the full text of the GDPR.
According to the GDPR, merchants who are based in Europe or who sell to customers from the EU have to comply with the regulation.
Online store collects and processes personal data in a compliant manner; however, it is also your responsibility to comply with GDPR requirements when you collect and process personal data from your EU customers. Under the new regulation, personal data is defined as any information that can be used to directly or indirectly identify a person. This includes: a name, a photo, an email address, bank details, posts on social networking websites, medical information, an IP address, a random code assigned to users to track them for analytics and A/B testing, and more.
Below are the key things that we recommend implementing first.
Get a clear consent before collecting any data
In Online store you can require your customers to accept your terms of service before checkout. To do it, enable the “Show ‘I agree with Terms & Conditions’ checkbox at checkout” option in your Control Panel → Settings → General → Legal Pages. As it is impossible to place an order without agreeing to the Terms and Conditions, the fact that an order is placed is a confirmation of consent.
Provide customers with the right to access their data
This means that you have to provide your customers with a copy of their personal data in an easily readable and portable format. If you receive a request to provide personal data, Online store can give you the information that it stores. Also, take into consideration any 3rd party services that you use in your store and that may have access to your customers’ personal data.
Provide customers with the right to delete, edit, restrict certain data uses
As with access requests, Online store can help you delete the personal data that it stores on your behalf. There is also information you can delete yourself. If a customer asks you to delete their order, you must do it according to the law.
You should also remember the 3rd party services that you use in your store, since they may hold copies of the same data.
Data breach notifications
Online store acts as the Data processor and our merchants act as Data controllers. If your website experiences a data breach of any kind, you might be required to notify affected customers. Under the GDPR, a notification must be sent within 72 hours after you become aware of the breach. Data processors are also required to notify users as well as the Data controllers immediately after becoming aware of a data breach.
Online store follows the GDPR guidelines on how to collect, store, process and share personal data and complies with the requirements of the GDPR in the following ways:
- we assigned the Data Protection Officer who is in charge of the Data Protection Policy;
- we started to deliver the GDPR-focused training to our key teams and personnel;
- we implemented a detailed procedure to deal with all data subject access requests, deletion requests, and government access requests;
- we work only with subprocessors who provide an adequate protection of the personal data through robust technical and organizational measures;
- we developed a reliable method to detect, report and investigate a personal data breach;
- we established the necessary records of data processing activities;
- we are certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, a legal mechanism that enables the transfer of personal data from the EEA and Switzerland to the US, under which certified organisations guarantee a level of protection in line with EU data protection law.