GDPR applies to every business that processes the personal data of individuals in the EU, even if the company handling the data is itself based outside the EU. Under GDPR, EU individuals have the right to request access to, correction of and deletion of the personal data any company holds about them.
This article covers only some of the common aspects which are necessary to operate your online store within the requirements of GDPR. It is not the intention of this article to be an exhaustive guide to GDPR compliance. It is the responsibility of every business to ensure they seek their own appropriate legal advice, specific to their own business data processing needs in order to comply with GDPR.
ShopIntegrator has updated its Privacy Policy to comply with the GDPR principles.
GDPR is the General Data Protection Regulation, a European Union (EU) privacy regulation which governs the rights of consumers to control their personal data and requires companies to have a lawful basis, typically the consumer's consent or the need to fulfil a contract with them, before storing and processing a consumer's information. GDPR came into effect on Friday the 25th of May 2018.
To comply with GDPR, ShopIntegrator merchants that sell to EU customers and process the details of those customers must operate within the GDPR requirements. This applies even if the merchant is based outside the EU: the merchant still has an obligation to comply with GDPR for any EU customer data they hold.
ShopIntegrator is the Data Processor, collecting and processing customers' personal details on behalf of the merchant for the operation of the merchant's online store. You as the merchant are the Data Controller for your customers' data, and as such you are responsible for GDPR compliance for the personal data collected from your customers in your online store. Personal data is any information that may be used to identify an individual, either directly or indirectly, including such information as:
In your online store and your website it is recommended that you inform the customer about their rights and obtain consent from a customer before collecting and storing their data. To achieve this, it is recommended that you:
USA/EU Privacy Shield Certified Hosting Provider: Personal data transferred to the USA was treated by the EU as adequately protected only where the receiving company had certified under the USA/EU Privacy Shield program. Under Privacy Shield a company had to certify that it would provide data protection safeguards aimed at complying with EU data protection requirements when transferring personal data between the European Union and the United States. Note that the Privacy Shield adequacy decision was invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment), so transfers of EU personal data to the USA now need another transfer mechanism, such as Standard Contractual Clauses or certification of the recipient under the EU-US Data Privacy Framework adopted in 2023.
The ShopIntegrator checkout, by default, requires a mandatory customer acceptance checkbox for the generic set of terms and conditions of the ShopIntegrator ecommerce service which the customer must accept before they may complete the checkout.
A merchant may need more bespoke terms and conditions applicable to their business needs. It is possible to provide a custom link to the merchant's own terms and conditions, specific to the business's operating practices, which will then replace ShopIntegrator's general ecommerce terms and conditions in the checkout.
When the customer confirms they have read and agree to the GDPR-compliant terms and conditions, they are consenting to their data being collected and stored for the purposes declared. Note that processing needed to fulfil the order itself rests on the contract with the customer rather than on consent, and that GDPR consent must be freely given, specific and unambiguous: any optional processing such as marketing emails needs its own unticked opt-in rather than being bundled into acceptance of the terms and conditions.
Customers are entitled to request from a merchant a copy of any personal data the merchant holds about them. The information must be supplied in an easy-to-understand and widely accessible document format.
A response acknowledging the request must be sent to the requestor within 20 days (GDPR itself requires the request to be fulfilled without undue delay and in any event within one month of receipt, extendable by up to two further months for complex or numerous requests if the requestor is told within the first month) and:
If you have connected your store to any 3rd party services, such as email marketing solutions, you are also accountable for raising the request with each of those 3rd party services on the customer's behalf and collating their responses for the customer.
If you receive a request from a customer to obtain their personal data in your store, first confirm that the requestor is who they claim to be (GDPR allows you to ask for additional information to verify identity where you have reasonable doubts), then email a request as the store owner on behalf of the customer to ShopIntegrator Support (see store admin Help > Support), ensuring there is sufficient detail to identify the customer so the request can be handled unambiguously. The customer's details will be supplied back to the merchant within 20 days, inside the one month limit GDPR sets for handling such a request. It is the responsibility of the merchant to pass this information on to the customer and to fulfil the request in full, together with all other data the merchant holds on the customer in any other systems the merchant may be using.
Customers are entitled to make a request to a merchant to delete or modify the personal data held by the merchant about them.
A response acknowledging the request must be sent to the requestor within 20 days (GDPR itself requires the request to be acted on without undue delay and in any event within one month of receipt, extendable by up to two further months for complex or numerous requests if the requestor is told within the first month) and:
If you have connected your store to any 3rd party services, such as email marketing solutions, you will also be accountable for the deletion or modification of this data with all your 3rd party services.
If you receive a request from a customer to delete or modify their personal data in your store, first confirm that the requestor is who they claim to be (GDPR allows you to ask for additional information to verify identity where you have reasonable doubts), then email a request as the store owner on behalf of the customer to ShopIntegrator Support (see store admin Help > Support), ensuring there is sufficient detail to identify the customer so the request can be handled unambiguously. The customer's details will be deleted or modified, as appropriate, within 20 days, inside the one month limit GDPR sets for handling such a request, and ShopIntegrator will inform the merchant once the request has been completed. It is the responsibility of the merchant to confirm completion to the customer, covering both the store data and any other data the merchant holds on the customer in other systems the merchant may be using.
Personal data is collected from the merchant's customer to allow the merchant to receive and process the customer's order or to register an account with the merchant in their online store.
Customer order data will be retained in the online store for the following time periods from the date the order is created, after which the customer's personal data will be deleted:
Data transferred between the web browser and both the ecommerce shopping cart and the merchant administration console is encrypted in transit using TLS (HTTPS), the industry standard protocol for this purpose, to prevent interception.
If personal data is exported out of the online store, physically or digitally, the merchant must take reasonable measures for the protection and safekeeping of that data. It is recommended that digital exports are encrypted and protected with a strong password (at least 8 characters containing upper case and lower case letters and at least one number as an absolute minimum; a longer passphrase is better), that the password is shared through a different channel from the file itself, that exports are deleted as soon as they are no longer needed, and that physical documentation is stored in secure locked storage.
As the merchant, you are the Data Controller. If you experience a personal data breach you are responsible for notifying your supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals concerned, and for informing the affected customers without undue delay where the breach is likely to result in a high risk to them. Keep a record of every breach, including any you decide not to report, as GDPR requires this documentation.
ShopIntegrator is the Data Processor for your store's data. GDPR requires a Data Processor to notify the Data Controller without undue delay after becoming aware of a breach, so ShopIntegrator will notify affected merchants as soon as any data breach is identified in the systems that ShopIntegrator is responsible for; the merchant remains responsible for the onward notifications described above.
ShopIntegrator is the trading name of Virtuosity IT Ltd, which is registered with the UK Information Commissioner's Office (ICO) under the Data Protection Act. ShopIntegrator's entry in the ICO data protection register is available for inspection.
ShopIntegrator has undertaken these steps for GDPR: