GDPR and ShopIntegrator ecommerce stores

Publish Date: 2018-07-17


GDPR applies to all businesses who process information of individuals from the EU, even if the company handling the data is outside of the EU itself. Under GDPR, EU individuals have the right to request to obtain, manage and delete their personal data held by any company.

This article covers only some of the common aspects which are necessary to operate your online store within the requirements of GDPR. It is not the intention of this article to be an exhaustive guide to GDPR compliance. It is the responsibility of every business to ensure they seek their own appropriate legal advice, specific to their own business data processing needs in order to comply with GDPR.

ShopIntegrator has updated its Privacy Policy to comply with the latest GDPR principles.

General Data Protection Regulation Guidance

GDPR is the General Data Protection Regulation, a European Union (EU) privacy regulation which governs the rights of consumers to control their personal data, ensuring companies obtain consent before storing and processing a consumer's information. GDPR came into effect on Friday the 25th of May 2018.

GDPR - How to get started with compliance

To comply with GDPR, ShopIntegrator merchants that sell to EU customers and process the personal details of those EU citizens must operate within the GDPR guidelines. Even a merchant based outside the EU still has an obligation to comply with GDPR for any EU customer data it holds.

ShopIntegrator is the Data Processor, collecting and processing customers' personal details on behalf of the merchant for the operation of the merchant's online store. You as the merchant are acting as the Data Controller for your customers' data. As the merchant you are also responsible for compliance with GDPR for personal data collected from your customers in your online store. Personal data is information that may be used to identify an individual, either directly or indirectly, including such information as:

  • Customer name
  • Customer address
  • E-mail address
  • Bank account details
  • Medical information

In your online store and your website it is recommended that you inform the customer about their rights and obtain consent from a customer before collecting and storing their data. To achieve this, it is recommended that you:

1. Ensure you have a privacy policy for your website and online store that sets out:

  • The reason you need to collect their personal data and the purposes for which you intend to use it
  • The method by which the customer may withdraw their consent and have their data deleted
  • The time period for which their data will be stored
  • That data will be transferred outside of the EU. ShopIntegrator's servers and data are hosted outside the EU in the USA at the Rackspace data center - Rackspace hosting services are certified for the EU-U.S. Privacy Shield Program

    USA/EU Privacy Shield Certified Hosting Provider: Data stored outside the EU in the USA is considered by the EU as having "adequate" laws for the purpose of data protection under the USA/EU Privacy Shield program. Under the USA/EU Privacy Shield a company must certify that they will provide data protection safeguards aimed at complying with EU data protection requirements when transferring personal data between the European Union and the United States.

2. Mandatory acceptance of your terms and conditions before checkout completion to capture consent for data collection:

The ShopIntegrator checkout, by default, requires a mandatory customer acceptance checkbox for the generic set of terms and conditions of the ShopIntegrator ecommerce service which the customer must accept before they may complete the checkout.

A merchant may need more bespoke terms and conditions applicable to their business needs. It is possible to provide a custom link to the merchant's own terms and conditions, specific to your business's operating practices, which will then replace ShopIntegrator's general ecommerce terms and conditions in the checkout.

  • This is achieved in the store admin from the Order Manager > Order and Checkout Settings tab > Checkout Settings section.

When the customer confirms they have read and agree to the GDPR compliant terms and conditions, they are consenting to their data being collected and stored for the purposes declared.


3. Give customers the right to request the data held about them:

Customers are entitled to make a request to a merchant to obtain a copy of any personal data held by the merchant about them. The information must be supplied in an easy-to-understand and widely accessible document format.

A response must be given to the requestor within 20 days to inform them that their request has been received and either:

  • supply the information asked for; or
  • inform them that no information is held about the individual.

If you have connected your store to any 3rd party services, such as email marketing solutions, you will also be accountable for making the same request to each of those 3rd party services on the customer's behalf, and for collating the responses for the customer.

If you receive a request from a customer to obtain their personal data in your store, please email a request as the store owner on behalf of the customer to ShopIntegrator Support (see store admin Help > Support), ensuring there is sufficient detail to identify the customer to clearly handle the request. The customer's details will be supplied back to the merchant within the 20 day period required by GDPR for handling such a request. It will be the responsibility of the merchant to make this information available to the customer and fulfil the final request along with all other data the merchant holds on the customer in other systems the merchant may be using.


4. Give customers the right to delete or modify their data and its use:

Customers are entitled to make a request to a merchant to delete or modify the personal data held by the merchant about them.

A response must be given to the requestor within 20 days to inform them that their request has been received and either:

  • confirm that the information has been deleted or updated as appropriate; or
  • inform them that no information is held about the individual.

If you have connected your store to any 3rd party services, such as email marketing solutions, you will also be accountable for the deletion or modification of this data with all your 3rd party services.

If you receive a request from a customer to delete or modify their personal data in your store, please email a request as the store owner on behalf of the customer to ShopIntegrator Support (see store admin Help > Support), ensuring there is sufficient detail to identify the customer to clearly handle the request. The customer's details will be deleted or modified, as appropriate, within the 20 day period required by GDPR for handling such a request. ShopIntegrator will inform the merchant once the request has been completed. It will be the responsibility of the merchant to update the customer once the request is completed for the store data and any other data the merchant holds on the customer in other systems the merchant may be using.


5. Data retention period:

Personal data is collected from the merchant's customer to allow the merchant to receive and process the customer's order or to register an account with the merchant in their online store.

Customer order data will be retained in the online store for the following time periods from the date the order is created, after which time the customer's personal data will be deleted:

  • Free account: 3 months
  • Basic account: 12 months
  • Advanced account: 18 months
  • Premium account: 24 months
  • Ultimate account: 24 months
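A retention schedule like the one above is only a control if something actually enforces it, so here is an added example (not ShopIntegrator's own code) of the purge selection logic a store operator could run against exported order records. The tier names and month counts are taken from the schedule above; the order IDs and dates are constructed sample data, and the `add_months` helper is an assumption about how "months from the order date" is counted (it clamps to the last day of the target month so an order created on the 31st is never retained past the period).

```python
"""Retention purge schedule for customer order data, keyed by store account tier."""
from datetime import date
import calendar

# Retention periods (in months) from the article's schedule, per account tier.
RETENTION_MONTHS = {
    "free": 3,
    "basic": 12,
    "advanced": 18,
    "premium": 24,
    "ultimate": 24,
}


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target month's length
    (e.g. 31 Jan + 1 month -> 28/29 Feb) so no order is silently retained longer."""
    total = d.month - 1 + months
    year = d.year + total // 12
    month = total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def deletion_date(created: date, account_tier: str) -> date:
    """Date on which the personal data of an order created on `created` falls due for deletion."""
    tier = account_tier.lower()
    if tier not in RETENTION_MONTHS:
        # Fail closed: an unknown tier must not be treated as "retain forever".
        raise ValueError(f"unknown account tier: {account_tier!r}")
    return add_months(created, RETENTION_MONTHS[tier])


def orders_due_for_deletion(orders, account_tier: str, today: date):
    """Return the IDs of orders whose retention period has expired as of `today`.
    Each order is a dict with 'order_id' and 'created' (a date)."""
    return [
        o["order_id"]
        for o in orders
        if deletion_date(o["created"], account_tier) <= today
    ]


# Constructed sample orders (hypothetical IDs, not real store data).
SAMPLE_ORDERS = [
    {"order_id": "ORD-1001", "created": date(2018, 1, 31)},
    {"order_id": "ORD-1002", "created": date(2018, 5, 25)},
    {"order_id": "ORD-1003", "created": date(2018, 7, 1)},
]

if __name__ == "__main__":
    as_of = date(2018, 7, 17)
    for tier in RETENTION_MONTHS:
        print(tier, orders_due_for_deletion(SAMPLE_ORDERS, tier, as_of))
```

Running the purge selection on a fixed `today` rather than `date.today()` makes the job reproducible and lets you log exactly which retention cut-off was applied when a customer later asks what was held about them.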


6. Data security:

Data transfer between the web browser and both the ecommerce shopping cart and merchant administration console is encrypted and secured by the latest industry standard security protocols to avoid data interception.

If personal data is exported out of the online store, physically or digitally, the merchant must take reasonable measures for the protection and safekeeping of that data. It is recommended that digital data is encrypted and protected with a strong password (minimum of 8 characters, containing upper case and lower case characters and at least one number), and that physical documentation is stored in secure locked storage.


7. Notify customers in the event of a data breach:

As the merchant, you are the Data Controller. If you experience a data breach you are responsible for notifying customers within 72 hours of becoming aware of the data breach.

ShopIntegrator is the Data Processor for your store's data. GDPR requires that a Data Processor must also notify users as soon as any data breach is identified in relation to the systems that ShopIntegrator is responsible for.



What has ShopIntegrator done for GDPR?

ShopIntegrator is the trading name of Virtuosity IT Ltd, which is registered with the UK Information Commissioner's Office (ICO) under the Data Protection Act. ShopIntegrator's entry details are listed in the ICO Data Protection Register.

ShopIntegrator has undertaken these steps for GDPR:

  • Assigned a Data Protection Officer responsible for co-ordinating ShopIntegrator data protection
  • Set out a process for managing requests to obtain, modify and delete personal data held about an individual
  • Updated its terms of service and privacy policy in line with GDPR principles
  • Documented its data processing activities