ITM Components is working to make sure that it will comply with the European Union’s General Data Protection Regulation (GDPR) when it takes effect on May 25, 2018. We would like to provide information for customers in regard to the new regulations.
The GDPR generally applies to the collection and processing of personal data. Under the GDPR, personal data means any information relating to a data subject. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
The GDPR gives certain rights to identified or identifiable persons (referred to as data subjects), including buyers visiting our store. These include the right to request:
Under the GDPR, in most cases the merchant collects information from their buyers as a "controller". Generally, the ecommerce platform, (in this case, Shopify) acts as a "processor" for the merchant with respect to such buyer personal data.
To comply with the GDPR, generally the processor may only process personal data when authorised to do so by the controller. Where the ecommerce platform is a processor for a merchant, it processes personal data on documented instructions from merchants. For example, when a merchant clicks Fulfill items, they give Shopify the instruction to process the data necessary to perform that action. Similarly, when a merchant selects a particular payment processor, they give the ecommerce platform the instruction to transmit data to the relevant party.
The GDPR also places several other responsibilities on the processor, discussed below:
Processors must notify and obtain consent from their controller when transmitting personal data to a subprocessor. Shopify uses a number of subprocessors to provide the service, including to:
When a merchant signs up for the Shopify service, they consent to allow Shopify to use subprocessors. A list of subprocessors is available upon request from Shopify
Processors must notify the controller after becoming aware of a personal data breach resulting from a breach of the processor’s security. Shopify is committed to ensuring that its incident response program meets the requirements of the GDPR. The specifics of breach notification are handled through a merchant's contract with Shopify.
Processors must appoint a Data Protection Officer if they conduct certain types of personal data processing.
Shopify’s Data Protection Officer can be reached at firstname.lastname@example.org.
Under the GDPR, the controller has the following responsibilities:
Controllers are obligated to help data subjects exercise their rights.
We can do this by forwarding buyer requests to Shopify, as detailed in the Data subject rights section of this document.
When personal data is collected from a data subject, we must provide certain minimum information about the intended processing of the personal data, as well as information about how to contact us.
We are responsible for providing this information to our customers.
We are responsible for making sure that we comply with marketing and cookie regulations in the jurisdictions in which they operate.
We also make sure that our email marketing practices comply with applicable e-marketing or anti-spam requirements. We always ask for permission to send promotional emails to customers visiting our store. By default, our customers must positively consent to receive promotional emails, as outlined in the next section.
Personal data cannot be processed except under a recognized legal basis (unless an exemption applies). The GDPR sets out a list of possible legal bases under which personal data may be processed. These reasons include:
This agreement must be:
We, as controllers of our buyers’ personal data, are responsible for ensuring they have a proper legal basis for doing so, including keeping evidence of consent when processing is based on consent.
As its merchants’ processor, Shopify is not responsible for the merchants’ legal bases but only processes buyers’ personal data on behalf of and on the instructions of the merchant. In certain cases, however, the law may additionally require consent for certain types of processing (for example, when placing or retrieving cookies on a device). In such cases, the merchant is also responsible for obtaining appropriate consent.
Upon request, the ecommerce platform, (in this case, Shopify) will provide merchants with any reasonable information they require to obtain consent (for example, information about the categories of cookies placed when a buyer visits a storefront).
Personal data of residents of the EEA can only be transferred to recipients outside the EEA if the recipient has adequate protections in place. These protections may include:
Shopify has protections for personal data in every step of this data flow.
Shopify will never independently sell personal data for commercial purposes. However, Shopify does disclose personal data to third parties or allow third parties to access personal data to help provide services—for example, to store platform data
Additionally, Shopify may provide personal data, where permitted, to prevent, investigate, or respond to:
Shopify also provides information to third parties when legally required to do so. Where Shopify believes it is legally required to provide information, and not legally prohibited from disclosing the existence of the legal order, it will notify the data subject and give the data subject a chance to seek a protective order.
The GDPR provides data subjects (in this case, buyers) with certain rights over their personal data. Generally, data subject requests must be addressed within one month, unless they are exceptionally complex or numerous. The following rights are granted to data subjects:
Data subjects have the right to request that their personal data be erased in certain circumstances.
If a merchant receives a request from a buyer to delete their personal data, before forwarding the request to Shopify, the merchant should:
After a request is received, Shopify will ensure that the relevant personal data is erased. If erasing it is impossible, Shopify will let the merchant know to what degree it is impossible, and why.
In addition to contacting Shopify, the merchant should also work with any relevant third parties to make sure that they delete or anonymise the personal data.
When processing a request for erasure, Shopify will anonymise the personal data of the buyer, but keep non-personal data such as revenue information and order details. Order details that are retained include the gateway used to process payment, time of sale, amount paid, currency, subtotal, shipping cost, taxes added, shipping method, item quantity, item name, SKU, and payment method.
If no data erasure requests are received, Shopify will keep data for the lifetime of a store, and purge personal data within 90 days after a store is closed.
Controllers must, upon request, explain to data subjects how their personal data is processed and provide access to this personal data. If merchants cannot export data sufficient to fulfill the request from their admin, they can forward the request to Shopify. Similar to a request for erasure, if a buyer requests access to their personal data, the merchant should first validate the identity of the requester.
The merchant can then reach out to Shopify, either through Shopify's support system, or by emailing email@example.com.
When Shopify receives the request, it will:
Data subjects have the right to correct incomplete or inaccurate personal data held or processed by a controller. Shopify’s platform allows a merchant to change customer records directly.
Under the GDPR, controllers and processors are required to implement appropriate technical and organisational measures.
Shopify has implemented many of the controls and processes identified in the GDPR, including:
Shopify has a data protection program that is integrated with its information security program and includes several teams across the organisation. In particular, the data protection program includes a designated Data Protection Officer, who reports to senior management, as well as individuals from:
Shopify maintains system and application logs relating to events and access to certain systems used for the processing of personal data. These logs are stored on log servers for approximately a month, and then moved to offsite backup locations, where they remain available for at least 12 months.
Shopify encrypts data sent to and from merchants and buyers using the HTTPS protocol.
Shopify also encrypts any sensitive stored information, and salts and hashes merchant and buyer passwords using bcrypt.
Shopify and all online stores powered by Shopify are Level 1 PCI-DSS compliant.
Shopify uses third-party data centers with industry-standard certifications. Examples include:
SOC reports for all facilities, which include physical protections, can be provided to merchants on request under an appropriate NDA.