Data breach notification
If the GDPR applies to you and you experience a data breach, then you might be required to notify affected users or specific regulatory bodies.
In particular, the GDPR requires notice where a data breach is likely to cause a high risk of adversely affecting individuals’ rights and freedoms.
This is likely to be the case if the breached information:
Includes payment details.
Could be used to reveal embarrassing or personal information.
Could be used to access an individual’s accounts or services.
Where applicable, you're required to provide notice within 72 hours of becoming aware of the breach.
Think about the following questions:
Have you spoken with a lawyer to determine which of the information you collect and process might require you to provide notice if you experience a data breach?
Do you have a data breach response plan for your business so you are prepared for such an incident?
The GDPR imposes requirements on any company that uses third-party vendors and service providers to process the personal data of its users.
Shopify uses a number of subprocessors to process your customers’ data. For more information about Shopify's subprocessors, see Shopify's subprocessors.
Think about the following question:
Have you reviewed the privacy practices of the vendors and service providers that you use, including Shopify, to make sure that you are comfortable with how they protect your customers’ personal data?
Third-party apps
The GDPR requires that you take a number of affirmative steps relating to your and your third-party service providers’ collection and use of personal data. This includes Shopify, but also any third-party apps that you might use in connection with your Shopify store.
Shopify has taken action to make it easier for you to understand what personal data the apps you install have access to.
Steps:
From your Shopify admin, click Apps.
Click View details on the app you want to review permissions for.
You can also review app permissions before you install an app on the install screen in the app store.
Additionally, there is a section of the app store for each app to link to a privacy policy that explains in more detail exactly what data app developers are collecting and how they are using it.
While Shopify wants to make it as easy as possible for you to assess the data practices of the apps you choose to install, it is up to you to ensure that you are using third-party apps in a way that complies with the GDPR.
Think about the following question:
Based on your location, your customers' locations, your app developers' locations, and your implementation of each app, are you using third-party apps in a way that complies with the GDPR? Consult with a lawyer if you have questions about whether a particular app’s data practices may require additional consideration or work on your part to ensure compliance with the GDPR.
International data transfers
The GDPR prohibits exporting the personal data of Europeans outside of Europe unless that information will be adequately protected.
Shopify protects personal data according to the requirements of the GDPR as it is transferred to and processed in the United States and Canada.
Shopify has set up its data flows to take care of these requirements for merchants. As described in Shopify's Privacy Policy, all European personal data is initially received from merchants and processed in Ireland by Shopify's Irish affiliate Shopify International Ltd. Shopify then transfers that data onward in compliance with the GDPR.
For more information about how personal data from the European Economic Area (EEA) and United Kingdom is received and processed by Shopify according to GDPR standards and information security best practices, see Shopify’s GDPR whitepaper (in English).
Think about the following question:
Have you ensured that other parties you transfer data to will transfer that data across international borders in a way that complies with the GDPR? You can do this by looking at the privacy policies of your third-party apps, channels, payment gateways, or other vendors, and seeing if they explain how they protect European data.
Download Shopify's GDPR whitepaper
For more information about how Shopify complies with the GDPR, and to make sure that you will be in a position to comply in relation to your use of Shopify, download Shopify's GDPR whitepaper document (in English).