How does the GDPR affect Shopify?
The General Data Protection Regulation (GDPR) requires Shopify to make the following changes to its platform and internal privacy program:
Reorganize the privacy team, and document and keep records of certain privacy-related decisions made by Shopify so that Shopify is accountable for its privacy practices.
Make sure that Shopify is able to honor the rights of European merchants and customers over their personal data, and that when using Shopify's services, merchants are able to do the same.
Make certain contractual commitments to merchants and get certain contractual commitments when Shopify uses a third-party subprocessor to provide services.
What has Shopify done to prepare for the GDPR?
Shopify has been preparing for the GDPR in the following ways:
Policies and documentation
Updated Shopify's privacy policy to include more information about the rights extended by the GDPR, as well as more detailed information about how Shopify processes personal data, as required by Articles 13 and 14 of the GDPR.
Added a data processing addendum to Shopify's online terms of service, as required by Article 28 of the GDPR.
Implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.
Prepared a whitepaper (in English) to help merchants and partners understand how Shopify interprets and has been approaching its obligations under the GDPR.
Product features
Updated the privacy policy generator to include some of the information merchants will need to include in their privacy policies, as required by Articles 13 and 14 of the GDPR.
Added functionality to the Shopify platform so that merchants are able to obtain independent consent for marketing purposes, and can choose whether or not to pre-check the consent checkbox depending on their requirements.
Updated abandoned cart notifications so that merchants can tie them to whether or not a customer has opted in to marketing communications.
App store
Updated Shopify App Store displays so that app developers can link to a privacy policy that explains exactly what personal data the app collects and processes.
Provided app developers with a template privacy policy to help them draft a privacy policy that will include the types of information merchants will need to be able to update their own privacy policies, as required by the GDPR.
Corporate governance
Appointed an experienced Data Protection Officer to oversee Shopify's data protection program and GDPR implementation plan.
Prepared a registry of our data processing activities, as required by Article 30 of the GDPR.
Implemented a Data Protection Impact Assessment process, as required by Articles 35 and 91 of the GDPR.
Documented the subprocessors that Shopify uses to deliver its platform and other services, and started to review the contractual arrangements with these subprocessors, to make sure that they are required to protect personal data through robust technical and organizational measures.
Began the process of applying for approval of Binding Corporate Rules to support Shopify's data processing operations.
Started to deliver GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design Shopify products and business plans with privacy in mind.
What else is Shopify doing to comply with GDPR?
In addition to the preparations listed above, Shopify is rolling out the following features:
Tool to request all of the information Shopify holds about a customer on their behalf through the Shopify admin, in case the merchant receives a subject access request under the GDPR.
Tool to request that Shopify delete all personal information associated with a particular customer through the Shopify admin, in case the merchant receives an erasure request under the GDPR. When a merchant uses this tool to request erasure, Shopify will also forward this request to apps the merchant has installed at the time of the request that were granted access to customer personal information.
More informative channel installation process that tells merchants exactly what personal data the channel will have access to after it is installed.
More robust Cookie Policy that includes specific information about the categories of cookies that Shopify places, not just on its own online properties but also through Shopify storefronts and mobile apps, to make sure that merchants have the information they need to get effective consent for Shopify to place the cookies necessary to provide service.
More transparent process through which merchants install apps so that merchants can fully understand exactly what personal data an app is requesting access to before installing the app.
More descriptive listings for already-installed apps so that merchants can check specific app data access permissions at any time.
Will Shopify enter into Data Processing Agreements with its merchants?
For merchants who use Shopify's services subject to the online terms of service, Shopify has revised its terms to incorporate a data processing addendum.
You don't have to sign this document, because it is appended to the terms of service and you agree to it by continuing to use Shopify services. This fulfills the requirement of Article 28(3) of the GDPR. Shopify is not able to sign an individual agreement with each merchant.
For Shopify Plus merchants, Shopify has a data processing agreement to cover its processing of personal data. Contact Shopify Plus Support for more details.
Download Shopify's GDPR whitepaper
For more information about how Shopify complies with the GDPR, and to make sure that you will be in a position to comply in relation to your use of Shopify, download Shopify's GDPR whitepaper document (in English).