GDPR Whitepaper

 

Disclaimer

Please note that this document is provided for informational purposes only. Its contents may be subject to change over time. The information in this whitepaper does not modify existing contractual arrangements and may not be construed as legal advice.

Introduction

Shopify believes strongly in protecting your and your customers’ personal data, and understands that doing so is critical to help you preserve the trust and confidence of your customers. This whitepaper presents Shopify’s approach to GDPR preparation and compliance.

Terms

BCRs: Binding Corporate Rules.
Controller: Party that determines how and for what purposes personal data is processed.

Customer: Person visiting a store hosted by Shopify.
Data subject: Person about whom personal data relates.
DPIA: Data Protection Impact Assessment.

EEA: European Economic Area. EEA and European Union countries currently include Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.

GDPR: General Data Protection Regulation.
Merchant: Party using Shopify to host their store.
NDA: Non-disclosure Agreement.
Partner: Party that creates Shopify stores on behalf of merchants.
Personal data: Any information relating to an identified or identifiable person.

PIPEDA: Personal Information Protection and Electronic Documents Act.

Processor: Party that processes personal data on behalf of the controller.

Global GDPR application

Who does the GDPR apply to?

Shopify

The GDPR applies to any company that handles the personal data of residents in the European Economic Area (EEA). Because Shopify works with merchants who serve customers in the EEA, and serves customers in the EEA directly, the GDPR applies to these elements of its business. However, because Shopify believes strongly in data protection and privacy, it gives all of its merchants and partners the ability to offer their customers the rights afforded by the GDPR to control their personal data, wherever they live. Additionally, Shopify provides tools and processes for its merchants to fulfill GDPR-related requests from their customers regardless of the customer’s location.


Merchants and partners

Separate from the way in which the GDPR applies to Shopify, the regulation also applies to Shopify’s merchants and partners who operate in the EEA or offer goods or services to residents of the EEA. Each merchant is ultimately responsible for ensuring that their business complies with the laws of the jurisdictions in which they operate or have customers. Using Shopify alone does not guarantee that a merchant or partner complies with the GDPR: merchants and customers must analyse their own business practices to ensure their compliance.

Customers

The GDPR also gives certain rights to identified or identifiable persons (referred to as data subjects), including customers visiting stores belonging to Shopify merchants. These include the right to request:
• Deletion (erasure) of their personal data
• Correction (rectification) of their data
• Access to their data
• An export of their data in a common (portable) format
This topic is discussed more fully in the Data subject rights section.
What data does the GDPR apply to?

The GDPR generally applies to the collection and processing of personal data. Under the GDPR, personal data means any information relating to a data subject. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
• Name
• Identification number
• Location data
• Online identifier (such as IP address or cookie ID)[1]
Controller vs. processor status

The GDPR separates data protection responsibilities into two categories: controllers and processors.

Controller: The party that determines for what purposes and how personal data is processed.[2]
Processor: The party that processes personal data on behalf of the controller.[3]

Under the GDPR, in most cases the merchant collects information from their customers as a controller. Generally, Shopify acts as a processor for the merchant with respect to such customer personal data (or, if the merchant acts as a processor, Shopify acts as a subprocessor).

The one exception is for customers with whom Shopify has a direct existing relationship. For example, customers who use Shopify’s Shop Pay service, which allows the customer to store their payment information with Shopify for use across different Shopify stores, track packages, and find new Shopify stores near them. Although in such cases the merchant may also separately be a controller of the customer’s personal data, Shopify processes the personal data of these customers as a controller, as indicated in the following diagram (diagram not reproduced in this text).

[1] General Data Protection Regulation, Article 4(1).
[2] General Data Protection Regulation, Article 4(7).
[3] General Data Protection Regulation, Article 4(8).
Processor obligations

To comply with the GDPR, generally the processor may only process personal data when authorised to do so by the controller.

Where Shopify is a processor for a merchant, it processes personal data on documented instructions from merchants.[4] For example, when a merchant clicks Fulfill items, they give Shopify the instruction to process the data necessary to perform that action. Similarly, when a merchant selects a particular payment processor, or installs an application through the Shopify App Store, they give Shopify the instruction to transmit data to the relevant party. The GDPR also places several other responsibilities on the processor, discussed below:

Subprocessing

Processors must notify and obtain consent from their controller when transmitting personal data to a subprocessor. Shopify uses a number of subprocessors to provide the service, including to:
• Store platform data
• Operate the forums and other portions of Shopify’s website
• Respond to and manage support inquiries
When a merchant signs up for the Shopify service, they consent to allow Shopify to use subprocessors. A list of subprocessors is published in Shopify’s Help Center.[5]

Data protection impact assessments

Shopify is formalising the process for conducting data protection impact assessments (DPIAs) any time a change in processing procedure occurs that is likely to result in a high risk to individuals’ privacy rights. Shopify will help answer reasonable questions a merchant has about Shopify’s processing activities.

Personal data breach reporting

Processors must notify the controller after becoming aware of a personal data breach resulting from a breach of the processor’s security.

Shopify is committed to ensuring that its incident response program meets the requirements of the GDPR. The specifics of breach notification are handled through a merchant’s contract with Shopify.

Appointment of a Data Protection Officer

Processors must appoint a Data Protection Officer if they conduct certain types of personal data processing.[6]

Shopify’s Data Protection Officer can be reached at privacy@shopify.com. Merchants should consider whether they also need to appoint a Data Protection Officer.

[4] See section 2.2.1 of Shopify’s Data Processing Addendum: https://www.shopify.com/legal/dpa.
[5] See: https://help.shopify.com/manual/your-account/GDPR/subprocessors
[6] General Data Protection Regulation, Article 37.
Controller obligations

Under the GDPR, the controller has the following responsibilities:

Facilitating requests

Controllers are obligated to help data subjects exercise their rights.[7] Shopify’s merchants can do this easily from their admin as detailed in the Data subject rights section of this document.

Posting a privacy notice

When personal data is collected from a data subject, controllers must provide certain minimum information about the intended processing of the personal data, as well as information about how to contact and identify the controller.[8] Merchants are responsible for providing this information to their customers. Shopify provides this information in the Shopify Privacy Policy where it is a controller, and encourages merchants to provide this information in their own privacy policies.[9]

Customers

Shopify collects the following elements of personal data from customers on behalf of merchants:
• Name
• Shipping and billing addresses
• IP address
• Customer email or phone number (if required by merchant)
• Company name (if required by merchant)
• Information from cookies, stored temporarily as per Shopify’s Cookie Policy (for example, which landing page the customer arrived from, how many times the customer has visited the site, device and browser used, and products stored in the cart)[10]
• Information about the orders customers initiate so that Shopify may fulfill those orders.
If a customer contacts Shopify for customer support, Shopify also collects the following information:

Telephone support

Shopify collects:
• Phone number
• Call audio
• Other personal information provided during the call
In accordance with Shopify’s Terms of Service, Shopify may request additional documentation during the call to verify identity.[11]

Chat support

Shopify collects:
• Name
• Email address
• Information about the device and browser used
• Network connection
• IP address
• Chat transcript
• Other personal information provided during the chat
In accordance with our Terms of Service, Shopify may request additional documentation during the chat to verify identity.[12]

Forums

Shopify collects:
• Name
• Email address
• Website URL
• Other personal information the user may post

Complying with marketing and cookie regulations

Controllers are responsible for making sure that they comply with marketing and cookie regulations in the jurisdictions in which they operate. Merchants with EU customers should make sure that they obtain appropriate consent for the use of cookies: the ePrivacy Directive generally requires some form of consent in order to use tracking technologies.[13] Information on how Shopify handles cookies can be found in our Cookie Policy.

All merchants should similarly make sure that their email marketing practices comply with applicable e-marketing or anti-spam requirements.[14]

Obtaining consent to process children’s data

When offering goods or services online directly to children under 16 years of age, the controller is responsible for obtaining verifiable consent from the child’s parents for processing their data.[15] Merchants are responsible for assessing whether they need to obtain a higher level of consent for certain customers.

[7] General Data Protection Regulation, Article 12(2).
[8] General Data Protection Regulation, Article 13.
[9] See: https://www.shopify.com/legal/privacy.
[10] See: https://www.shopify.ca/legal/cookies.
[11] See: https://www.shopify.com/legal/terms.
[12] See: https://www.shopify.com/legal/terms.
[13] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Will be replaced by the ePrivacy Regulation.
[14] See: https://www.shopify.ca/legal/cookies.
[15] General Data Protection Regulation, Article 8. Individual member states may lower the age of consent.
Legal basis for processing

Personal data cannot be processed except under a recognized legal basis (unless an exemption applies). The GDPR sets out a list of possible legal bases under which personal data may be processed. These reasons include:
• Consent
• Contractual obligations
• Legal obligations
• The public’s interests
• Legitimate interests of the controller or third party, balanced against the rights of the data subject[16]

Consent of the data subject means the data subject has agreed to the processing of their personal data with a clear affirmative action.[17] This agreement must be:
• Freely given
• Specific
• Informed
• Unambiguous

Merchants, as controllers of their customers’ personal data, are responsible for ensuring they have a proper legal basis for doing so, including keeping evidence of consent when processing is based on consent.[18] As its merchants’ processor, Shopify is not responsible for the merchants’ legal bases but only processes customers’ personal data on behalf of and on the instructions of the merchant. In certain cases, however, the law may additionally require consent for certain types of processing (for example, when placing or retrieving cookies on a device). In such cases, the merchant is also responsible for obtaining appropriate consent. Upon request, Shopify will provide merchants with any reasonable information they require to obtain consent. Information on the cookies that Shopify places can be found in our Cookie Policy.[19]

[16] General Data Protection Regulation, Article 6.
[17] General Data Protection Regulation, Article 4(11).
[18] General Data Protection Regulation, Article 7(1).
[19] See: https://www.shopify.ca/legal/cookies.

Data transfers

Personal data of residents of the EEA can only be transferred to recipients outside the EEA if the recipient has adequate protections in place. These protections may include:
• Adherence to domestic laws that have been deemed adequate by the European Commission
• Negotiated agreements (such as the EU-U.S. Privacy Shield)
• Contractual protections
• Approved sets of internal policies (Binding Corporate Rules)
• Approved codes of conduct or certifications

Shopify has protections for personal data in every step of its data flow, as described below. The following diagram illustrates Shopify’s data transfer structure (diagram not reproduced in this text).

Within EEA

EEA personal data is received and initially processed by Shopify’s Irish entity, Shopify International Ltd.

EEA to Canada

Data is exported from the EEA to Shopify’s Canadian parent entity, Shopify Inc. This export takes place within Shopify’s corporate structure. Data within Shopify Inc. is protected under PIPEDA, Canada’s private sector privacy legislation, which is considered adequate under the GDPR.[20]

United States

Shopify Inc. uses a combination of data centers and cloud service providers to store this personal data in the United States and Canada. When personal data is transferred to the United States, it is done through contractual data protection addenda (DPAs) with third-party service providers. Additionally, Shopify is in the process of applying for approval of Binding Corporate Rules (BCRs) by the Irish Data Protection Commissioner. After they are approved, Shopify will rely on these BCRs to protect the personal data that is transferred between Shopify’s corporate entities worldwide.

[20] Pursuant to the European Commission’s adequacy decision 2002/2/EC. Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539), online at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002D0002&qid=1415699250815.
Disclosures to third parties

Shopify will never independently sell personal data for commercial purposes. However, Shopify does disclose personal data to third parties or allow third parties to access personal data to help provide services—for example, to:
• Store platform data
• Operate the forums and other portions of Shopify’s website
• Respond to and manage support inquiries
Additionally, Shopify may provide personal data, where permitted, to prevent, investigate, or respond to:
• Potential fraud
• Illegal conduct
• Physical threats
• Violations of any agreements with Shopify
Shopify also provides information to third parties when legally required to do so. Where Shopify believes it is legally required to provide information, and not legally prohibited from disclosing the existence of the legal order, it will notify the data subject and give the data subject a chance to seek a protective order. More information on when Shopify discloses personal data will soon be provided on Shopify’s website under the heading Guidelines for Legal Requests for Merchant or Customer Data.

Shopify ecosystem

If a merchant agrees to use a third-party service provider such as a payment processor, a sales channel, or an app that is not controlled by Shopify, the respective service provider’s use of personal data is controlled by the merchant’s agreement with the provider. Shopify is not responsible for the data practices of these third-party service providers, and merchants should carefully evaluate these service providers as they would any third party. Shopify recognises that it might be difficult for some merchants to obtain enough information from these service providers to conduct a careful evaluation. Shopify is working with these providers to make sure that they make information available to merchants about their data practices.
App Store disclosures
Similarly, Shopify is requiring all apps on the Shopify App Store to post disclosures about how the app handles personal data, but Shopify is not responsible for any app’s data collection or use, or for how the merchant uses the app. The merchant is responsible for reviewing these disclosures and for ensuring that their use of the app complies with the laws of the jurisdictions in which the merchant operates or where it has customers.
Data subject rights

The GDPR provides data subjects (in this case, customers) with certain rights over their personal data. Generally, data subject requests must be addressed within one month, unless they are exceptionally complex or numerous.[21] The following rights are granted to data subjects.

Erasure

Data subjects have the right to request that their personal data be erased in certain circumstances. If a merchant receives a request from a customer to erase their personal data the merchant should:
• Verify that the requester is the same as the data subject (that is, the requester is not asking to erase someone else’s personal data)
• Confirm there is no legal reason to preserve this data
If both conditions are satisfied, the merchant should navigate to the customer’s page in their admin, and click “Remove Personal Data”. This button is available to the Account Owner only. After a request is received, Shopify will ensure that the relevant personal data is erased. Shopify will also send requests to the apps and channels that the merchant has installed to similarly redact that customer’s data. If erasing it is impossible, Shopify will let the merchant know to what degree it is impossible, and why. In addition to contacting Shopify, the merchant should also work with any relevant third parties to make sure that they delete or anonymise the personal data. Shopify will email the merchant once the redaction is complete. The merchant can then notify the customer.

Timing

Once an erasure request is submitted, the merchant has a ten day grace period in which to cancel the request. To cancel the request, the merchant can email privacy@shopify.com and specify which customer’s redaction request should be cancelled. Personal data will not be erased from Shopify if the customer has made an order within the last 180 days (the usual window in which a customer can make a chargeback). However, Shopify will log the erasure request, and automatically erase the data once this time has passed. If a merchant wishes to override this 180 day hold, they may email privacy@shopify.com to waive the waiting period. If the customer makes another purchase after their information has been redacted, a new customer account will be created.

[21] General Data Protection Regulation, Article 12(3).
Scope
When processing a request for erasure, Shopify will anonymise the personal data of the customer, but keep non-personal data such as revenue information and order details. Order details that are retained include the gateway used to process payment, time of sale, amount paid, currency, subtotal, shipping cost, taxes added, shipping method, item quantity, item name, SKU, and payment method. Shopify will also not redact any text that has been entered manually by the merchant into free-form text boxes, such as comments on a customer’s timeline or notes on orders. Merchants may edit or delete this text themselves at any time.
If no data erasure requests are received, Shopify will keep data for the lifetime of a store, and purge personal data within 90 days after a store is closed.
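The erasure workflow set out in the Erasure, Timing and Scope sections above (a ten-day cancellation window, a 180-day hold while a recent order could still be charged back, and anonymisation that keeps non-personal order details and merchant-typed notes), modelled as an added example. This is not Shopify’s code: the record layout, the field names such as merchant_note and timeline_note, and the sample customer and order are constructed assumptions.

```python
"""Model of the erasure workflow this whitepaper describes: a 10-day grace
period in which the merchant may cancel, a 180-day hold while a recent order
could still be charged back, and anonymisation that keeps non-personal order
details and merchant free-form notes. Added example, not Shopify's code; the
field names, record layout and sample data are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

GRACE_PERIOD = timedelta(days=10)      # merchant may cancel within this window
CHARGEBACK_HOLD = timedelta(days=180)  # no erasure while an order is this recent

# Order details the whitepaper lists as retained after erasure (non-personal).
RETAINED_ORDER_FIELDS = {
    "gateway", "time_of_sale", "amount_paid", "currency", "subtotal",
    "shipping_cost", "taxes", "shipping_method", "item_quantity",
    "item_name", "sku", "payment_method",
    # Assumed extra non-personal fields: an order id, and merchant-typed notes,
    # which the whitepaper says are not redacted.
    "order_id", "merchant_note",
}
# Fields on the customer record treated as personal data (assumed layout).
CUSTOMER_PII_FIELDS = {"name", "email", "phone", "shipping_address",
                       "billing_address", "ip_address"}
REDACTED = "[redacted]"


@dataclass
class ErasureRequest:
    customer_id: str
    requested_on: date
    cancelled: bool = False
    waived_hold: bool = False  # merchant asked to waive the 180-day hold


def cancel_request(req: ErasureRequest, today: date) -> bool:
    """Cancel the request; only allowed inside the 10-day grace period."""
    if today - req.requested_on > GRACE_PERIOD:
        return False
    req.cancelled = True
    return True


def erasure_status(req: ErasureRequest, orders: list, today: date) -> str:
    """Return 'cancelled', 'grace_period', 'held' or 'ready'."""
    if req.cancelled:
        return "cancelled"
    if today - req.requested_on <= GRACE_PERIOD:
        return "grace_period"
    if not req.waived_hold:
        last_sale = max((o["time_of_sale"] for o in orders), default=None)
        # The request stays logged and is re-evaluated; it becomes 'ready' on
        # its own once the most recent order is older than the chargeback window.
        if last_sale is not None and today - last_sale < CHARGEBACK_HOLD:
            return "held"
    return "ready"


def anonymise(customer: dict, orders: list) -> tuple:
    """Redact personal fields on the customer; keep only non-personal order data."""
    redacted_customer = {k: (REDACTED if k in CUSTOMER_PII_FIELDS else v)
                         for k, v in customer.items()}
    kept_orders = [{k: v for k, v in o.items() if k in RETAINED_ORDER_FIELDS}
                   for o in orders]
    return redacted_customer, kept_orders


def run_erasure(req: ErasureRequest, customer: dict, orders: list, today: date) -> tuple:
    """Apply the workflow; records are only changed when the request is ready."""
    status = erasure_status(req, orders, today)
    if status != "ready":
        return status, customer, orders
    redacted_customer, kept_orders = anonymise(customer, orders)
    return status, redacted_customer, kept_orders


# Constructed sample data (not real customer or order records).
SAMPLE_CUSTOMER = {
    "id": "c-1", "name": "Alice Example", "email": "alice@example.com",
    "ip_address": "203.0.113.7", "timeline_note": "Prefers courier delivery",
}
SAMPLE_ORDERS = [{
    "order_id": "1001", "time_of_sale": date(2018, 5, 1),
    "gateway": "shopify_payments", "amount_paid": 49.99, "currency": "EUR",
    "subtotal": 44.99, "shipping_cost": 5.00, "taxes": 0.00,
    "shipping_method": "standard", "item_quantity": 1, "item_name": "Notebook",
    "sku": "NB-01", "payment_method": "visa",
    "shipping_address": "1 Rue Example, Paris", "customer_email": "alice@example.com",
    "merchant_note": "Gift wrap requested",
}]

if __name__ == "__main__":
    req = ErasureRequest("c-1", requested_on=date(2018, 5, 20))
    for day in (date(2018, 5, 25), date(2018, 6, 15), date(2018, 11, 15)):
        print(day, erasure_status(req, SAMPLE_ORDERS, day))
    print(run_erasure(req, SAMPLE_CUSTOMER, SAMPLE_ORDERS, date(2018, 11, 15)))
```

Run as a script it walks one request through the three states: five days after the request it is still in the grace period, 26 days after it is held because the sample order is 45 days old, and by mid-November (198 days after the sale) it is ready and the customer record is redacted while the order keeps its revenue fields and the merchant’s note.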
Access

Controllers must, upon request, explain to data subjects how their personal data is processed and provide access to this personal data. If merchants cannot export data sufficient to fulfill the request from their admin, they can request the information from Shopify. Similar to a request for erasure, if a customer requests access to their personal data, the merchant should first validate the identity of the requester. To submit a request, the merchant can navigate to the customer’s page in their admin, and click “Send Customer Data”.
When Shopify receives the request, it will:
• Confirm whether personal data about a customer is being processed by Shopify
• Confirm what categories of data are being processed by Shopify
• Provide the customer or merchant with the relevant information from Shopify systems
Data portability
Controllers who process data using automation must, in limited circumstances, provide data subjects with their personal data upon request. This data must be provided in a commonly used and machine-readable format. Merchants may export some data directly from their store’s admin page. Many data types can be exported to common formats such as Excel or CSV with one click:
• Transaction histories
• Payouts
• Product lists
• Customer lists
In addition, if a merchant contacts Shopify to request copies of processed data, Shopify will make the data available in a common format.
Rectification

Data subjects have the right to correct incomplete or inaccurate personal data held or processed.[22]
Shopify’s platform allows a merchant to change customer records directly from their store admin.[23]

Automated decision-making

Data subjects have the right to object to processing based solely on automated decision-making (which includes profiling), when that decision-making has a legal or otherwise significant effect on the data subject.[24] Shopify does not currently engage in fully automated decision-making that has a legal or otherwise significant effect using customer data. Services that include elements of automated decision-making are highlighted in the table below (table not reproduced in this text).

Data protection and security

Under the GDPR, controllers and processors are required to implement appropriate technical and organisational measures.[25] Shopify has implemented many of the controls and processes identified in the GDPR, including:
• Anonymising and encrypting personal data
• Ensuring confidentiality, integrity, availability, and resilience of processing systems
• Restricting who may access personal data
• Ensuring availability and access to personal data in the event of a physical or technical incident
• Performing regular testing, assessments, and evaluation of technical and organisational security measures

[22] General Data Protection Regulation, Article 16.
[23] However, current orders cannot be modified.
[24] General Data Protection Regulation, Article 21.
[25] General Data Protection Regulation, Articles 25 and 32.
Organisational measures
Shopify has a robust, cross-functional data protection program that is integrated with its information security program and includes several teams across the organisation. In particular, the data protection program includes a designated Data Protection Officer, who reports to senior management, as well as individuals from:
• Internal Security
• Legal
• Legal Operations
• Production Security
• Processing Integrity
Technological measures
Monitoring and logging
Controllers—and where applicable, their representative—must maintain records of the personal data processing activities for which they are responsible. Shopify maintains system and application logs relating to events and access to certain systems used for the processing of personal data. These logs are stored on log servers for approximately a month, and then moved to offsite backup locations, where they remain available for at least 12 months.
Security controls

Shopify encrypts data sent to and from merchants and customers using the HTTPS protocol. Shopify also encrypts any sensitive stored information, and salts and hashes merchant and customer passwords using bcrypt. Merchants can also set up additional security features. An account holder can take the following actions from their Shopify admin:
• Enable multi-factor authentication for staff
• Define, to a certain extent, what personal data is collected from customers
• View certain activity logs, including recent login activity by staff
• Set role-based permissions for staff accounts
Security standards and certifications
Shopify and all online stores powered by Shopify are Level 1 PCI-DSS compliant.[26]
Shopify uses third-party data centers with industry-standard certifications. Examples include:
• Tier III
• ISO 27001
• PCI-DSS

[26] See: https://www.shopify.ca/pci-compliant.

Contractual agreements and data processing addenda

Shopify’s Terms of Service, Data Processing Addendum, Privacy Policy, and Acceptable Use Policy can be found online at https://www.shopify.com/legal.

Shopify plans

For merchants whose relationship with Shopify is governed by Shopify’s online Terms of Service, Shopify has automatically incorporated a Data Processing Addendum, which will apply to its processing of personal data. Just as Shopify is not able to negotiate its Terms of Service, it is not able to negotiate this Data Processing Addendum.

Shopify Plus plans

For Shopify Plus merchants, their negotiated contract will govern their relationship with Shopify. Merchants can sign a Data Processing Addendum to address their needs. Shopify Plus merchants that have not already signed a Data Processing Addendum with Shopify and would like to do so should reach out to their Merchant Success Managers. Shopify Plus merchants that do not sign a Data Processing Addendum will be governed by Shopify’s online Data Processing Addendum (which is incorporated by reference into our online Terms of Service).

Accountability and transparency

Shopify’s annual Transparency Report can be found at the following link: https://www.shopify.com/security/transparency-report.