How Do I comply with the EU General Data Protection Regulation (GDPR)?
As a Shift4Shop merchant, you will need to make sure your store is compliant with the European Union's General Data Protection Regulation, which has been in force and enforceable as of May 25th, 2018.
This regulation grants individuals in the EU (data subjects) specific rights over how their personal data is collected, stored, and processed.
Expansion of Individual Rights:
Shift4Shop can help you promptly respond to requests from your EU based customers or contacts pursuant to their expanded individual rights under the GDPR.
- Right to be forgotten:
You may delete individual subscribers upon their request at any time. More about deleting lists can be found here. It is important to remember that Shift4Shop customer accounts work independently across online stores: deleting a customer from one online store does not delete that customer's account from any other online store where it may be present, so each store must process the request separately.
- Right to object:
You may exclude specific contacts from your website's emails and mailing list upon their request. This process is explained here, under the "Delete Newsletter Subscriptions" sub-heading.
- Right to rectification:
You may access and update your subscriber/contact lists within your Shift4Shop account to correct or complete subscriber/customer information upon their request at any time. More about updating customer records can be found here.
- Right of access:
- Right of portability:
You may export any of your customers, or selected information within your store, at any time by accessing your Shift4Shop account. Note that an export must be run before a customer record is deleted, since deleted records cannot be exported afterwards.
Stricter Consent and Processing Requirements:
You must lawfully obtain and process email addresses and other personal data from your subscribers and contacts.
- The personal data of your customers and contacts may be collected and transferred to Shift4Shop via the checkout form and other forms made available in our application. These forms must meet GDPR requirements. You can customize the checkout form with checkout questions to have customers acknowledge your privacy policy and give the consent required for GDPR compliance.
- You should carefully adjust each of these forms to make sure that the language in the body and/or footer is clear, specific, and covers every purpose for which the solicited information will be used. Be very specific about the intended use of the information you are collecting.
- The information you collect via these forms is transferred to your online store hosted with Shift4Shop. It is your responsibility to ensure that you obtain consent from your customers and contacts to send their information to your online store for processing, so all of your forms should include language that obtains this consent.
- The ability of your customers and contacts to withdraw consent or change preferences should be easily accessible. Shift4Shop’s mailing list “unsubscribe” options can help.
- An “unsubscribe” option is automatically included in the footer of every campaign sent through your Shift4Shop online store. This allows any contacts to easily unsubscribe from your Shift4Shop subscriber list, thereby helping you comply with your GDPR obligations when a subscriber withdraws his or her consent to receive marketing emails.
- Make sure that you are frequently updating any information stored within your Shift4Shop online store that relates to your subscribers or contacts, such as name and contact information, when requested to do so by a subscriber or contact.
- You should also ensure that you are keeping accurate records, especially of your customers' and contacts' consent permitting you to send them marketing emails, store and use their personal data, and any other processing activities which you are undertaking. Shift4Shop tools can help you obtain proof of consent and will store a record of your customers' consent in your Shift4Shop online store. In your online store's checkout, Shift4Shop records the email address, IP address, and timestamp associated with every contact who completes and submits an order, providing you with easy-to-access proof of consent. Keep in mind that this record shows when and from where the form was submitted; for it to serve as evidence of valid consent, the checkout itself must present a clear, specific consent request that the customer affirmatively accepts (for example, an unticked checkbox the customer must tick), and you should retain the wording of that request alongside the record.
- Keep in mind that any consent you obtain from your customers and contacts must comply with the GDPR requirements, irrespective of when that consent was obtained. However, Recital 171 of the GDPR indicates that you may continue to rely on any existing consent which meets the GDPR standards for consent. This means that it was not necessary to re-request consent from your customers or contacts when the GDPR took effect, so long as you met all of the GDPR's requirements when you initially obtained consent. We recommend consulting with local counsel to determine whether consents obtained prior to the GDPR comply with its requirements, whether you should instead contact your customers and contacts to re-request consent in accordance with the GDPR, or whether you should rely on a different lawful basis for your processing under the GDPR.
- You should review any integrations or add-ons that you are using (or plan to use) in your online store, and any terms associated with those, to ensure that you have adequately disclosed potential data processing activities associated with your use of those services to your subscribers and contacts.
- You should review the privacy statement and practices applicable to your organization and ensure that they provide proper notice that the personal data of your customers or contacts will be transferred and processed by your online store. For example, you may want to consider updating your privacy statement to include language that specifically identifies your online store as one of your processors and delineates the applicable processing activities performed by it, such as the collection and storage of personal data (e.g., within your Shift4Shop account in order to allow you to create and use distribution lists, send marketing email campaigns, and place online advertisements), and the transfer of personal data to certain third-party apps.
These actions will help you meet your GDPR obligations toward your customers in the EU.
This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we strongly recommend that you consult an attorney if you would like advice on your interpretation of this information or its accuracy. In other words, please do not rely on this article as legal advice, nor as a recommendation of any particular legal understanding.