Customer consent
Under the GDPR, you might need to obtain consent to process the personal data of your customers, or change how you currently obtain that consent.
For example, you might need to obtain consent from your customers if you send them marketing messages, or if you use online advertising or retargeting apps.
Where you need to obtain consent, the GDPR says that it must be:
Freely given: it must be entirely voluntary, and must not be bundled with other goods or services.
Specific: it must be tied to clearly explained use cases.
Informed: it can only be given if the data subject is provided enough information about the personal data that will be collected and used.
Unambiguous: it must be demonstrated by an affirmative act by the customer (that is, not simply by continuing to use the services).
This means that the customer needs to be given detailed information about the particular use case, and needs to take some affirmative action to show consent.
Finally, if you offer your customers the opportunity to provide consent, the GDPR also requires that your customers have a way to withdraw consent. This can often be accomplished through an unsubscribe function. If you have questions about when and how you should obtain consent for the collection of personal data, or about the extent to which your customers should be allowed to withdraw their consent, then speak with a lawyer familiar with data protection law.
However, consent is only one of several legal bases in the GDPR that can justify processing of personal data. You might also process personal data to fulfill contractual requirements, or because you are required by law to process it.
Some European regulators have suggested that if you first ask for consent and your customer declines, or agrees but later withdraws consent, then you may no longer be able to rely on another legal basis to process that personal data. As a result, rely on consent only where you do not intend to (or need to) rely on another legal basis to process personal data.
Note: You can read more about the different legal bases that support data processing on the UK Information Commissioner's website.
Think about the following questions:
For each different way that you use or process your customers' data, what is the legal basis for doing so? Are you processing based on their consent? Are you processing to fulfill a contractual obligation to the customer? Are you processing to further your legitimate business interests? Record the legal basis as part of your map of your data practices, described in Collecting personal data.
Where you rely on consent, is the consent you obtain bundled with the goods or services you offer? For example, statements like
"by purchasing these goods, you agree to our use of your personal information"
may no longer be allowed under the GDPR. Are you providing enough detail about how you will use the personal data at issue to ensure that the customer's consent is informed?
Is the customer's consent recorded and stored somewhere?
Do you require consent to send marketing communications to your customers? Even if you do not need consent under the GDPR, local laws may still require you to obtain consent before sending marketing communications. Speak with a lawyer about the specific requirements that might apply to your store.
If you believe you require consent to send marketing communications, is the marketing consent checkbox for your store unchecked by default? Consider setting up your storefront so that the marketing consent checkbox presented to customers is not pre-checked, so that customers have to act affirmatively to provide consent.
Parental consent
The GDPR includes specific parental-consent requirements for processing the personal data of users under the age of 16 (although this age can be lower in certain countries).
Think about the following question:
Do you need to change how you process customer data, either to stop processing the data of users under the age of 16 or to obtain parental consent? You might do this by using an age-gating app from the Shopify App Store to prevent users under 16 from accessing your site, or by asking visitors to confirm that they are over the age of majority.
Automated decision-making
The GDPR requires you to notify customers if you use their personal information for any automated decision-making.
Automated decision-making means using algorithms to decide whether an individual is eligible for certain services or offers, should be charged a particular price, or is likely to be interested in certain types of goods or services.
If you use any process that involves fully automated decision-making (that is, without any human intervention) that will have a significant legal effect on the customer, then you need the customer's consent.
| Process | Requirement |
|---|---|
| Automated decision-making | Notification |
| Fully automated decision-making with significant legal effect | Consent |
In general, Shopify does not engage in fully automated decision-making with your customers' personal data.
The one exception is Shopify's risk and fraud screening, where Shopify might automatically block a payment card number or IP address after a certain number of unsuccessful payment attempts. Shopify does not consider this to have a significant legal effect on customers, because the automated block lasts only for a short period of time.
Think about the following questions:
Have you stated in your privacy policy that Shopify's risk and fraud screening might use customers' personal information for automated decision-making? You can read more about Shopify's automated decision-making practices in Section 13 of the Privacy Policy. You should also confirm with a lawyer, based on your particular circumstances, that this service does not have a significant legal effect on your customers.
Are you using any third-party apps that might engage in automated decision-making? Pay particular attention to reviewing any third-party risk or fraud services you use in connection with your storefront, and any marketing or advertising apps that might build profiles of, or target segments of, your customers.
If you use third-party apps engaged in automated decision-making, do you need to notify your customers or obtain their consent to use these apps?
Source: Shopify merchant official website (Shopify Help Center).