Data breach notification

If the GDPR applies to you and you experience a data breach, you may need to notify affected users or specific regulatory bodies.

In particular, the GDPR requires notice when a data breach occurs that is likely to adversely affect individuals' rights and freedoms.

This may be required if the breached information:

  • Includes payment details.

  • Could be used to reveal embarrassing or personal information.

  • Could be used to access an individual's accounts or services.

Where applicable, you need to provide notice as soon as possible, and within 72 hours of becoming aware of the breach.

Consider the following questions:

  • Have you consulted a lawyer to determine which of the information you collect and process would require you to provide notice in the event of a data breach?

  • Do you have a data breach response plan for your business so that you are prepared for such an incident?

The GDPR imposes requirements on all companies that use third-party vendors and service providers to process their users' personal data.

Shopify uses a number of subprocessors to process your customers' data. For more information about Shopify's subprocessors, see Shopify's subprocessors.

Consider the following question:

  • Have you reviewed the privacy practices of the vendors and service providers you use (including Shopify) to make sure you are comfortable with how they protect your customers' personal data?

Third-party apps

The GDPR requires you to take a number of affirmative steps relating to the collection and use of personal data by you and your third-party service providers. This includes Shopify, as well as any third-party apps you may use with your Shopify store.

Shopify has taken steps to make it easier for you to understand which personal data the apps you install can access.

Steps:

  1. From your Shopify admin, click Apps.

  2. Click View details on the app whose permissions you want to review.

You can also review app permissions on the install screen in the app store before installing an app.

In addition, for each app, the app store has a section linking to a privacy policy that explains in more detail what data the app developer is collecting and how they will use it.

Shopify wants to make it as easy as possible for you to assess the data practices of the apps you choose to install, but you need to make sure you are using third-party apps that comply with the GDPR.

Consider the following question:

  • Based on your location, your customers' locations, your app developers' locations, and how each app is implemented, are you using third-party apps that comply with the GDPR? If you are unsure whether a particular app's data practices involve additional considerations, or whether they allow you to comply with the GDPR, consult a lawyer.

International data transfers

The GDPR prohibits exporting the personal data of Europeans outside Europe unless that personal data is adequately protected.

Shopify protects personal data as required by the GDPR while it is transferred to and processed in the United States and Canada.

Shopify has set up its own data flows to meet these requirements for merchants. As described in Shopify's Privacy Policy, all European personal data is initially received from merchants and processed in Ireland by Shopify's Irish subsidiary, Shopify International Ltd. Shopify then transfers that data onward in accordance with the GDPR.

For details on how Shopify receives and processes personal data from the European Economic Area (EEA) and the United Kingdom in accordance with GDPR standards and information security best practices, see Shopify's GDPR whitepaper (in English).

Consider the following question:

  • Have you ensured that the other parties to whom you transfer data will transfer that data across international borders in compliance with the GDPR? To do this, you can review the privacy policies of your third-party apps, channels, payment gateways, or other vendors to see whether they explain how they will protect EU data.

Download Shopify's GDPR whitepaper

For details on how Shopify complies with the GDPR and ensures that you can comply with the GDPR when using Shopify, download Shopify's GDPR whitepaper document (in English).

Original text from the Shopify merchant help site:

Data breach notification

If the GDPR applies to you and you experience a data breach, then you might be required to notify affected users or specific regulatory bodies.

In particular, the GDPR requires notice where a data breach is likely to cause a high risk of adversely affecting individuals’ rights and freedoms.

This is likely to be the case if the breached information:

  • Includes payment details.

  • Could be used to reveal embarrassing or personal information.

  • Could be used to access an individual’s accounts or services.

Where applicable, you're required to provide notice as quickly as 72 hours after you become aware of the breach.

Think about the following questions:

  • Have you spoken with a lawyer to determine what information you collect and process might require you to provide notice if you experience a data breach?

  • Do you have a data breach response plan for your business so you are prepared for such an incident?

The GDPR imposes requirements on any company that uses third-party vendors and service providers to process the personal data of its users.

Shopify uses a number of subprocessors to process your customers’ data. For more information about Shopify's subprocessors, see Shopify's subprocessors.

Think about the following question:

  • Have you reviewed the privacy practices of the vendors and service providers that you use, including Shopify, to make sure that you are comfortable with how they protect your customers’ personal data?

Third-party apps

The GDPR requires that you take a number of affirmative steps relating to your and your third-party service providers’ collection and use of personal data. This includes Shopify, but also any third-party apps that you might use in connection with your Shopify store.

Shopify has taken action to make it easier for you to understand what personal data the apps you install have access to.

Steps:

  1. From your Shopify admin, click Apps.

  2. Click View details on the app you want to review permissions for.

You can also review app permissions before you install an app on the install screen in the app store.

Additionally, there is a section of the app store for each app to link to a privacy policy that explains in more detail exactly what data app developers are collecting and how they are using it.

While Shopify wants to make it as easy as possible for you to assess the data practices of the apps you choose to install, it is up to you to ensure that you are using third-party apps in a way that complies with the GDPR.

Think about the following question:

  • Based on your location, your customers' locations, your app developers' locations, and your implementation of each app, are you using third-party apps in a way that complies with the GDPR? Consult with a lawyer if you have questions about whether a particular app’s data practices may require additional consideration or work on your part to ensure compliance with the GDPR.

International data transfers

The GDPR prohibits exporting the personal data of Europeans outside of Europe unless that information will be adequately protected.

Shopify protects personal data according to the requirements of the GDPR as it is transferred to and processed in the United States and Canada.

Shopify has set up its data flows to take care of these requirements for merchants. As described in Shopify's Privacy Policy, all European personal data is initially received from merchants and processed in Ireland by Shopify's Irish affiliate Shopify International Ltd. Shopify then transfers that data onward in compliance with the GDPR.

For more information about how personal data from the European Economic Area (EEA) and United Kingdom is received and processed by Shopify according to GDPR standards and information security best practices, see Shopify’s GDPR whitepaper (in English).

Think about the following question:

  • Have you ensured that other parties you transfer data to will transfer that data across international borders in a way that complies with the GDPR? You can do this by looking at the privacy policies of your third-party apps, channels, payment gateways, or other vendors, and seeing if they explain how they protect European data.

Download Shopify's GDPR whitepaper

For more information about how Shopify complies with the GDPR, and to make sure that you will be in a position to comply in relation to your use of Shopify, download Shopify's GDPR whitepaper document (in English).

Article source: Shopify merchant official website