处理 GDPR 数据请求
GDPR 扩展了个人访问和控制其个人数据的权利。本页介绍:
这些权利的细分。
如何使用 Shopify 的平台来处理针对每项权利的请求。
针对您收到的各项权利的请求,您可能需要独立于 Shopify 执行哪些操作。
本页相关主题
了解主体申请访问和便携性请求
处理主体申请访问和便携性请求
处理删除请求
了解主体申请访问和便携性请求
在某些情况下,GDPR 为个人提供请求公司当前处理的其个人数据的副本的权利。
因此,GDPR 要求您能够以下列格式向您的客户提供他们个人数据的副本:
常用
易于阅读
便携
这允许客户将他们的数据用于不同的服务提供商。Shopify 允许您直接从后台以 CSV 或 Excel 格式导出大部分数据(例如,订单、款项、产品和客户信息)。
通常,您应在 30 天内回复请求。如果请求特别难以实现,可延长回复时长。
处理主体申请访问和便携性请求
如果您收到访问或便携性请求,您首先需要验证请求者的身份(以便您不会无意中向他人提供您客户的私人信息)。
步骤:
在 Shopify 后台中,点击客户。
点击想请求其日志的客户的姓名。
点击请求客户数据。
备注:只有店主才能提交获取客户数据的请求。
客户信息将通过电子邮件发送给店主,以提供给提出请求的客户。
GDPR 第 15 条还要求您提供有关如何使用您提供的数据的其他背景信息,包括:
处理客户数据的目的。
接收此数据的第三方。
任何相关的保留期。
此信息的收集来源(如果不是直接来源于客户)。
数据是否用作任何自动决策的一部分。
此外,您还需要能够确保:
客户请求更正或擦除信息的权利。
客户反对其信息处理方式的权利。
客户向监管机构投诉的权利。
备注:有关如何响应申请访问的详细信息,您可以阅读英国信息专员办公室撰写的这篇文章。
考虑以下问题:
您是否能够应客户要求提供与其数据相关的所有必要背景信息?尝试通过维护您(或您使用的服务提供商,如 Shopify)存储的所有客户个人数据的映射,提前针对请求进行规划。
您是否考虑过使用可能有权访问客户个人数据的其他服务提供商?这些服务提供商可能包括第三方应用、渠道和支付网关。
您是否拥有您使用的且可能存储客户个人数据的所有第三方服务的联系信息?
处理删除请求
GDPR 赋予个人在某些情况下要求删除个人数据或要求公司限制处理个人数据的权利。
“个人数据”指可用于识别个人的任何数据,包括:
名称
地址
IP 地址
信用卡号。
个人数据不包括单纯的财务信息以及无法关联至个人的信息,例如:
特定产品的出售次数
您的商店收入
备注:当您收到符合 GDPR 的请求时,您无需完全透露或删除纯粹的财务信息。事实上,某些司法管辖区的法律可能不允许这样做,由于税收或其他法律原因,您可能需要维护订单记录。
如果您收到删除请求(有时称为编校或删除),应先验证客户的身份。您还应该确保没有任何理由需要保存客户的数据(例如,如果客户也是员工)。
步骤:
在 Shopify 后台中,点击客户。
点击您要为其请求删除的客户的名称。
点击删除个人数据。
备注:只有店主才能请求删除客户的数据。
您通过后台请求删除之后,Shopify 会在您发出请求的同时将删除请求提交到您已安装的所有应用,这些应用可能具有该客户数据的访问权限。
一旦您在后台中请求删除,将有 10 天的缓冲期,在此期间您可取消请求,防止您不小心提出了请求。若要取消待处理的删除请求,请联系 Shopify 支持,并提供您的商店信息和相关的客户 ID。
当您请求删除时,Shopify 将仅编辑个人信息(例如姓名和地址)。您的匿名订单信息将保持不变,以防您需要这些信息用于会计用途。删除相关的个人数据后,我们将立即向您发送一封确认电子邮件。
默认情况下,如果客户在过去的 6 个月(180 天)内下过订单,Shopify 将不会删除个人数据,以防出现退款的情况。如果您在该时间范围内提交删除请求,则请求将处于待处理状态,Shopify 会在合理的时间后对其执行操作。您不需要再次提交请求。
如果您想跳过此延迟时间(不考虑退款风险),请联系 Shopify 支持。
考虑以下问题:
您将所有客户数据都存储在自己的个人计算机上还是通过硬拷贝存储?
您是否可能需要联系第三方(例如渠道或支付网关)以请求他们删除客户个人信息?
是否有任何当地规定(如税法)可能要求即使在客户要求删除其个人信息的情况下,您仍需保留这些信息?请考虑咨询当地的数据保留要求资深律师来帮助回答这一问题。
下载 Shopify 的 GDPR 白皮书
有关 Shopify 如何遵守 GDPR 并确保您在使用 Shopify 时能够遵守 GDPR 的详细信息,请下载 Shopify 的 GDPR 白皮书文档(英文版)。
Shopify商户官网原文详情:
Processing GDPR data requests
The GDPR expands on an individual's right to access and control their personal data. This page includes:
A breakdown of those rights.
How you can use Shopify’s platform to address requests for each right.
What you may need to do independently from Shopify if you receive a request for each right.
On this page
Understand subject access and portability requests
Process subject access and portability requests
Process erasure requests
Understand subject access and portability requests
The GDPR gives individuals the right, in certain circumstances, to request a copy of their personal data being processed by a company.
The GDPR therefore requires that you be able to provide your customers with a copy of their personal data in a format that is:
Common
Easily readable
Portable
This allows customers to use their data with a different service provider. Shopify allows you to export most data in CSV or Excel formats right from your admin (for example, order, payout, products, and customer information).
Generally, you should respond to a request within 30 days. Extensions are allowed if the request is exceptionally difficult to fulfill.
Process subject access and portability requests
If you receive an access or portability request, then you will first need to verify the identity of the requester (so that you do not inadvertently provide someone else your customer’s private personal information).
Steps:
From your Shopify admin, click Customers.
Click the name of the customer you want to request a log for.
Click Request customer data.
The customer's information will be emailed to the store owner to provide to the requesting customer.
Article 15 of the GDPR will also require you to provide additional context around how you use the data you are providing, including:
The purposes for which the customer’s data was processed.
The third-parties that received this data.
Any relevant retention periods.
Where the information was collected from (if not directly from the customer).
Whether or not the data was used as part of any automated decision-making.
Additionally, you need to be able to ensure:
The customer’s right to request information be corrected or erased.
The customer’s right to object to how their information was processed.
The customer’s right to complain to a regulator.
Think about the following questions:
Are you able to provide all of the required context around a customer's data if they ask for it? Try to plan for a request in advance by maintaining a map of all of the personal data you (or the service providers you use, like Shopify) store about your customers.
Have you considered other service providers that you might use who may have access to your customers’ personal data? These could include third-party apps, channels, and payment gateways.
Do you have contact information for all of the third-party services you use that might store your customers’ personal data?
Process erasure requests
The GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data.
"Personal data" means any data that can be used to identify an individual, including:
Name
Address
IP address
Credit card number.
Personal data does not include information that is purely financial and cannot be linked to an individual, such as:
How many times a specific product has sold
How much revenue your store has made
If you receive a request for erasure (sometimes called redaction or deletion), then you should first verify the customer’s identity. You should also make sure there is no reason you need to keep the customer's data (for example, if the customer is also an employee).
Steps:
From your Shopify admin, click Customers.
Click the name of the customer you want to request an erasure for.
Click Erase personal data.
After you request an erasure through your admin, Shopify will transmit your erasure request to all apps you have installed at the time you make the request that might have access to that customer’s data.
Once you request an erasure within your admin, a 10 day buffer period will begin during which you can cancel the request in case you made the request accidentally. To cancel a pending erasure request, contact Shopify Support, and include your store information and the relevant customer ID.
When you request an erasure, Shopify will only redact personal information (such as name and address). Your anonymized order information will remain intact in case you need it for accounting purposes. Once the relevant personal data has been erased, we will send you a confirmation email.
By default, Shopify will not erase personal data if the customer has made an order in the last 6 months (180 days), in case a chargeback occurs. If a request for erasure is submitted in that time frame, then it will sit pending, and Shopify will action it once the appropriate time has passed. You do not need to submit another request.
If you would like to override this time delay (regardless of the risk of chargeback), contact Shopify Support.
Think about the following questions:
Are you storing any customer data on your own personal computers or in hard copy?
Are there other third parties, such as channels or payment gateways that you may need to contact to request they erase a customer's personal information?
Are there any local requirements, such as tax laws, that might require you to retain your customers’ personal information even if they request deletion? Consider consulting with a local lawyer familiar with data retention requirements to help answer this question.
Download Shopify's GDPR whitepaper
For more information about how Shopify complies with the GDPR, and to make sure that you will be in a position to comply in relation to your use of Shopify, download Shopify's GDPR whitepaper document (in English).
文章内容来源:Shopify商户官方网站