GDPR Frequently Asked Questions

Learn about frequently asked questions related to the GDPR. These explanations are for informational purposes only and do not constitute professional legal advice. For information specific to your country/region and circumstances, consult and obtain independent legal advice.

On this page

  • Why does Shopify not include an 'Agree to Terms and Conditions and Privacy Policy' checkbox at checkout?

  • Why can't I sign a Data Processing Agreement (DPA) with Shopify?

  • What do I do if I have more questions about the GDPR or my local privacy laws?

  • Who can I contact for more information on Shopify's practices?

  • If I use Shopify to host my store, does my business comply with the GDPR?

  • Will Shopify sign Standard Contractual Clauses?

Why does Shopify not include an 'Agree to Terms and Conditions and Privacy Policy' checkbox at checkout?

Shopify has studied the GDPR in detail and designed its platform to provide merchants with a best-in-class commerce experience that complies with privacy and data protection laws such as the GDPR.

Obtaining customers' explicit, affirmative consent to process their data can, when implemented properly, help improve transparency and earn customers' trust. But when implemented improperly, a checkbox can confuse customers, create mismatched expectations, and may even create GDPR-related legal issues for merchants. For these reasons, we chose not to modify the checkout workflow to include an 'Agree to Terms and Conditions and Privacy Policy' checkbox at checkout.

In particular, the GDPR makes clear that merchants may collect and process customer personal data for many reasons, including where the customer has given informed consent. But the GDPR also recognizes that in many situations personal data needs to be processed separately from, and without, the customer's consent, for example:

  • To perform a contract.

  • To fulfill a legal obligation.

  • To further a party's legitimate interests, balanced against any risk to the customer's fundamental right to privacy.

Merchants may rely on several of these legal bases for the different ways they process their customers' data. For example, a merchant may need to use a customer's mailing address to actually ship the order and perform the contract between the merchant and the customer. Similarly, a merchant may be required by law to process personal data in order to respond to a subpoena or for a tax audit. And a merchant may process personal data for many other legitimate interests.

At the same time, European regulators have indicated that, among these different legitimate grounds, consent is the most important. In particular, regulators have indicated that once a merchant asks for consent to process data for a specific purpose, they may no longer be able to rely on the legal bases above (such as contract or legitimate interests). In addition, regulators have warned that consent cannot be made a condition of receiving goods or services.

Why does all of this matter? Consider what would happen if a merchant added an 'Agree to Terms and Conditions and Privacy Policy' checkbox at checkout. If the customer chooses not to consent (or consents and then withdraws that consent, which is a right the GDPR grants to individuals), the merchant may no longer be able to rely on the other grounds listed above. As a result, under the GDPR the merchant may not be able to lawfully process the customer's personal data to process or ship the order. At the same time, if the merchant modifies checkout so that this checkbox is mandatory to complete the transaction, consent becomes a precondition of receiving the goods or services, which may be invalid under the GDPR in the first place.

This complexity has led many regulators to warn against asking for or relying on consent where it may not be appropriate. For example, the UK Information Commissioner's Office has advised:

"Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, you should not ask for consent. If you would still process personal data without consent, asking for consent is misleading and inherently unfair.

If you make consent a precondition of using a service, it may not be the most appropriate lawful basis.

Public authorities, employers and other organizations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given."

We want to do our best to support merchants and help them avoid serious legal consequences. At the same time, we understand that merchants ultimately need the trust of their customers in order to feel comfortable. In that case, you can hire a Shopify Expert to help you add an 'Accept Terms and Conditions' checkbox on the cart page (rather than the checkout page).

Why can't I sign a Data Processing Agreement (DPA) with Shopify?

The GDPR requires data processors to enter into a written contract (including contracts in electronic form) with each data controller in order to process personal data. These contracts must specify which personal data will be processed, and the obligations and rights of the processor and the controller. They are commonly called Data Processing Agreements (DPAs). In essence, under a DPA, Shopify will only process the personal data provided to it in the manner the merchant specifies, because the merchant is the controller of the data.

To meet this requirement, Shopify has added a Data Processing Addendum to its Terms of Service. (It is called an 'Addendum' rather than an 'Agreement' because it is added to the Terms of Service and is not a separate agreement.)

As a merchant, when you sign up for Shopify's services you agree to the Terms of Service and the Data Processing Addendum; by continuing to use the services you agree to any updates to the Terms of Service (for example, the update through which we added the Data Processing Addendum).

It is important to note that the Terms of Service are governed by the law of Ontario, not by the law of your jurisdiction. So while other regional laws (such as the GDPR) may indeed cover your business and how you process data, and may require you to enter into a binding contract with service providers (such as Shopify), those regional laws do not necessarily determine whether a contract is binding. In the case of your contract with us, whether the DPA is a binding contract is determined by reference to Ontario law.

As a result, even if your jurisdiction requires that a contract (such as a DPA) be signed, that may not matter with respect to your DPA. Under Ontario law, we believe that by continuing to use our services after the terms are updated, both Shopify and you are bound by the new, modified Terms of Service. When you continue to use Shopify, we believe you have entered into a binding contract with us that includes the Data Processing Addendum we provide as required by the GDPR.

What do I do if I have more questions about the GDPR or my local privacy laws?

Contact a local lawyer who specializes in privacy or data protection law.

Who can I contact for more information on Shopify's practices?

Contact Shopify Support for details about Shopify's practices.

If I use Shopify to host my store, does my business comply with the GDPR?

Not necessarily. Although Shopify's operations comply with the GDPR and Shopify will provide tools to help merchants comply with the GDPR, it is each merchant's responsibility to ensure that its business complies with the laws of the jurisdiction in which it operates.

Using Shopify's platform alone does not guarantee that a company complies with the GDPR.

Will Shopify sign Standard Contractual Clauses?

No. As described in the 'Data transfers' section of the whitepaper (in English), Shopify has structured its data flows so that merchants transfer data to Shopify's Irish affiliate located in Europe. Standard Contractual Clauses therefore do not apply to this situation, because they are approved for transfers of data between a European party and a non-European party.

In addition, for transfers directly to Shopify Inc., Shopify relies on the European Commission's adequacy decision regarding Canada's privacy law, which extends to Shopify Inc. as a Canadian corporation.

Original text from the Shopify merchant website:

GDPR FAQ

Learn about frequently asked questions related to GDPR. These explanations are for informational purposes only, and do not constitute professional legal advice. Consult independent legal advice for information specific to your country and circumstances.

On this page

  • Why does Shopify not include an 'Agree to Terms and Conditions and Privacy Policy' checkbox at checkout?

  • Why can't I sign a Data Processing Agreement (DPA) with Shopify?

  • What do I do if I have more questions about the GDPR or my local privacy laws?

  • Who can I contact for more information on Shopify's practices?

  • If I use Shopify to host my store, does my business comply with GDPR?

  • Will Shopify sign Standard Contractual Clauses?

Why does Shopify not include an 'Agree to Terms and Conditions and Privacy Policy' checkbox at checkout?

Shopify has thought about the GDPR very carefully and we have designed our platform to provide our merchants with a best-in-class commerce experience that can comply with privacy and data protection laws like the GDPR.

Obtaining explicit, affirmative consent from customers to process their data can, when implemented properly, be a helpful way to provide transparency to and gain the trust of the customer. But when not implemented appropriately, checkboxes can be confusing to the customer, can create mismatched expectations, and can even create legal issues for merchants under the GDPR. We have chosen not to modify our checkout workflow to include an "Agree to Terms and Conditions and Privacy Policy" checkbox during checkout because of these concerns.

In particular, the GDPR makes clear that merchants can collect and process customer personal data for many reasons, including if the customer has provided their informed consent. But the GDPR recognizes that there may be many circumstances in which personal data might need to be processed separate and apart from the customer's consent, such as:

  • To perform a contract.

  • To fulfill a legal obligation.

  • To promote a legitimate interest of a party, balanced with any risks to the customer's fundamental right to privacy.

Merchants are likely to rely on many of these legal grounds with respect to the different ways that they might process their customers' data. For example, a merchant might need to use a customer's shipping address to actually fulfill the order and satisfy the merchant's contract with the customer. Similarly, a merchant may be legally required to process personal data to respond to a subpoena or in the context of a tax audit. And a merchant may process personal data for any number of other legitimate interests.

At the same time, European regulators have made clear that consent is the most important of these different justifications. In particular, regulators have suggested that, once a merchant asks for consent to process data for a particular purpose, they may no longer be able to rely on the legal grounds above (such as contracts or legitimate interests). Additionally, regulators have cautioned that consent cannot be made a condition to receiving goods or services.

Why does all of this matter? Let's think about what would happen if a merchant did add an "Agree to Terms and Conditions and Privacy Policy" checkbox at checkout. If the customer does not choose to consent (or, if the customer consents and then withdraws their consent, which is a right provided to individuals under the GDPR), then a merchant may no longer be able to rely on the other justifications listed above. So the merchant may be in a position where, under the GDPR, the merchant cannot legally process the customer's personal data to process or fulfill an order. At the same time, if the merchant modifies checkout so that this checkbox is mandatory to complete the transaction, consent would be a precondition to receiving the goods or services and so may not be valid under the GDPR in the first place.

This complexity has led a number of regulators to caution against asking for or relying on consent where it may not be appropriate. For example, the UK Information Commissioner's Office has advised:

"Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.

If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.

Public authorities, employers and other organizations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given."

We want to do our best to support our merchants and help them avoid problematic legal consequences. But at the same time, we understand that merchants ultimately need to feel comfortable that they have the trust of their customers. In this case, you can hire a Shopify Expert to help you put an "Accept Terms and Conditions" checkbox on the Cart page (not the Checkout page).

Why can't I sign a Data Processing Agreement (DPA) with Shopify?

The GDPR requires that data processors be bound by a contract in writing (which includes contracts in electronic formats) to each data controller in order to process personal data. These contracts should specify what personal data is being processed, and the obligations and rights of the processor and controller. These contracts are often called Data Processing Agreements (DPA). In essence, a DPA is an agreement that Shopify will only process the personal data given to it in the manner that the merchant specifies, because the merchant is the controller of the data.

To fulfill this requirement, Shopify has added a Data Processing Addendum to our Terms of Service. (It is called an 'Addendum' and not an 'Agreement' because it is added on to the Terms of Service, and isn't an agreement on its own.)

As a merchant, you agree to the Terms of Service and, by extension, the Data Processing Addendum, when you sign up for Shopify's services, and you agree to any updates to the Terms of Service (for example, our update which added the Data Processing Addendum) by continuing to use the services.

It is important to note that the Terms of Service are governed by Ontario law, and not the law of the jurisdiction in which you reside. So while other regional laws, like the GDPR, may certainly cover your business and how you process data, and may require you to have a binding contract with your service providers (like Shopify), those other regional laws do not necessarily dictate whether a contract is binding or not. In the case of your contract with us, the question of whether the DPA is a binding contract is determined by reference to Ontario law.

As a result, even if your jurisdiction requires that a contract (like the DPA) be signed, that may not matter with respect to your DPA. Under Ontario law, we believe that by continuing to use our service once our terms are updated, both Shopify and you are bound by the new, modified Terms of Service. When you continue to use Shopify, we believe you have entered into a binding contract with us that includes our Data Processing Addendum, as required by the GDPR.

What do I do if I have more questions about the GDPR or my local privacy laws?

Contact a local lawyer who specializes in privacy or data protection law.

Who can I contact for more information on Shopify's practices?

Contact Shopify Support for more information on Shopify's practices.

If I use Shopify to host my store, does my business comply with GDPR?

Not automatically. While Shopify's operations will comply with the GDPR, and Shopify will provide tools to help its merchants comply, it is the responsibility of each merchant to ensure that its business is compliant with the laws of the jurisdiction in which it operates.

Using Shopify's platform alone does not guarantee that a company complies with the GDPR.

Will Shopify sign Standard Contractual Clauses?

No. As described in the Data transfers section of our whitepaper (in English), Shopify has structured its data flows so that merchants transfer data to Shopify's Irish affiliate within Europe. For that reason, Standard Contractual Clauses are not appropriate, as they are approved for transfers between a European party and a non-European party.

In addition, regarding transfers directly to Shopify Inc., Shopify would rely in such cases on the European Commission's adequacy decision regarding Canada's privacy law, which extends to Shopify Inc. as a Canadian corporation.

Source: Shopify merchant official website


(This article was compiled from online sources for the purpose of conveying more information and does not represent that 连连国际 (LianLian Global) endorses its views or positions.)