GDPR Compliance Guideline

The General Data Protection Regulation (GDPR) is a new European privacy law that takes effect on May 25, 2018.

The GDPR gives people more rights over their personal data. Specifically, it provides the right to access, correct, delete, and restrict the processing of consumer data, and it sets strict guidelines for user consent. If you collect or store any information that can be linked to an individual, that counts as personal data.

You can read the full text of the GDPR here.

How it affects you

Conditions

According to the GDPR, companies must comply with the regulation if they are based in the EU or sell to EU customers.

Ecwid collects and processes personal data in a compliant manner. However, it is your responsibility to comply with the GDPR requirements when you collect and process personal data from your EU users. Under the new regulation, personal data is defined as any information that can be used to directly or indirectly identify a person.

This includes: a name, a photo, an email address, an IP address, bank details, posts on social networking websites, medical information, and even random codes that are assigned to users to gather analytics, conduct A/B tests, and more.

Requirements

Here are the requirements to comply with the new rules:

  • Get clear consent before collecting any data;
  • Provide customers with the right to access their data;
  • Provide customers with the right to delete, edit, restrict certain data uses;
  • Implement data breach notifications.

How to comply with the new rules

Below are the steps we recommend Ecwid app developers take to comply with the GDPR requirements after May 25, 2018.

Get clear consent before collecting any data

Obtain consent to process your customers’ personal data. Prepare a clear privacy policy specifying why you collect personal data, explaining what data is retained and offering a right to withdraw consent. If you don’t have a privacy policy, check out this website for examples.

Provide customers with the right to access their data

The developer must provide their customers with a copy of their personal data in an easily readable and portable format. For example, create a separate section in your app interface where a merchant can access this data by submitting a request or by downloading it.

Provide customers with the right to delete, edit, restrict certain data uses

Provide an easy flow for users to edit their data in the section of your app interface dedicated to user data management.

Define a clear lifespan for how long user data is stored on your servers. User data can be deleted when the app is uninstalled; subscribe to webhooks to be notified of the uninstallation. For example, once a merchant removes the app, you can no longer contact them via the email address you obtained from the Ecwid API, unless you obtained their email in some other way, such as on your own website.

We recommend storing data digitally. Encrypted data protected with a password of at least the recommended strength, or with a password produced by a password generator, is a more secure option than printed invoices.
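The access, edit, delete and retention steps above, together with the uninstall webhook, as an added example in Python. This is not Ecwid's code or an Ecwid library; it assumes records are kept in an in-memory dictionary keyed by store ID, that the webhook arrives as an HTTP POST whose JSON body carries "eventType" and "storeId", and that the event name `application.uninstalled` and the base64 HMAC-SHA256 body signature match what the Ecwid webhook documentation specifies (both are assumptions here). The security point it shows is that an erasure triggered by a webhook must only happen after the request has been authenticated, so a forged uninstall cannot wipe a merchant's data.

```python
# Added example (not Ecwid's code): a tiny personal-data store for an Ecwid app
# backend that supports the GDPR rights this guideline lists, plus an uninstall
# webhook handler that erases a merchant's data. Assumptions, not from the page:
# records live in an in-memory dict keyed by Ecwid store ID; the webhook is an
# HTTP POST with a JSON body carrying "eventType" and "storeId"; the event name
# "application.uninstalled" and the base64 HMAC-SHA256 body signature must be
# checked against the Ecwid webhook documentation before use.
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)               # constructed retention lifespan
UNINSTALL_EVENT = "application.uninstalled"  # assumed event name


class PersonalDataStore:
    """Holds one record of merchant personal data per Ecwid store ID."""

    def __init__(self):
        self._records = {}

    def save(self, store_id, data, now=None):
        """Store data with a collection timestamp so the lifespan can be enforced."""
        now = now or datetime.now(timezone.utc)
        self._records[store_id] = {**data, "collected_at": now.isoformat()}

    def export(self, store_id):
        """Right of access: return a portable JSON copy, or None if unknown."""
        record = self._records.get(store_id)
        return None if record is None else json.dumps(record, sort_keys=True)

    def update(self, store_id, **fields):
        """Right to rectification: overwrite selected fields of an existing record."""
        if store_id not in self._records:
            raise KeyError(store_id)
        self._records[store_id].update(fields)

    def delete(self, store_id):
        """Right to erasure: remove the record; True if something was removed."""
        return self._records.pop(store_id, None) is not None

    def purge_expired(self, now=None):
        """Enforce the retention lifespan; returns the store IDs that were purged."""
        now = now or datetime.now(timezone.utc)
        expired = [sid for sid, rec in self._records.items()
                   if now - datetime.fromisoformat(rec["collected_at"]) > RETENTION]
        for sid in expired:
            del self._records[sid]
        return expired


def sign_body(secret, raw_body):
    """Base64 HMAC-SHA256 over the raw request body (assumed signature scheme)."""
    mac = hmac.new(secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify_signature(secret, raw_body, header_value):
    """Constant-time comparison so a forged uninstall cannot trigger erasure."""
    return hmac.compare_digest(sign_body(secret, raw_body), header_value or "")


def handle_webhook(store, secret, raw_body, signature):
    """Process one webhook delivery; returns a short status string."""
    if not verify_signature(secret, raw_body, signature):
        return "rejected"            # unauthenticated: never act on it
    try:
        event = json.loads(raw_body)
    except ValueError:
        return "rejected"
    if event.get("eventType") != UNINSTALL_EVENT:
        return "ignored"             # other events do not affect retention
    return "deleted" if store.delete(event.get("storeId")) else "not_found"
```

In a real app the dictionary would be your database and `purge_expired` would run on a schedule, but the shape stays the same: every record carries the date it was collected, the export is a plain JSON document the merchant can take elsewhere, and erasure happens either when the lifespan ends or when an authenticated uninstall event arrives.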

Data breach notifications

Ecwid acts as a data processor, while merchants act as data controllers. If your website or your merchant's website experiences a data breach of any kind, you might be required to notify the affected customers.

Under the GDPR, a notification must be sent within 72 hours from the time you become aware of the breach. Data processors are also required to notify users as well as the data controllers immediately after becoming aware of a data breach.

Recommendations for merchants

Check out our recommendations for Ecwid merchants that can be useful for you and your clients in the Ecwid Blog: https://www.ecwid.com/blog/the-gdpr-what-every-e-commerce-merchant-needs-to-know-before-may-25th.html

What Ecwid has done to comply with the GDPR

Ecwid collects, stores, processes, and shares personal data based on the GDPR guidelines and complies with the GDPR requirements in the following ways:

  • we have assigned a Data Protection Officer who is in charge of the Ecwid Data Protection Policy;
  • we have started to deliver GDPR-focused training to our key teams and personnel;
  • we have implemented a detailed procedure to deal with all data subject access requests, deletion requests, and government access requests;
  • we work only with subprocessors who provide an adequate protection of personal data through robust technical and organizational measures;
  • we have developed a reliable method to detect, report, and investigate a personal data breach;
  • we have established the necessary records of data-processing activities;
  • we are certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks; this arrangement calls for certified organizations to guarantee a level of security in line with EU data protection law regarding the transfer of personal data from the EEA and Switzerland to the U.S.