Shopify 為 GDPR 做了哪些準(zhǔn)備和措施？

shopify新聞

2022-03-28

1027

《通用數(shù)據(jù)保護條例》(GDPR) 要求 Shopify 對其平臺和內(nèi)部隱私計劃進(jìn)行以下更改：

GDPR 如何影響 Shopify？

《通用數(shù)據(jù)保護條例》(GDPR) 要求 Shopify 對其平臺和內(nèi)部隱私計劃進(jìn)行以下更改：

重新組織隱私團隊，記錄并保存 Shopify 所做的某些與隱私相關(guān)的決策，以便 Shopify 對其隱私相關(guān)做法承擔(dān)責(zé)任。
確保 Shopify 能夠尊重歐洲商家和客戶對其個人數(shù)據(jù)的權(quán)利，并在使用 Shopify 的服務(wù)時，商家也能做到這一點。
當(dāng) Shopify 使用第三方分支處理機構(gòu)提供服務(wù)時，向商家做出某些協(xié)議承諾并獲得某些協(xié)議承諾。

本頁相關(guān)主題

Shopify 為 GDPR 做了哪些準(zhǔn)備?
Shopify 還采取了哪些措施來遵守 GDPR？
Shopify 會與商家簽訂數(shù)據(jù)處理協(xié)議嗎？

Shopify 為 GDPR 做了哪些準(zhǔn)備?

Shopify 針對 GDPR 做了以下方面的準(zhǔn)備：

政策和文檔

根據(jù) GDPR 第 13 條和第 14 條的要求，更新了 Shopify 的隱私政策，以包含有關(guān) GDPR 擴展的權(quán)利的詳細(xì)信息，以及有關(guān) Shopify 如何處理個人數(shù)據(jù)的詳細(xì)信息。
根據(jù) GDPR 第 28 條的要求，向 Shopify 的在線服務(wù)條款中添加了數(shù)據(jù)處理附錄。
實現(xiàn)了處理數(shù)據(jù)主體申請訪問權(quán)限、刪除申請和政府申請訪問權(quán)限的詳細(xì)過程。
準(zhǔn)備了一份白皮書（英文版），以幫助商家和合作伙伴了解 Shopify 如何解釋和履行 GDPR 規(guī)定的義務(wù)。

產(chǎn)品功能

根據(jù) GDPR 第 13 條和第 14 條的要求，更新了隱私政策生成器，以包括商家需要在他們的隱私政策中包含的一些信息。
為 Shopify 平臺添加了功能，使商家能夠獲得獨立的同意來實現(xiàn)營銷目的，并且能夠根據(jù)他們的需求選擇是否要預(yù)先選中同意復(fù)選框。
更新了通知，以允許商家能夠?qū)⑦@些通知與客戶是否選擇接收營銷信息聯(lián)系起來。

應(yīng)用商店

更新后的 Shopify 應(yīng)用商店將會顯示，以便應(yīng)用開發(fā)者可鏈接到隱私政策，其中準(zhǔn)確解釋應(yīng)用將收集和處理的個人數(shù)據(jù)。
為應(yīng)用開發(fā)者提供了模板隱私政策，以便幫助他們起草隱私政策，其中包括商家根據(jù) GDPR 要求更新自己的隱私政策所需的信息類型。

公司管控

指定一位經(jīng)驗豐富的數(shù)據(jù)保護官來監(jiān)督 Shopify 的數(shù)據(jù)保護計劃和 GDPR 實施計劃。
按照 GDPR 第 30 條的要求，為我們的數(shù)據(jù)處理活動準(zhǔn)備了一份注冊表。
根據(jù) GDPR 第 35 條和第 91 條要求，實現(xiàn)了數(shù)據(jù)保護影響評估。
記錄了 Shopify 用于提供其平臺和其他服務(wù)的分支處理機構(gòu)，并已開始審查與這些分支處理機構(gòu)的合同安排，以確保它們能夠滿足通過強大的技術(shù)和組織措施來保護個人數(shù)據(jù)的要求。
已啟動申請批準(zhǔn)約束公司規(guī)則的流程以支持 Shopify 的數(shù)據(jù)處理操作。
已經(jīng)開始對關(guān)鍵團隊和人員進(jìn)行以 GDPR 為重點的培訓(xùn)，以便他們了解法律要求并且能夠在考慮到隱私的情況下設(shè)計 Shopify 產(chǎn)品和商業(yè)計劃。

Shopify 還采取了哪些措施來遵守 GDPR？

除了上述準(zhǔn)備事項外，Shopify 還將推出以下功能：

用于代表客戶通過后臺請求 Shopify 持有的所有客戶信息的工具，適用于商家收到符合 GDPR 的主體申請訪問的情況。
用于請求 Shopify 通過 Shopify 后臺刪除與特定客戶相關(guān)的所有個人信息的工具，適用于商家收到符合 GDPR 的刪除請求的情況。當(dāng)商家使用此工具請求刪除時，Shopify 還會將此請求轉(zhuǎn)發(fā)給商家在請求客戶個人信息訪問權(quán)限獲批時安裝的應(yīng)用。
更具信息性的渠道安裝流程，更準(zhǔn)確地告知商家該渠道在安裝后將能訪問哪些個人數(shù)據(jù)。
更強大的 Cookie 策略，其中包括 Shopify 存放的 Cookie（不僅存放在 Shopify 自己的在線資產(chǎn)上，還通過 Shopify 店面和移動應(yīng)用存放）的類別相關(guān)特定信息，以確保商家獲得所需信息，便于在存放提供服務(wù)所需的 Cookie 時獲得 Shopify 的有效同意。
商家安裝應(yīng)用的過程更加透明，以便在安裝應(yīng)用之前，商家可以完全了解應(yīng)用申請訪問的確切個人數(shù)據(jù)。
為已安裝應(yīng)用提供更多描述性清單，以便商家可以隨時查看特定應(yīng)用數(shù)據(jù)訪問權(quán)限。

Shopify 會與商家簽訂數(shù)據(jù)處理協(xié)議嗎？

對于按照在線服務(wù)條款規(guī)定使用 Shopify 服務(wù)的商家，Shopify 對條款進(jìn)行了修訂，已將數(shù)據(jù)處理附錄納入在內(nèi)。

您無需簽署此文檔，因為它已附加到服務(wù)條款，您繼續(xù)使用 Shopify 服務(wù)即表示您同意此條款。這符合 GDPR 第 28(3) 條的要求。Shopify 無法與每個商家簽署單獨協(xié)議。

對于 Shopify Plus 商家，Shopify 制定了一份涵蓋其個人數(shù)據(jù)處理事項的數(shù)據(jù)處理協(xié)議。有關(guān)詳細(xì)信息，請聯(lián)系 Shopify Plus 客服。

下載 Shopify 的 GDPR 白皮書

有關(guān) Shopify 如何遵守 GDPR 并確保您在使用 Shopify 時能夠遵守 GDPR 的詳細(xì)信息，請下載 Shopify 的 GDPR 白皮書文檔（英文版）。

How does the GDPR affect Shopify?
The General Data Protection Regulation (GDPR) requires Shopify to make the following changes to its platform and internal privacy program:
Reorganize the privacy team, and document and keep records of certain privacy-related decisions made by Shopify so that Shopify is accountable for its privacy practices.
Make sure that Shopify is able to honor the rights of European merchants and customers over their personal data, and that when using Shopify's services, merchants are able to do the same.
Make certain contractual commitments to merchants and get certain contractual commitments when Shopify uses a third-party subprocessor to provide services.
On this page
What has Shopify done to prepare for the GDPR?
What else is Shopify doing to comply with GDPR?
Will Shopify enter into Data Processing Agreements with its merchants?
What has Shopify done to prepare for the GDPR?
Shopify has been preparing for the GDPR in the following ways:
Policies and documentation
Updated Shopify's privacy policy to include more information about the rights extended by the GDPR, as well as more detailed information about how Shopify processes personal data, as required by Articles 13 and 14 of the GDPR.
Added a data processing addendum to Shopify's online terms of service, as required by Article 28 of the GDPR.
Implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.
Prepared a whitepaper (in English) to help merchants and partners understand how Shopify interprets and has been approaching its obligations under the GDPR.
duct features
Updated the privacy policy generator to include some of the information merchants will need to include in their privacy policies, as required by Articles 13 and 14 of the GDPR.
Added functionality to the Shopify platform so that merchants are able to obtain independent consent for marketing purposes, and can choose whether or not to pre-check the consent checkbox depending on their requirements.
Updated abandoned cart notifications to allow merchants to be able to tie them to whether or not a customer has opted in to marketing communications.
App store
Updated Shopify App Store displays so that app developers can link to a privacy policy that explains exactly what personal data the app collects and processes.
Provided app developers with a template privacy policy to help them draft a privacy policy that will include the types of information merchants will need to be able to update their own privacy policies, as required by the GDPR.
Corporate governance
Appointed an experienced Data Protection Officer to oversee Shopify's data protection program and GDPR implementation plan.
Prepared a registry of our data processing activities, as required by Article 30 of the GDPR.
Implemented a Data Protection Impact Assessment process, as required by Articles 35 and 91 of the GDPR.
Documented the subprocessors that Shopify uses to deliver its platform and other services, and started to review the contractual arrangements with these subprocessors, to make sure that they are required to protect personal data through robust technical and organizational measures.
Began the process of applying for approval of Binding Corporate Rules to support Shopify's data processing operations.
Started to deliver GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design Shopify products and business plans with privacy in mind.
What else is Shopify doing to comply with GDPR?
In addition to the preparations listed above, Shopify is rolling out the following features:
Tool to request all of the information Shopify holds about a customer on their behalf through the Shopify admin, in case the merchant receives a subject access request under the GDPR.
Tool to request that Shopify delete all personal information associated with a particular customer through the Shopify admin, in case the merchant receives an erasure request under the GDPR. When a merchant uses this tool to request erasure, Shopify will also forward this request to apps the merchant has installed at the time of the request that were granted access to customer personal information.
More informative channel installation process that tells merchants exactly what personal data the channel will have access to after it is installed.
More robust Cookie Policy that includes specific information about the categories of cookies that Shopify places, not just on its own online properties but also through Shopify storefronts and mobile apps, to make sure that merchants have the information they need to get effective consent for Shopify to place the cookies necessary to provide service.
More transparent process through which merchants install apps so that merchants can fully understand exactly what personal data an app is requesting access to before installing the app.
More descriptive listings for already-installed apps so that merchants can check specific app data access permissions at any time.
Will Shopify enter into Data Processing Agreements with its merchants?
For merchants who use Shopify's services subject to the online terms of service, Shopify has revised its terms to incorporate a data processing addendum.
You don't have to sign this document, because it is appended to the terms of service and you agree to it by continuing to use Shopify services. This fulfills the requirement of Article 28(3) of the GDPR. Shopify is not able to sign an individual agreement with each merchant.
For Shofy Plus merchants, Shopify has a data processing agreement to cover its processing of personal data. Contact Shopify Plus Support for more details.
Download Shopify's GDPR whitepaper
For more information about how Shopify complies with the GDPR, and to make sure that you will be in a position to comply in relation to your use of Shopify, download Shopify's GDPR whitepaper document (in English).