Under the General Data Protection Regulation ((EU) 2016/679) (the "GDPR"), everyone has rights relating to how their personal information is handled.
We provide a B2B eCommerce plugin which assists our clients in selling online goods and services to their customers. Most of our clients are based in the US but we do have a few clients based in the EU. We therefore sometimes operate as data processors on behalf of our EU clients.
The types of personal data we process about our clients' customers are the following:
We are responsible for ensuring that we comply with the GDPR and this Policy is therefore necessary to implement appropriate practices, processes and controls and to demonstrate such compliance.
"data controller": means the person or organisation that determines the purposes for which, and the manner in which, any personal data is processed. The data controller is responsible for establishing practices and policies in line with the GDPR. Our clients will be the data controller.
"data processor": means any person who processes personal data on behalf of a data controller. We will be the data processor on behalf of our clients.
"data subject": means a living, identified or identifiable individual about whom we hold personal data. All data subjects have legal rights in relation to their personal data.
"personal data": means any information relating to a living individual who can be identified from that data alone or in combination with other identifiers we possess or can reasonably access. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour.
"personal data breach": means any act or omission that compromises the security, confidentiality, integrity or availability of personal data or the physical, technical, administrative or organisational safeguards that we or our third-party service providers put in place to protect it. The loss, or unauthorised access, disclosure or acquisition, of personal data is a personal data breach.
"processing or process": means any activity that involves the use of personal data. It includes obtaining, recording, holding or storing the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.
Under the GDPR, personal information must not be retained for longer than is necessary for the purposes for which the data is processed.
Except as otherwise permitted or required by applicable law, we will only retain personal information for as long as necessary to fulfil the purposes we hold it for, or as required to satisfy any legal, accounting, or reporting obligations.
Under the GDPR, a Data Protection Officer must be appointed where the core activities of a data controller or a data processor involve: (i) processing operations which require regular and systematic monitoring of data subjects on a large scale; or (ii) processing of sensitive personal data on a large scale.
It is clear that we do not carry out processing operations which involve regular and systematic monitoring of data subjects on a large scale. Accordingly, we are not required to appoint a Data Protection Officer.
We will ensure that appropriate technical and organisational data security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss or destruction of, or damage to, personal data.
The GDPR requires us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction or erasure.
We must maintain data security by protecting the confidentiality, integrity and availability of personal data, defined as follows:
Our data security procedures include, but are not limited to, the following:
We will regularly evaluate and test the effectiveness of these safeguards to ensure the security of our processing of personal data. Each employee is responsible for protecting the personal data which we hold and must therefore comply with and not attempt to circumvent the administrative, physical and technical safeguards we implement and maintain in accordance with the GDPR to protect such data.
The GDPR imposes a duty on data controllers to notify a personal data breach to the Information Commissioner's Office ("ICO") within 72 hours after becoming aware of it, unless the relevant personal data breach is unlikely to result in a risk to the rights and freedoms of the relevant data subject. In addition, if a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the data controller must communicate the breach to the relevant data subject without undue delay. As data processors, we will notify the data controller as soon as we become aware of the breach.
We recognise that a personal data breach will be any data security incident that has affected the confidentiality, integrity or availability of personal data. There will be a personal data breach in the following circumstances: (i) whenever any personal data is lost, destroyed, corrupted or disclosed; (ii) if someone accesses the data or passes it on without proper authorisation; or (iii) if the data is made unavailable and this unavailability has a significant negative effect on individuals.
If any individual employee knows or suspects that a personal data breach has occurred, he or she must immediately notify us. He or she must preserve all evidence relating to the potential personal data breach.
Upon becoming aware of a personal data breach, we shall immediately contain the breach and shall assess the potential adverse consequences for the data subjects affected by the breach. Following such assessment, we will determine the risk to the rights and freedoms of the data subjects affected by the breach and will immediately notify the data controller of the breach.
We shall maintain a written record of: (i) all personal data breaches which occur (including those which are not reported to the ICO); and (ii) all decisions made by us in relation to such breaches.
The GDPR restricts data transfers to countries outside the EEA in order to ensure that the level of data protection afforded to individuals by the GDPR is not undermined. Please note that personal data originating in one country is deemed to be "transferred" across borders if it is transmitted or sent to a different country or viewed, accessed or stored in a different country. In this case we access personal data of our clients' customers based in the EU. It is the responsibility of our clients as data controllers to ensure that personal data of their customers is not sent to the US without adequate protection measures being in place. We have obtained certification under the US Privacy Shield.
Under the GDPR, data subjects have certain rights in relation to their personal data. We will ensure that personal data held by us is processed in accordance with the exercise of data subjects' rights.
The GDPR provides data subjects with the following rights:
(i) The right to request access to any personal data held about them by the data controller. This is known as a subject access request ("SAR").
(ii) The right to object to or challenge processing which has been justified on the basis of the data controller's legitimate interests.
(iii) The right to ask the data controller to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed. This is known as the "right to be forgotten".
(iv) The right to ask the data controller to rectify inaccurate data or to complete incomplete data.
(v) The right to restrict processing of personal data in specific circumstances.
(vi) The right to object to decisions about them based solely on automated processing, including profiling.
(vii) The right to object to the data controller using the personal data held about them for direct marketing purposes.
(viii) In limited circumstances, the right to receive or ask for a copy of the personal data held about them to be transferred to a third party in a structured, commonly used and machine readable format. This is known as the right to "data portability".
(ix) The right to withdraw consent at any time to the processing of any data which has been processed by the data controller on the basis of consent.
(x) The right to receive certain information about the data controller's processing activities. This is achieved by providing the data subject with a Privacy Notice.
(xi) The right to prevent processing that is likely to cause damage or distress to the data subject or anyone else.
(xii) The right to request a copy of an agreement under which personal data is transferred outside of the EEA.
(xiii) The right to make a complaint to the ICO.
In the event that a data subject submits a request to a client to exercise any of the above rights, we shall provide all reasonable assistance to our client to respond to the request within the statutory timescales.
When an individual submits a SAR for a copy of personal information held about them we shall take the following steps:
Unless a relevant exemption applies (e.g. refusal of the SAR is necessary to safeguard the enforcement of civil law claims), we shall provide the individual with a copy of the personal information processed by us within 1 month of receipt of the SAR. If the request is complex, or there are a number of requests, we may extend the period for responding by a further 2 months. If we extend the period for responding we shall inform the individual within 1 month of receipt of the SAR and explain the reasons for the delay.
Before providing personal data to an individual in response to a SAR, we shall review the information to be disclosed to ascertain whether the data includes personal data relating to other individuals. If it does, we may redact the personal data of those other individuals, unless those individuals have consented to disclosure of their personal data.
If the SAR is manifestly unfounded or excessive, for example, because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of providing the personal data, or refuse to comply with the request.
If we are not going to respond to the SAR we shall inform the individual of the reasons for not taking action. We will also notify the individual of the option available to the individual to lodge a complaint with the ICO.
We will inform the data controller of any SARs and how we have complied with such requests.
Under the GDPR, data subjects have the right, in certain circumstances, to request that we erase their personal data. We will be required to erase the personal data without undue delay if one of the following circumstances applies:
In most cases, we will not be required to comply with such a request if it is necessary for us to continue processing the relevant personal data for the purposes of our business.
In the situation where an individual submits a request for erasure and it is clear that at least one of the above circumstances applies, we shall, unless there is a relevant exemption, take the steps set out below:
If the request is manifestly unfounded or excessive, for example, because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of erasure, or refuse to act on the request.
If we are not going to respond to the request we shall inform the individual of the reasons for not taking action. We will also notify the individual of the option available to the individual to lodge a complaint with the ICO.
As data processors, we are responsible for implementing appropriate technical and organisational measures in an effective manner to ensure compliance with data protection principles. Under the GDPR, we are now also required to demonstrate compliance with the data protection principles at all times.
We will therefore put in place adequate resources and controls in order to document compliance with the GDPR, including but not limited to:
Under the GDPR, we are required to keep full and accurate records of all our data processing activities. This includes maintaining a record of: (i) all decisions in relation to the processing of personal data; (ii) all personal data breaches; and (iii) the exercise of data subjects' rights.
As data processors we are required to maintain a document known as a "Record of Processing Activities". As a minimum, this document must include the following: (i) name and contact details of the data controllers; (ii) purposes of data processing; (iii) categories of data subjects; (iv) categories of personal data; (v) third party recipients of personal data; (vi) details of international data transfers; (vii) retention periods for personal data; and (viii) a description of the data security measures in place.
We must undergo adequate training to enable us to comply with our obligations as data processors under the GDPR. This should include training on data subjects' rights, consent, legal basis for processing, DPIAs and responding to personal data breaches. We will maintain records of all such training.
We must also regularly test and audit our systems and processes to assess compliance with the GDPR. In particular, we must check to ensure that adequate controls and resources are put in place to ensure the proper use and protection of individuals' personal information.
We do not share personal data with any third parties in the course of our business. We will only share such data with third parties where it is necessary to do so.
Where we are required by law to share personal data of clients' customers with any third party, we shall put in place appropriate controls to ensure that the sharing of such data will be documented, regularly reviewed and verified to make sure that the data sharing is in fact required by law.
We reserve the right to review and amend this Policy from time to time to ensure that it is consistent with the requirements of the GDPR and all other applicable data protection laws. We recognise that this Policy does not override the GDPR or any other applicable data protection laws or requirements.