How Shopify sellers appoint a Data Protection Officer and process data under the GDPR - ESG Cross-Border

2022-03-28


Privacy notice

The GDPR (and particularly Articles 12 to 14) requires that you provide specific information to individuals whose data you are processing, generally in the form of a privacy notice or privacy policy.

You can use Shopify's privacy policy generator to get you started. You can find it in your settings under Checkout or online.

Think about the following questions:

  • Do you have a privacy policy on your site that includes all of the information that you are required to provide under the regulation? At minimum, does it include how customers can get in contact with you about privacy questions and how customers can exercise their rights, for example the rights to erasure (deletion) or rectification (modification or correction) of their data and the right to access it?

  • Does your privacy policy include how Shopify may use your customers' personal data for automated risk and fraud scoring? The GDPR requires you to disclose when you (or your service providers) use their information in connection with automated decision-making. Shopify uses your customers’ personal information to block certain transactions that appear to be fraudulent through automated decision-making. Shopify's Privacy Policy Generator includes this information. For more information about this system, see Automated decision-making.

Appointing a Data Protection Officer

A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. If your business’s core activities include large scale online tracking, the GDPR requires that you appoint a DPO and provide contact information for the DPO in your Privacy Policy.

The GDPR includes specific tasks that a DPO needs to do, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. The DPO can be an internal person who has expertise in the GDPR and data protection requirements, but you can also consider working with a consultant or firm to serve as an external DPO.

Think about the following questions:

  • How many people are affected by tracking technologies on your storefront? These can include behavioral advertising apps, or even retargeting apps. Whether or not the number of people affected is “large scale” is a legal decision, and you should consult with a lawyer depending on your circumstances.

  • Should you voluntarily appoint a DPO? Even if you are not legally required to appoint a DPO, if your presence in Europe is large enough, you may wish to do so voluntarily to make sure that you adequately protect your customers’ data.

Data processing agreements

As a data controller under the GDPR, Article 28 requires that when you engage a data processor (like Shopify) to process your customers’ data, you impose strict contractual requirements on how they may use and process that data. This is typically done through a Data Processing Addendum, or DPA.

Shopify has automatically incorporated a Data Processing Agreement (https://www.shopify.com/legal/dpa) into its terms of service, which is designed to address the requirements of Article 28.

For Shopify Plus merchants, their negotiated contracts will govern their relationship with Shopify. Plus Merchants can sign a Data Processing Addendum to address their needs. Shopify Plus merchants who do not sign a Data Processing Addendum will be governed by Shopify’s online Data Processing Addendum.

Think about the following questions:

  • Are other data processors that you work with outside of Shopify contractually committed to protecting your customers’ data? Many third-party apps, channels, payment gateways, or other data processors will also automatically incorporate a Data Processing Agreement into their terms. Have you consulted with each of these third parties?

  • Are you a Shopify Plus merchant with a negotiated contract? If you want to sign a Data Processing Addendum, then reach out to Shopify Plus Support. They can provide you with Shopify's template DPA to sign.


