GDPR 如何影响 Shopify？

《通用数据保护条例》(GDPR) 要求 Shopify 对其平台和内部隐私计划进行以下更改：

• 重新组织隐私团队，记录并保存 Shopify 所做的某些与隐私相关的决策，以便 Shopify 对其隐私相关做法承担责任。

• 确保 Shopify 能够尊重欧洲商家和客户对其个人数据的权利，并在使用 Shopify 的服务时，商家也能做到这一点。

• 当 Shopify 使用第三方分支处理机构提供服务时，向商家做出某些协议承诺并获得某些协议承诺。

本页相关主题

• Shopify 为 GDPR 做了哪些准备?

• Shopify 还采取了哪些措施来遵守 GDPR？

• Shopify 会与商家签订数据处理协议吗？

Shopify 为 GDPR 做了哪些准备?

Shopify 针对 GDPR 做了以下方面的准备：

政策和文档

• 根据 GDPR 第 13 条和第 14 条的要求，更新了 Shopify 的隐私政策，以包含有关 GDPR 扩展的权利的详细信息，以及有关 Shopify 如何处理个人数据的详细信息。

• 根据 GDPR 第 28 条的要求，向 Shopify 的在线服务条款中添加了数据处理附录。

• 实现了处理数据主体申请访问权限、删除申请和政府申请访问权限的详细过程。

• 准备了一份白皮书（英文版），以帮助商家和合作伙伴了解 Shopify 如何解释和履行 GDPR 规定的义务。

产品功能

• 根据 GDPR 第 13 条和第 14 条的要求，更新了隐私政策生成器，以包括商家需要在他们的隐私政策中包含的一些信息。

• 为 Shopify 平台添加了功能，使商家能够获得独立的同意来实现营销目的，并且能够根据他们的需求选择是否要预先选中同意复选框。

• 更新了通知，以允许商家能够将这些通知与客户是否选择接收营销信息联系起来。

应用商店

• 更新后的 Shopify 应用商店将会显示，以便应用开发者可链接到隐私政策，其中准确解释应用将收集和处理的个人数据。

• 为应用开发者提供了模板隐私政策，以便帮助他们起草隐私政策，其中包括商家根据 GDPR 要求更新自己的隐私政策所需的信息类型。

公司管控

• 指定一位经验丰富的数据保护官来监督 Shopify 的数据保护计划和 GDPR 实施计划。

• 按照 GDPR 第 30 条的要求，为我们的数据处理活动准备了一份注册表。

• 根据 GDPR 第 35 条和第 91 条要求，实现了数据保护影响评估。

• 记录了 Shopify 用于提供其平台和其他服务的分支处理机构，并已开始审查与这些分支处理机构的合同安排，以确保它们能够满足通过强大的技术和组织措施来保护个人数据的要求。

• 已启动申请批准约束公司规则的流程以支持 Shopify 的数据处理操作。

• 已经开始对关键团队和人员进行以 GDPR 为重点的培训，以便他们了解法律要求并且能够在考虑到隐私的情况下设计 Shopify 产品和商业计划。

Shopify 还采取了哪些措施来遵守 GDPR？

除了上述准备事项外，Shopify 还将推出以下功能：

• 用于代表客户通过 后台请求 Shopify 持有的所有客户信息的工具，适用于商家收到符合 GDPR 的主体申请访问的情况。

• 用于请求 Shopify 通过 Shopify 后台删除与特定客户相关的所有个人信息的工具，适用于商家收到符合 GDPR 的删除请求的情况。当商家使用此工具请求删除时，Shopify 还会将此请求转发给商家在请求客户个人信息访问权限获批时安装的应用。

• 更具信息性的渠道安装流程，更准确地告知商家该渠道在安装后将能访问哪些个人数据。

• 更强大的 Cookie 策略，其中包括 Shopify 存放的 Cookie（不仅存放在 Shopify 自己的在线资产上，还通过 Shopify 店面和移动应用存放）的类别相关特定信息，以确保商家获得所需信息，便于在存放提供服务所需的 Cookie 时获得 Shopify 的有效同意。

• 商家安装应用的过程更加透明，以便在安装应用之前，商家可以完全了解应用申请访问的确切个人数据。

• 为已安装应用提供更多描述性清单，以便商家可以随时查看特定应用数据访问权限。

Shopify 会与商家签订数据处理协议吗？

对于按照在线服务条款规定使用 Shopify 服务的商家，Shopify 对条款进行了修订，已将数据处理附录纳入在内。

您无需签署此文档，因为它已附加到服务条款，您继续使用 Shopify 服务即表示您同意此条款。这符合 GDPR 第 28(3) 条的要求。Shopify 无法与每个商家签署单独协议。

对于 Shopify Plus 商家，Shopify 制定了一份涵盖其个人数据处理事项的数据处理协议。有关详细信息，请联系 Shopify Plus 客服。

下载 Shopify 的 GDPR 白皮书

有关 Shopify 如何遵守 GDPR 并确保您在使用 Shopify 时能够遵守 GDPR 的详细信息，请下载 Shopify 的 GDPR 白皮书文档（英文版）。

How does the GDPR affect Shopify?

The General Data Protection Regulation (GDPR) requires Shopify to make the following changes to its platform and internal privacy program:

• Reorganize the privacy team, and document and keep records of certain privacy-related decisions made by Shopify so that Shopify is accountable for its privacy practices.

• Make sure that Shopify is able to honor the rights of European merchants and customers over their personal data, and that when using Shopify's services, merchants are able to do the same.

• Make certain contractual commitments to merchants and get certain contractual commitments when Shopify uses a third-party subprocessor to provide services.

On this page

• What has Shopify done to prepare for the GDPR?

• What else is Shopify doing to comply with GDPR?

• Will Shopify enter into Data Processing Agreements with its merchants?

What has Shopify done to prepare for the GDPR?

Shopify has been preparing for the GDPR in the following ways:

Policies and documentation

• Updated Shopify's privacy policy to include more information about the rights extended by the GDPR, as well as more detailed information about how Shopify processes personal data, as required by Articles 13 and 14 of the GDPR.

• Added a data processing addendum to Shopify's online terms of service, as required by Article 28 of the GDPR.

• Implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.

• Prepared a whitepaper (in English) to help merchants and partners understand how Shopify interprets and has been approaching its obligations under the GDPR.

duct features

• Updated the privacy policy generator to include some of the information merchants will need to include in their privacy policies, as required by Articles 13 and 14 of the GDPR.

• Added functionality to the Shopify platform so that merchants are able to obtain independent consent for marketing purposes, and can choose whether or not to pre-check the consent checkbox depending on their requirements.

• Updated abandoned cart notifications to allow merchants to be able to tie them to whether or not a customer has opted in to marketing communications.

App store

• Updated Shopify App Store displays so that app developers can link to a privacy policy that explains exactly what personal data the app collects and processes.

• Provided app developers with a template privacy policy to help them draft a privacy policy that will include the types of information merchants will need to be able to update their own privacy policies, as required by the GDPR.

Corporate governance

• Appointed an experienced Data Protection Officer to oversee Shopify's data protection program and GDPR implementation plan.

• Prepared a registry of our data processing activities, as required by Article 30 of the GDPR.

• Implemented a Data Protection Impact Assessment process, as required by Articles 35 and 91 of the GDPR.

• Documented the subprocessors that Shopify uses to deliver its platform and other services, and started to review the contractual arrangements with these subprocessors, to make sure that they are required to protect personal data through robust technical and organizational measures.

• Began the process of applying for approval of Binding Corporate Rules to support Shopify's data processing operations.

• Started to deliver GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design Shopify products and business plans with privacy in mind.

What else is Shopify doing to comply with GDPR?

In addition to the preparations listed above, Shopify is rolling out the following features:

• Tool to request all of the information Shopify holds about a customer on their behalf through the Shopify admin, in case the merchant receives a subject access request under the GDPR.

• Tool to request that Shopify delete all personal information associated with a particular customer through the Shopify admin, in case the merchant receives an erasure request under the GDPR. When a merchant uses this tool to request erasure, Shopify will also forward this request to apps the merchant has installed at the time of the request that were granted access to customer personal information.

• More informative channel installation process that tells merchants exactly what personal data the channel will have access to after it is installed.

• More robust Cookie Policy that includes specific information about the categories of cookies that Shopify places, not just on its own online properties but also through Shopify storefronts and mobile apps, to make sure that merchants have the information they need to get effective consent for Shopify to place the cookies necessary to provide service.

• More transparent process through which merchants install apps so that merchants can fully understand exactly what personal data an app is requesting access to before installing the app.

• More descriptive listings for already-installed apps so that merchants can check specific app data access permissions at any time.

Will Shopify enter into Data Processing Agreements with its merchants?

For merchants who use Shopify's services subject to the online terms of service, Shopify has revised its terms to incorporate a data processing addendum.

You don't have to sign this document, because it is appended to the terms of service and you agree to it by continuing to use Shopify services. This fulfills the requirement of Article 28(3) of the GDPR. Shopify is not able to sign an individual agreement with each merchant.

For Shofy Plus merchants, Shopify has a data processing agreement to cover its processing of personal data. Contact Shopify Plus Support for more details.

Download Shopify's GDPR whitepaper

For more information about how Shopify complies with the GDPR, and to make sure that you will be in a position to comply in relation to your use of Shopify, download Shopify's GDPR whitepaper document (in English).

特别声明：以上文章内容仅代表作者本人观点，不代表ESG跨境电商观点或立场。如有关于作品内容、版权或其它问题请于作品发表后的30日内与ESG跨境电商联系。