General Data Protection Regulation (GDPR)
The European Union's General Data Protection Regulation (GDPR) imposes obligations and responsibilities with respect to personal data. By using Shopify, there are tools and information that you can use to help you to analyze your business practices and help ensure that you comply with your GDPR obligations. Using services offered by Shopify alone doesn't guarantee that you comply with GDPR.
You're generally the controller of your customers’ data. This means that you collect your customers’ data and choose how it's handled. If you make goods and services available in Europe, even if you or your business aren't located in Europe, then GDPR might apply to your business.
As a processor for your customers’ data, Shopify follows your instructions on how to handle that data. For information about Shopify’s obligations as a data processor for your customer data, refer to the Data Processing Addendum.
GDPR requirements for processing or storing data
The GDPR doesn't require personal data to be processed or stored in Europe. The GDPR requires personal data of European residents transferred outside of Europe be done in accordance with applicable laws.
Using Shopify to comply with GDPR
When using Shopify, there are tools and information that you can use to help you to comply with GDPR. Although using Shopify can help you with GDPR compliance, it’s important for you to understand your own obligations under GDPR and to ensure that you configure and use the platform in a way that complies with the requirements set forth by GDPR.
You can use the Shopify Privacy & Compliance app to help you get explicit consent from customers for data processing activities. By using the app, you can set up a cookie consent banner and a cookie preferences pop-up.
Data Processing Agreement
The Shopify Data Processing Addendum (DPA) outlines the responsibilities between you and Shopify as a data processor. Shopify follows your instructions on how to handle that data. This agreement also helps to ensure that personal data is processed in accordance with European Data Protection Laws.
Data Access and Deletion
Shopify provides tools that let you access, edit, and delete customer data upon request. This helps you to fulfill a customer’s rights to access, rectify, or erase their personal data as required by GDPR. Learn more about processing customer data requests.
Shopify offers pre-built policy templates that you can use and customize to communicate your data processing practices. By customizing these templates, you can be transparent about how you collect, use, and protect your customer’s personal data. Learn more about adding store policies.
Shopify implements robust security measures to protect personal data, including encryption, firewalls, and regular security audits. Learn more about Shopify’s security certifications and standards.