How does the GDPR affect Shopify?
The General Data Protection Regulation (GDPR) requires Shopify to make the following changes to its platform and internal privacy program:
Reorganize the privacy team, and document and keep records of certain privacy-related decisions made by Shopify so that Shopify is accountable for its privacy practices.
Make sure that Shopify is able to honor the rights of European merchants and customers over their personal data, and that when using Shopify's services, merchants are able to do the same.
Make certain contractual commitments to merchants and get certain contractual commitments when Shopify uses a third-party subprocessor to provide services.
What has Shopify done to prepare for the GDPR?
Shopify has been preparing for the GDPR in the following ways:
Policies and documentation
- Added a data processing addendum to Shopify's online terms of service, as required by Article 28 of the GDPR.
- Implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.
- Prepared a whitepaper (in English) to help merchants and partners understand how Shopify interprets and has been approaching its obligations under the GDPR.
- Added functionality to the Shopify platform so that merchants are able to obtain independent consent for marketing purposes, and can choose whether or not to pre-check the consent checkbox depending on their requirements.
- Updated abandoned cart notifications to allow merchants to be able to tie them to whether or not a customer has opted in to marketing communications.
- Appointed an experienced Data Protection Officer to oversee Shopify's data protection program and GDPR implementation plan.
- Prepared a registry of our data processing activities, as required by Article 30 of the GDPR.
- Implemented a Data Protection Impact Assessment process, as required by Articles 35 and 91 of the GDPR.
- Documented the subprocessors that Shopify uses to deliver its platform and other services, and started to review the contractual arrangements with these subprocessors, to make sure that they are required to protect personal data through robust technical and organizational measures.
- Began the process of applying for approval of Binding Corporate Rules to support Shopify's data processing operations.
- Started to deliver GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design Shopify products and business plans with privacy in mind.
What else is Shopify doing to comply with GDPR?
In addition to the preparations listed above, Shopify is rolling out the following features:
- Tool to request all of the information Shopify holds about a customer on their behalf through the Shopify admin, in case the merchant receives a subject access request under the GDPR.
- Tool to request that Shopify delete all personal information associated with a particular customer through the Shopify admin, in case the merchant receives an erasure request under the GDPR. When a merchant uses this tool to request erasure, Shopify will also forward this request to apps the merchant has installed at the time of the request that were granted access to customer personal information.
- More informative channel installation process that tells merchants exactly what personal data the channel will have access to after it is installed.
- More transparent process through which merchants install apps so that merchants can fully understand exactly what personal data an app is requesting access to before installing the app.
- More descriptive listings for already-installed apps so that merchants can check specific app data access permissions at any time.
Will Shopify enter into Data Processing Agreements with its merchants?
For merchants who use Shopify's services subject to the online terms of service, Shopify has revised its terms to incorporate a data processing addendum.
You don't have to sign this document, because it is appended to the terms of service and you agree to it by continuing to use Shopify services. This fulfills the requirement of Article 28(3) of the GDPR. Shopify is not able to sign an individual agreement with each merchant.
For Shopify Plus merchants, Shopify has a data processing agreement to cover its processing of personal data. Please contact Shopify Plus Support for more details.
Download Shopify's GDPR whitepaper
For more information about how Shopify complies with the GDPR, and to make sure that you will be in a position to comply in relation to your use of Shopify, download Shopify's GDPR whitepaper document (in English).