GDPR overview

The GDPR is the European Union’s new data privacy law. It is the most robust and comprehensive privacy law to date, and will fundamentally change how companies collect and process personal data. In particular, the GDPR provides individuals with certain rights over their personal data including a right to access, correct, delete, restrict processing of their data. This regulation requires companies to take steps to help secure personal data rights and more generally protect that data.

When does the GDPR take effect?

The GDPR takes effect on May 25, 2018.

Does the GDPR require European personal data to be stored in Europe?

No. The GDPR requires that if the personal data of European residents is exported outside of Europe, then that personal data must be adequately protected. Companies are already required to take these steps under existing law.

Will Shopify transfer European personal data outside of Europe?

Yes. We have built a highly efficient technical infrastructure that relies on data centers and cloud service providers located outside of Europe. Recognizing that this places a burden on our merchants located in or servicing customers in Europe, however, we have recently shifted the processing of data about European residents to our Irish affiliate, Shopify International Ltd., so that our merchants are not exporting data to us. Rather, our Irish affiliate receives this data within Europe and then further transfers that data to our Canadian and US operations.

We support these transfers through a variety of legal mechanisms approved by the European Commission, including the EU-U.S. Privacy Shield and European Commission decision 2002/2/EC. We are also applying for approval over Binding Corporate Rules. For more information about this, see section 11 of our Privacy Policy.

Want to discuss this page?

Visit the Shopify Community

Ready to start selling online with Shopify?

Try it free