My Project Solution & GDPR: What you need to know

by May 14, 2018Compliance, Uncategorized

Europe’s General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018. Stronger rules on data protection mean EU citizens have more control over their data.

Let’s start with a short disclaimer. We are not lawyers. This blog post is not legal advice and is for informational and/or educational purposes only. Any reliance you place on such information is therefore strictly at your own risk.

Essentially, please seek legal advice about GDPR compliance if you haven’t already done so. Only qualified legal professionals will be able to give you and your business the best advice.

With that out of the way, let’s dive into what GDPR is and what My Project Solution is doing in response to it.

The great thing about e-commerce is that it’s easier than ever to grow your business beyond your borders—but when you’re selling in multiple countries, you need to know a bit more about how they do business and what’s required to comply with their laws.

There’s a new regulation coming to the European Union in 2018, called the General Data Protection Regulation (GDPR). The rest of this blog outlines important information on the GDPR and what this new regulation means to your business.

WHAT IS GDPR?

“The General Data Protection Regulation (GDPR) is a regulation (binding legislation, not just a directive) by which the EU intends to strengthen and unify data protection for all individuals from the European Union (EU). It also addresses the export of personal data outside the EU.

It aims primarily to give control back to EU citizens and residents (EU Data Subjects) over their personal data and to simplify the regulatory environment for international business (any company that is gathering, processing or storing the personal data of EU citizens).”

GDPR gives EU Data Subjects more rights over their personal data, and it defines what counts as personal data very broadly. You can check out a complete guide to the legislation here.

It specifically gives EU Data Subjects the right to access, correct, delete, and restrict processing of their data, and sets out strict guidelines about how you need to get customers to agree that you can use their data (i.e. consent). This is especially important if you’re using your customers’ data for purposes beyond simply filling orders, such as marketing or advertising efforts.

GDPR also makes it your responsibility to protect that data (even if you’re using a processor like My Project Solution to actually store that data), and to ensure your customers and website visitors can exercise all the rights they now have.

For example, if someone in the EU emails you and asks you to delete their purchase history from your store, you’d need to be able to do that.

It’s important to note that this new law doesn’t just apply to stores in the EU – this applies globally to online stores that sell products to, and collects personal information from, EU Data Subjects. GDPR also includes steep sanctions for any company that is not compliant with the GDPR regulation after May 25th, 2018- when the GDPR goes into effect. These fines can go up to 20 million Euros (approximately $28 Million) or 4% of annual global (note global!) turnover, whichever is highest.

Essentially, the GDPR will impact any company that’s either based in Europe, has any customers in Europe, or has customers that have customers in Europe.

WHAT IS PERSONAL DATA PER GDPR GUIDELINES?

Under GDPR, if you collect or store any information that can be linked to an EU Data Subject, then it counts as “personal data”.

There’s a more in-depth explanation here but as a quick example, if you allow customers to create accounts on your store, or you collect related email addresses of EU Data Subjects, both of those would count as “personal data.”

But GDPR goes broader than that, and even information like an IP address that doesn’t identify a specific person counts as personal data.

WHO DOES THE GDPR APPLY TO?

My Project Solution

The GDPR applies to any company that handles the personal data of residents in the European Economic Area (EEA). Because My Project Solution works with merchants who serve buyers in the EEA, the GDPR applies to these elements of its business.

My Project Solution will provide tools and processes for its merchants to fulfill GDPR-related requests from their buyers- regardless of the buyer’s location.

My Project Solution Merchants/Customers

Separate from the way in which the GDPR applies to My Project Solution, the regulation also applies to My Project Solution’s merchants and partners who operate in the EEA or offer goods/services to residents of the EEA.

While My Project Solution is working to make sure that its own operations will comply with the GDPR (and to provide its merchants and partners with tools to help its merchants comply with the GDPR), each merchant is ultimately responsible for ensuring that their business complies with the laws of the jurisdictions in which they operate, have buyers or collect personal information.

Using My Project Solution does not guarantee that a merchant or partner complies with the GDPR.

Buyers

The GDPR also gives certain rights to identified or identifiable EU Data Subjects, including buyers visiting stores belonging to My Project Solution merchants. These include the right to request:

  • Deletion (erasure ) of their personal data
  • Correction (rectification) of their data
  • Access to their data
  • An export of their data in a common (portable) format
  • Name
  • Identification number
  • Location data
  • Online identifier (such as IP address or cookie ID)

This topic is discussed more fully in the Data Subject Rights section.

WHAT DATA DOES THE GDPR APPLY TO?

The GDPR generally applies to the collection and processing of personal data of EU Data Subjects. Under the GDPR, personal data means any information relating to an EU Data Subject. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

CONTROLLER VS. PROCESSOR STATUS

The GDPR separates data protection responsibilities into two categories: controllers and processors.

Controller: The party that determines for what purposes and how personal data is processed, and typically the Controller is the party that collects personal information directly from an EU Data Subject.

Processor: The party that processes personal data on behalf of the controller.

Generally, My Project Solution acts as a processor for the merchant (who typically acts as the controller) with respect to such buyer personal data (or, if the merchant acts as a processor, My Project Solution acts as a subprocessor).

Processor Obligations:

To comply with the GDPR, generally the processor may only process personal data when authorized to do so by the controller.

Where My Project Solution is a processor for a merchant, it processes personal data in accordance with documented instructions from merchants. For example, when a merchant selects a payment processor, the processor gives My Project Solution the instruction to transmit data to the relevant party.

The GDPR also places several other responsibilities on the processor, discussed below:

Subprocessing

Processors must notify and obtain consent from their controller when transmitting personal data to a subprocessor. Depending on the Data Processing Agreement between the controller and the processor, consent may be specific on a case-by-case basis, or general consent with the controller’s right to object. My Project Solution uses a number of sub processors to provide the service, including:

  • Store platform data
  • Respond to and manage support inquiries

When a merchant signs up for the My Project Solution service, they consent to allow My Project Solution to use subprocessors. A list of sub processors is available upon request.

DATA PROTECTION IMPACT ASSESSMENTS

My Project Solution is formalizing the process for conducting data protection impact assessments (DPIAs) any time a change in processing procedure occurs that is likely to result in a high risk to individuals’ privacy rights. My Project Solution will help answer any reasonable question a merchant has about My Project Solution’s processing activities.

PERSONAL DATA BREACH REPORTING

Processors must notify the controller after becoming aware of a personal data breach resulting from a breach of the processor’s security.

My Project Solution is committed to ensuring that its incident response program meets the requirements of the GDPR. The specifics of breach notification are handled through a merchant’s contract with My Project Solution.

APPOINTMENT OF A DATA PROTECTION OFFICER

Processors must appoint a Data Protection Officer if they conduct certain types of personal data processing.

My Project Solution’s Data Protection Officer can be reached at privacy@myprojectsolution.net.

Merchants should consider whether they also need to appoint a Data Protection Officer.

DISCLOSURES TO THIRD PARTIES

My Project Solution will never independently sell personal data for commercial purposes. However, My Project Solution does disclose personal data to third parties or allow third parties to access personal data to help provide services—for example, to:

  • Store platform data
  • Respond to and manage support inquiries

Additionally, My Project Solution may provide personal data, where permitted, to prevent, investigate, or respond to:

  • Potential fraud
  • Illegal conduct
  • Physical threats
  • Violations of any agreements with My Project Solution

My Project Solution also provides information to third parties when legally required to do so. Where My Project Solution believes it is legally required to provide information, and not legally prohibited from disclosing the existence of the legal order, it will notify the data subject and give the data subject a chance to seek a protective order.

EU DATA SUBJECT RIGHTS

The GDPR provides data subjects (in this case, buyers) with certain rights over their personal data. Generally, data subject requests must be addressed within one month, unless they are exceptionally complex or numerous. The following rights are granted to data subjects:

Erasure

EU Data Subjects have the right to request that their personal data be erased in certain circumstances.

If a merchant receives a request from a buyer to delete their personal data, before forwarding the request to My Project Solution, the merchant has sole responsibility for:

  • Verifying that the requester is the same as the data subject (that is, the requester is not asking to erase someone else’s personal data)
  • Confirming there is no legal reason to preserve this data

If both conditions are satisfied, the merchant should forward the request to My Project Solution, either through My Project Solution’s support system, or by emailing privacy@myprojectsolution.net.

After a request is received, My Project Solution will ensure that the relevant personal data is erased. If erasing it is impossible, My Project Solution will let the merchant know to what degree it is impossible, and why.

In addition to contacting My Project Solution, the merchant should also work with any relevant third parties to make sure that they delete or anonymize the personal data.

Timing

Personal data cannot be erased from My Project Solution while it is:

  • Associated with a pending order
  • Associated with an order made fewer than 180 days before the request (the usual window in which a buyer can make a chargeback).

If the buyer’s personal data cannot be erased for this reason, the merchant should re-submit the deletion request after the appropriate time has passed.

Scope

When processing a request for erasure, My Project Solution will anonymize the personal data of the buyer, but keep non-personal data such as revenue information and order details.

Order details that are retained include: the gateway used to process payment, time of sale, amount paid, currency, subtotal, shipping cost, taxes added, shipping method, item quantity, item name, SKU, and payment method.

If no data erasure requests are received, My Project Solution will keep data for the lifetime of the account, and purge personal data within 90 days after an account is closed.

Access

Controllers must, upon request, explain to EU Data Subjects how their personal data is processed and provide access to this personal data.

If merchants cannot export data sufficient to fulfill the request from their admin, they can forward the request to My Project Solution. Similar to a request for erasure, if a buyer requests access to their personal data, the merchant should first validate the identity of the requester.

The merchant can then reach out to My Project Solution, either through My Project Solution’s support system, or by emailing privacy@myprojectsolution.net.

When My Project Solution receives the request, it will:

  • Confirm whether personal data about a buyer is being processed by My Project Solution
  • Confirm what categories of data are being processed by My Project Solution
  • Provide the buyer with the relevant information from My Project Solution systems

Data portability

Controllers who process data using automation must, in limited circumstances, provide data subjects with their personal data upon request. This data must be provided in a commonly used and machine-readable format.

Merchants may export some data directly from their store’s WebDriver CMS.

All data can be exported as a CSV:

  • Transaction histories
  • Orders
  • Product lists
  • Customer lists

In addition, if a merchant contacts My Project Solution to request copies of processed data, My Project Solution will make the data available in a common format.

Rectification

Data subjects have the right to correct incomplete or inaccurate personal data held or processed by a controller. My Project Solution’s websites allows a merchant to change customer records directly from their CMS.

CONTRACTUAL AGREEMENTS AND DATA PROCESSING ADDENDUM

My Project Solutions Terms of Service, Data Processing Addendum, Privacy Policy, and Acceptable Use Policy can be found online at https://myprojectsolution.net/ca.

For merchants whose relationship with My Project Solution is governed by My Project Solutions online Terms of Service, My Project Solution has automatically incorporated a Data Processing Addendum, which will apply to its processing of personal data. Just as My Project Solution  is not able to negotiate its Terms of Service, it is not able to negotiate this Data Processing Addendum.

FAQ

What if I have more questions about the GDPR or my local privacy laws?

Contact a local lawyer who specializes in privacy or data protection law.

Who can I contact for more information on My Project Solution’s practices?

Contact privacy@myprojectsolution.net.