The European Union (EU) is introducing a landmark regulation called the General Data Protection Regulation (GDPR) effective on the 25th of May, 2018.
The goal of the GDPR is to give EU residents significant improvements to their privacy rights and control over their personal data, and to protect them from privacy breaches and leaks. Every organization that handles, markets or tracks the personal data of EU residents is concerned, even if they are not based in Europe, and even ecommerce platforms with buyers from other countries or regions will have to follow this regulation, no matter where they are based.
There are strong penalties in place for non-compliance: up to €20m or 4% of global annual turnover, whichever is higher.
Making sure we are compliant, and in turn that the personal data of buyers are treated correctly, while continuing to provide a great customer experience has been an important focus for us.
Here are the main concepts of the GDPR:
- Personal data requires lawful processing. This means that you shouldn't buy email lists where you don't know how consent was acquired, and we can't enable newsletters to customers if we don't know whether they have consented to them.
- Customers should specify exactly what communications they want to receive from you. This means that the language explaining how you will contact them needs to be very clear and respect certain rules—leading to fewer unsubscribes and spam reports.
- Customers will have a right to transparency around the collection and processing of their data. This means that they will be able to ask us for the data we store on them, and receive it in a simple format.
- Customers can request the right to be forgotten. This means that if they ask us, we will remove all their personal data—letting you focus on the best customers.
We're rolling out changes to ensure that compliance is simple and straightforward for our merchants.
When someone buys something using our platform, their personal data is protected under the GDPR, and we only pass information given by the buyer's own consent to the seller.
How We Handle Customer Data
We collect customer data during our checkout process for payment processing and order fulfillment purposes. Since we don't operate as the Merchant of Record, we just store the name, contact details, and billing/shipping information provided by the buyer. The extent of billing information depends on which Payment Processor and/or Gateway the Merchant has enabled which handled the buyer's payment.
The personal data provided to us is protected under the GDPR, which gives us two applicable scenarios that allow us to pass the data on: legitimate interest, and consent.
E-junkie merchants have a legitimate interest to use customer provided data for product fulfillment, order processing, fraud prevention, and product support. We will pass customer data to merchants to enable these use cases, and this does not require additional consent from the customer. It is important that merchants only use customer data for those scenarios, or they will not be compliant with the GDPR. Our terms and conditions are also being updated to reflect these obligations.
We don't request from the buyer any information which is not covered by legitimate interests.
Data Transfer & Sharing
Rules for transferring data outside of the EU haven't actually changed under GDPR, and while we process data outside of the EU, we do so in a way which is fully compliant with EU law.
We process and store data in the US using infrastructure and data solutions provided by Amazon, which is certified under the EU-US Privacy Shield, and as such, the transfer and processing is compliant without the need for additional consent.
During our checkout process, buyers' billing data is securely shared with our payment providers. This sharing is necessary to facilitate the payment process. We don't share any information with third party services.
Our platform implements industry best practices for data security, including encryption at rest and in transit, access control, and auditing. Keeping buyer data private and secure is extremely important to us at E-junkie.
Cookies & Tracking
We use a small number of GDPR compliant tracking methods. These services use a combination of temporary and long-lived cookies to identify each buyer's unique shopping cart instance. These cookies are only used for a better user experience and not for personal information tracking or internal use. These cookies don't store any valuable information regarding the user.
The data collected is not shared with any outside parties, nor is it used for any activities which would require further GDPR compliance or an opt-out. This data is necessary to ensure the reliable operation of our platform.
What data our merchants see when a sale happens
We only share basic details such as name, contact details, and shipping address, which are required for order processing and customer support. Billing address requirements are determined by the Payment Processor or Gateway the merchant has enabled which handles the buyer's payment. Our product changes make this as easy as possible, and a friendly experience for both sellers and buyers.
- There are a number of GDPR Legitimate Interests data including order fulfillment, order and product support, but excluding marketing, which we store and share with the seller. It is the seller's obligation to only use the buyer's information for those interests, unless further consent is given for marketing.
- We provide a simple way for you to additionally collect marketing consent during the checkout flow. We do this using GDPR compliant language permitting marketing updates and offers in the future. We will pass this consent information back to you in our Seller Admin panel.
- Customers who previously opted-in to marketing consent, but did so in a manner which was not GDPR compliant (such as having the confirmation checkbox automatically checked) will have their marketing consent removed until they opt-in again.
E-junkie has been preparing for the GDPR in the following ways:
- Our Support and Development teams have accomplished our data protection program and GDPR implementation to the best of our ability.
- We added a Data Processing Addendum to our online Terms of Service, as required by Article 28 of the GDPR.
- We implemented a Data Protection Impact Assessment process, as required by Articles 35 and 91 of the GDPR.
- We started GDPR-focused code refactoring in awareness of the law's requirements, so we can design our products and business plans with privacy in mind.
- We implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.
Check our Forum post here regarding GDPR.