General Data Protection Regulation (GDPR)

The European Union's General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The GDPR imposes new obligations and responsibilities on controllers and processors of data. As a merchant, you are generally the controller of your customers’ data. This means that you collect your customers’ data and choose how it is handled. Additionally, though it is a European regulation, the GDPR might apply to your business if you make goods and services available in Europe, even if you or your business are not located in Europe. As a processor for your customers’ data, Company follows your instructions on how to handle that data. For information about the Company's obligations as a data processor for your customer data, see the Data Processing Addendum.

Company believes strongly in protecting your customers’ personal data as well as your own, and understands that doing so is critical to help you preserve the trust and confidence of your customers. Company has designed its platform to allow merchants to operate anywhere in the world. GDPR-compliant features are built into Company's platform, including features to enable you to offer your customers transparency into and control over their personal data, and technical measures to ensure that your customers’ personal data is protected as it crosses borders.

Company believes in making it easy for you to use our platform in a manner that complies with privacy and data protection laws like the GDPR. While Company does what it can to set you up for success, there are also steps you will need to take on your own, and ultimately, compliance with the GDPR is the responsibility of each individual merchant. If you have legal questions specific to your obligations under the GDPR, consult with a local lawyer who is familiar with data protection laws.

1. GDPR Overview

The GDPR (General Data Protection Regulation) is the European Union’s data privacy law. The GDPR requires companies to take steps to provide individuals with more visibility into and better control over how their personal data is used. It also requires that companies handle that data securely and responsibly.

Does the GDPR require European personal data to be stored in Europe?

The GDPR doesn't require personal data to be stored in Europe. The GDPR requires only that if the personal data of European residents is transported outside of Europe, then that personal data must be adequately protected.

2. GDPR and Bikayi, Inc.

How does the GDPR affect Bikayi, Inc.?

The General Data Protection Regulation (GDPR) requires Company to make the following changes to its platform and internal privacy program:

What has Company done to prepare for the GDPR?

Company has been preparing for the GDPR in the following ways:

Policies and documentation

Updated Company's privacy policy to include more information about the rights extended by the GDPR, as well as more detailed information about how Company processes personal data, as required by Articles 13 and 14 of the GDPR.
Added a data processing addendum to Company’s online terms of service, as required by Article 28 of the GDPR.
Implemented a procedure to deal with data subject access requests, deletion requests, and government access requests.

Product features

Updated the privacy policy generator to include some of the information merchants will need to include in their privacy policies, as required by Articles 13 and 14 of the GDPR.
Added functionality to the Company platform so that merchants are able to obtain independent consent for marketing purposes and can choose whether or not to pre-check the consent checkbox depending on their requirements.
Updated abandoned cart notifications to allow merchants to tie them to whether or not a customer has opted in to marketing communications.

App store

Updated Company App Store displays so that app developers can link to a privacy policy that explains exactly what personal data the app collects and processes.
Provided app developers with a template privacy policy to help them draft a privacy policy that will include the types of information merchants will need to be able to update their own privacy policies, as required by the GDPR.

Corporate governance

What else is Company doing to comply with GDPR?

In addition to the preparations listed above, Company is rolling out the following features:

Will Company enter into Data Processing Agreements with its merchants?

For merchants who use Company's services subject to the online terms of service, Company has revised its terms to incorporate a data processing addendum. You don't have to sign this document, because it is appended to the terms of service and you agree to it by continuing to use Company services. This fulfills the requirement of Article 28(3) of the GDPR. The Company is not able to sign an individual agreement with each merchant.

3. GDPR and you

How does the GDPR affect you?

The General Data Protection Regulation (GDPR) affects any Company merchants who are based in Europe or who serve European customers. While Company is working hard to make sure that it complies and allows its merchants to comply with the GDPR as of May 25, 2018, it is important to note that the GDPR will also require you to take action independently from the Company platform. Company wants to help place merchants in the best possible position to comply with the law. This article includes questions you should consider to help you assess your obligations to make sure that you have set up your store in a way that complies with the law. That said, this is not legal advice. The GDPR is a complicated regulation, and it will apply differently to different merchants. You should consult with a lawyer to figure out what you specifically need to do. For information about processing data requests, see Processing GDPR data requests.

Why can't the Company handle GDPR compliance for merchants?

The GDPR imposes different obligations on controllers and processors of data. As a processor of data, the Company fulfills its own legal obligations under the GDPR. However, merchants (as controllers) also have their own separate obligations that they must consider. Company provides merchants with a platform that can be configured to be GDPR compliant, but you must consider how you would like to run your business. For further guidance, the following regulators within the European Union have provided specific guidance on the GDPR:
ICO - Guide to data protection.
Irish Data Protection Commissioner - GDPR
CNIL - Règlement européen: se préparer en 6 étapes.

Collecting personal data

The GDPR protects the fundamental rights of individuals within the European Union in relation to the processing of personal data. Examples of personal data include:
Think about the following questions:

Privacy notice

The GDPR (and particularly Articles 12 to 14) requires that you provide specific information to individuals whose data you are processing, generally in the form of a privacy notice or privacy policy.

Think about the following question:

Appointing a Data Protection Officer

A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. If your business’s core activities include large-scale online tracking, the GDPR requires that you appoint a DPO and provide contact information for the DPO in your Privacy Policy. The GDPR includes specific tasks that a DPO needs to do, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. The DPO can be an internal person who has expertise in the GDPR and data protection requirements, but you can also consider working with a consultant or firm to serve as an external DPO.

Think about the following questions:

Data processing agreements

As a data controller under the GDPR, Article 28 requires that when you engage a data processor (like Company) to process your customers’ data, you impose strict contractual requirements on how they may use and process that data. This is typically done through a Data Processing Addendum, or DPA. Company has automatically incorporated a Data Processing Agreement into its terms of service, which is designed to address the requirements of Article 28. For some merchants, the Company may enter into negotiated contracts which will govern their relationship with the Company. Merchants who do not sign a Data Processing Addendum will be governed by the Company's online Data Processing Addendum.
Think about the following questions:

If you want to sign a Data Processing Addendum, then reach out to Company Support. They can provide you with the Company's template DPA to sign.

Customer consent

Under the GDPR, you might need to obtain consent to process the personal data of your customers or change how you currently obtain that consent. For example, you might need to obtain consent from your customers if you are sending your customers marketing messages, or if you are using online advertising or retargeting apps.
Where you need to obtain consent, the GDPR says that it must be:
This means that the customer needs to be given detailed information about the particular use case, and some affirmative action needs to be taken by the customer to show consent. Finally, if you offer your customers the opportunity to provide consent, the GDPR also requires that your customers have a way to withdraw consent. This can often be accomplished through an unsubscribe function. If you have questions about when and how you should obtain consent for collection of personal data, or the extent to which your customers should be allowed to withdraw their consent, then you should speak with a lawyer familiar with data protection laws.

However, consent is only one of many legal bases in the GDPR that can justify processing of personal data. You might also process personal data to fulfill contractual requirements, or if you are required by law to process data. Some European regulators have suggested that if you at first ask for consent and your customer declines, or agrees but then withdraws their consent, then you may no longer be able to rely on any other legal basis to process personal data. As a result, you should only rely on consent where you do not intend to (or need to) rely on another legal basis to process personal data.

Think about the following questions:
For each different way that you use or process your customers’ data, what is the legal basis for doing so? Are you processing based on their consent? Are you processing to fulfill a contractual obligation to the customer? Are you processing to further your legitimate business interests? You should record the legal basis as part of your map of your data practices, described in Collecting personal data.

Where you are relying on consent, is the consent you are getting bundled with the goods or services you are offering? For example, statements like "by purchasing these goods, you agree to our use of your personal information" may no longer be allowed under the GDPR.

Are you providing enough details about how you will be using the personal data at issue to make sure that the customer’s consent is informed?

Is the customer’s consent recorded and stored somewhere?

Do you require consent to send marketing communications to your customers? Even if you do not need consent under the GDPR, local laws may or may not require you to obtain consent to send marketing communications to your customers. Speak with a lawyer about the specific requirements that might apply to your store.

If you believe you require consent to send marketing communications, then is the marketing consent checkbox for your store unchecked by default? Consider setting your storefront up so that the marketing consent checkbox presented to customers is not pre-checked by default to ensure that your customers have to act affirmatively to provide consent.

Parental consent

The GDPR includes specific parental-consent requirements for processing the personal data of users under the age of 16 (although this age can be lower in certain countries).
Think about the following question:

Automated decision-making

The GDPR requires you to notify customers if you are using their personal information to engage in any automated decision-making. Automated decision-making means using automatic algorithms to make a decision about whether an individual is eligible for certain services or offers, should be charged a particular price, or is likely interested in certain types of goods or services. If you are using any processes that include fully automated decision-making (that is, without any human intervention) that will have a significant legal effect on the customer, then you need the customer’s consent. In general, Company does not engage in fully automated decision-making with your customers’ personal data. The one exception is Company's risk and fraud screening, where Company might automatically block a payment card number or IP address after a certain number of unsuccessful payment attempts. Company does not believe this has a significant legal effect on customers because the automated blocking lasts only for a short period of time.
Think about the following questions:

Data breach notification

If the GDPR applies to you and you experience a data breach, then you might be required to notify affected users or specific regulatory bodies. In particular, the GDPR requires notice where a data breach is likely to cause a high risk of adversely affecting individuals’ rights and freedoms.
This is likely to be the case if the breached information:
Where applicable, you're required to provide notice within 72 hours of becoming aware of the breach.
Think about the following questions:
The GDPR imposes requirements on any company that uses third-party vendors and service providers to process the personal data of its users. The Company uses a number of sub processors to process your customers’ data. For more information about Company's sub processors, see Company's sub processors.
Think about the following question:

Third-party apps

The GDPR requires that you take a number of affirmative steps relating to your and your third-party service providers’ collection and use of personal data. This includes Company, but also any third-party apps that you might use in connection with your Company store. Company has taken action to make it easier for you to understand what personal data the apps you install have access to.
Steps:
You can also review app permissions before you install an app on the install screen in the app store. Additionally, there is a section of the app store for each app to link to a privacy policy that explains in more detail exactly what data app developers are collecting and how they are using it. While Company wants to make it as easy as possible for you to assess the data practices of the apps you choose to install, it is up to you to ensure that you are using third-party apps in a way that complies with the GDPR.
Think about the following question:

4. Processing GDPR data requests

The GDPR expands on an individual's right to access and control their personal data. This page includes:

Understand subject access and portability requests

The GDPR gives individuals the right, in certain circumstances, to request a copy of their personal data being processed by a company. The GDPR therefore requires that you be able to provide your customers with a copy of their personal data in a format that is:
Common
Easily readable
Portable

This allows customers to use their data with a different service provider. Company allows you to export most data in CSV or Excel formats right from your admin (for example, order, payout, products, and customer information). Generally, you should respond to a request within 30 days. Extensions are allowed if the request is exceptionally difficult to fulfill.

Process subject access and portability requests

If you receive an access or portability request, then you will first need to verify the identity of the requester (so that you do not inadvertently provide someone else your customer’s private personal information).
Steps:
The customer's information is sent by email to the store owner. The store owner can then provide the information to the customer who made the request.

Article 15 of the GDPR will also require you to provide additional context around how you use the data you are providing, including:
Additionally, you need to be able to ensure:
Think about the following questions:

Process erasure requests

The GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data. "Personal data" means any data that can be used to identify an individual, including:

Personal data does not include information that is purely financial and cannot be linked to an individual, such as:

If you receive a request for erasure (sometimes called redaction or deletion), then you should first verify the customer’s identity. You should also make sure there is no reason you need to keep the customer's data (for example, if the customer is also an employee).
Steps:
After you request an erasure through your admin email, Company will transmit your erasure request to all apps that you have installed at the time you make the request that might have access to that customer’s data. Once you request an erasure within your admin, a 10 day buffer period will begin during which you can cancel the request in case you made the request accidentally. To cancel a pending erasure request, contact Company Support, and include your store information and the relevant customer ID.

When you request an erasure, the Company will only redact personal information (such as name and address). Your anonymized order information will remain intact in case you need it for accounting purposes. Once the relevant personal data has been erased, we will send you a confirmation email.

By default, the Company will not erase personal data if the customer has made an order in the last 6 months (180 days), in case a chargeback occurs. If a request for erasure is submitted in that time frame, then it will sit pending, and Company will act on it once the appropriate time has passed. You do not need to submit another request. If you would like to override this time delay (regardless of the risk of chargeback), contact Company Support.
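The erasure workflow just described (10 day cancellation buffer, 180 day hold after the customer's most recent order, redaction that keeps anonymized order rows, and fan-out to installed apps) is modelled below as an added example. This is illustrative code written for this page, not Company's own implementation; the record field names (name, email, shippingAddress and so on), the app notification shape, and the rule that the longer of the two windows wins are all assumptions.

```javascript
// Added example, not Company's code: models the erasure request lifecycle
// described above. All timestamps are milliseconds since the epoch (UTC).
const DAY_MS = 24 * 60 * 60 * 1000;
const CANCEL_BUFFER_DAYS = 10;     // merchant may still cancel inside this window
const CHARGEBACK_HOLD_DAYS = 180;  // no erasure while a recent order could be charged back

// Assumed names of the personal fields that get redacted from a record.
const PII_FIELDS = ['name', 'email', 'phone', 'shippingAddress', 'billingAddress'];

// Compute when a request stops being cancellable and the earliest time it can run.
// `lastOrderAt` is null when the customer has never ordered. `overrideHold` models
// a merchant asking Support to skip the chargeback delay.
function planErasure(submittedAt, lastOrderAt, overrideHold = false) {
  const cancellableUntil = submittedAt + CANCEL_BUFFER_DAYS * DAY_MS;
  let earliestExecution = cancellableUntil;
  if (!overrideHold && lastOrderAt != null) {
    const holdEnds = lastOrderAt + CHARGEBACK_HOLD_DAYS * DAY_MS;
    // The request waits for whichever window closes later (assumption).
    if (holdEnds > earliestExecution) earliestExecution = holdEnds;
  }
  return { cancellableUntil, earliestExecution };
}

// State of a request at time `now`. A 'pending' request needs no resubmission;
// it becomes 'ready' on its own once the hold has passed.
function erasureStatus(plan, now) {
  if (now <= plan.cancellableUntil) return 'cancellable';
  if (now < plan.earliestExecution) return 'pending';
  return 'ready';
}

// Redact the customer's personal fields while leaving the order rows intact
// (totals, dates, ids) so they remain usable for accounting.
function redactCustomer(customer, orders) {
  const stripPii = (record) =>
    Object.fromEntries(Object.entries(record).filter(([key]) => !PII_FIELDS.includes(key)));
  return {
    customer: { ...stripPii(customer), redacted: true },
    orders: orders.map(stripPii),
  };
}

// Every app installed at submission time receives the request (constructed shape).
function appNotifications(customerId, installedApps) {
  return installedApps.map((app) => ({ app, customerId, action: 'erase_customer_data' }));
}

// Constructed sample: request filed 2018-06-01 for a customer who last ordered 2018-05-01.
const SAMPLE_PLAN = planErasure(Date.UTC(2018, 5, 1), Date.UTC(2018, 4, 1));
```

Running `erasureStatus(SAMPLE_PLAN, now)` for a date in early June returns 'cancellable', for late June 'pending' (the buffer has closed but the 180 day hold runs until late October), and for November 'ready'. Passing `overrideHold = true` collapses the wait to the 10 day buffer alone.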

Think about the following questions:

5. Company’s sub processors for customer personal data

Third-party subprocessors

The Company might also use third-party sub processors in order to provide our services. Core sub processors are those that we can't offer our service without. Additional sub processors might apply if additional services are used. Transfers to third-party sub processors are conducted under contract.
List of third party processor | Service Provided | Corporate Headquarters | Data Processed
Google Cloud Platform | Cloud hosting | Mountain View, USA | All platform data
Freshworks | Customer support tool | Delaware, USA | Customer support requests, Customer contact data
Amazon AWS | Cloud hosting | Seattle, USA | Information associated with delivery of website content

Additional third-party subprocessor

List of third party processor | Service Provided | Corporate Headquarters | Data Processed
SalesForce | Sales management tool | San Francisco, CA | Customer contact data
Zoho Books | Accounting tool | Chennai, India | Customer financial information
Outplay | Marketing tool | Delaware, USA | Customer contact data
MoEngage | Marketing tool | San Francisco, CA | Customer contact data
Sales Navigator | Marketing tool | Templeton, CA | Customer contact data
Atlassian Jira | Productivity tool | Sydney, Australia | Tracking of tech tasks; no customer data
Slack | Communication tool | San Francisco, CA | Intra-company knowledge exchange; no customer data
QuickBooks | Accounting tool | Mountain View, USA | Customer financial information
Snowflake | Analytics tool | San Mateo, USA | Product usage data; Customer contact data
Amplitude | Analytics tool | Burlington, USA | Product usage data; Customer contact data

6. GDPR FAQ

Learn about frequently asked questions related to GDPR. These explanations are for informational purposes only, and do not constitute professional legal advice. Consult independent legal advice for information specific to your country and circumstances.

Why does the Company not include an 'Agree to Terms and Conditions and Privacy Policy' checkbox at checkout?

Company has thought about the GDPR very carefully and we have designed our platform to provide our merchants with a best-in-class commerce experience that can comply with privacy and data protection laws like the GDPR. Obtaining explicit, affirmative consent from customers to process their data can, when implemented properly, be a helpful way to provide transparency to and gain the trust of the customer. But when not implemented appropriately, checkboxes can be confusing to the customer, can create mismatched expectations, and can even create legal issues for merchants under the GDPR. We have chosen not to modify our checkout workflow to include an "Agree to Terms and Conditions and Privacy Policy" checkbox during checkout because of these concerns.

In particular, the GDPR makes clear that merchants can collect and process customer personal data for many reasons, including if the customer has provided their informed consent. But the GDPR recognizes that there may be many circumstances in which personal data might need to be processed separate and apart from the customer's consent, such as:
Merchants are likely to rely on many of these legal grounds with respect to the different ways that they might process their customers' data. For example, a merchant might need to use a customer's shipping address to actually fulfill the order and satisfy the merchant's contract with the customer. Similarly, a merchant may be legally required to process personal data to respond to a subpoena or in the context of a tax audit. And a merchant may process personal data for any number of other legitimate interests.

At the same time, European regulators have made clear that consent is the most important of these different justifications. In particular, regulators have suggested that, once a merchant asks for consent to process data for a particular purpose, they may no longer be able to rely on the legal grounds above (such as contracts or legitimate interests). Additionally, regulators have cautioned that consent cannot be made a condition to receiving goods or services.

Why does all of this matter? Let's think about what would happen if a merchant did add an "Agree to Terms and Conditions and Privacy Policy" checkbox at checkout. If the customer does not choose to consent (or, if the customer consents and then withdraws their consent, which is a right provided to individuals under the GDPR), then a merchant may no longer be able to rely on the other justifications listed above. So the merchant may be in a position where under the GDPR the merchant cannot legally process the customer's personal data to process or fulfill an order. At the same time, if the merchant modifies checkout so that this checkbox is mandatory to complete the transaction, consent would be a precondition to receiving the goods or services and so may not be valid under the GDPR in the first place. This complexity has led a number of regulators to caution against asking for or relying on consent where it may not be appropriate.

For example, the UK Information Commissioner's Office has advised: "Consent is appropriate if you can offer people real choice and control over how you use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair. If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis. Public authorities, employers and other organizations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given."

We want to do our best to support our merchants and help them avoid problematic legal consequences. But at the same time, we understand that merchants ultimately need to feel comfortable that they have the trust of their customers.

Why can't I sign a Data Processing Agreement (DPA) with Company?

The GDPR requires that data processors be bound by a contract in writing (which includes contracts in electronic formats) to each data controller in order to process personal data. These contracts should specify what personal data is being processed, and the obligations and rights of the processor and controller. These contracts are often called Data Processing Agreements (DPA). In essence, a DPA is an agreement that the Company will only process the personal data given to it in the manner that the merchant specifies, because the merchant is the controller of the data.

To fulfill this requirement, the Company has added a Data Processing Addendum to our Terms of Service. (It is called an 'Addendum' and not an 'Agreement' because it is added on to the Terms of Service, and isn't an agreement on its own.) As a merchant, you agree to the Terms of Service and, by extension, the Data Processing Addendum, when you sign up for Company's services, and you agree to any updates to the Terms of Service (for example, our update which added the Data Processing Addendum) by continuing to use the services.

It is important to note that the Terms of Service are governed by Delaware law, and not the law of the jurisdiction in which you reside. So while other regional laws, like the GDPR, may certainly cover your business and how you process data, and may require you to have a binding contract with your service providers (like Company), those other regional laws do not necessarily dictate whether a contract is binding or not. In the case of your contract with us, that question of whether the DPA is a binding contract is determined by reference to Delaware law. As a result, even if your jurisdiction requires that a contract (like the DPA) be signed, that may not matter with respect to your DPA. Under Delaware law, we believe that by continuing to use our service once our terms are updated, both Company and you are bound by the new, modified Terms of Service. When you continue to use the Company, we believe you have entered into a binding contract with us that includes our Data Processing Addendum, as required by the GDPR.

What do I do if I have more questions about the GDPR or my local privacy laws?

Contact a local lawyer who specializes in privacy or data protection law.

Who can I contact for more information on the Company's practices?

Contact Company Support for more information on Company's practices.

If I use Company to host my store, does my business comply with GDPR?

Not automatically. While Company's operations will comply with the GDPR, and Company will provide tools to help its merchants comply, it is the responsibility of each merchant to ensure that its business is compliant with the laws of the jurisdiction in which it operates. Using Company's platform alone does not guarantee that a company complies with the GDPR.

7. ePrivacy Directive

The ePrivacy Directive is a set of rules for data protection and privacy in the European Union (EU). The directive is separate from the General Data Protection Regulation (GDPR), and contains additional requirements for European privacy protection. It regulates the storing and accessing of information on devices, such as cookies, email marketing, and other aspects of privacy.

The ePrivacy Directive requires that a website asks for the users' consent before storing cookies that are not strictly necessary for the basic functioning of the website in their browser. The directive also requires that users are told the general purpose of a cookie before they are asked to provide consent. This applies to both first-party cookies that are generated by your website and typically used for analytics, and third-party cookies that are typically generated by advertisers and used for marketing purposes. Both first- and third-party cookies can be used for analytics and advertising.

If you're a Company merchant operating in or with customers from the EU, EEA (European Economic Area, which consists of EU countries plus Iceland, Liechtenstein, and Norway), UK, or Switzerland, then you must ask visitors to your website for their permission to use cookies that are not strictly necessary for the basic functioning of the website. This can be done through a banner that loads when a visitor enters your online store.

Merchants must choose between three options for how Company uses cookies to collect and store your visitors' data: Collected before consent, Partially collected before consent, and Collected after consent.
Option | Definition | Impact
Collected before consent | Data is collected before a customer gives consent. This may not meet applicable data protection and privacy laws, but has no impact on analytics and ad campaigns. | No impacts to analytics or marketing data collection.
Partially collected before consent | Analytics data collection is limited to the duration of a user session, and marketing data collection is blocked prior to customer consent. | This option may impact analytics and marketing data, and analytics data collection can be reduced.
Collected after consent (Recommended) | Data is not collected until a customer gives consent. This may be required by applicable data protection and privacy protection laws, but may impact analytics and ad campaigns. | Due to the potential of users declining to give permission to data collection, this option may impact analytics and marketing data. There can be a drop in the number of overall sessions. Other metrics that depend on accurate session counts for their calculation can also be affected, for example, conversion rate.
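The three collection options in the table, worked through as an added example of a consent gate in front of cookie storage. This is illustrative code written for this page, not Company's banner or platform code; the cookie categories ('necessary', 'analytics', 'marketing'), the per-category visitor states ('undecided', 'granted', 'declined'), and the rule that a declined category is blocked under every option are assumptions. In the "partially collected" option the analytics cookie is issued without Max-Age, so the browser discards it when the session ends, which is how the session-only limitation in the table is realised.

```javascript
// Added example, not Company's code: gate cookie storage on the visitor's consent
// state according to the three collection options described above.
const MODES = Object.freeze({
  BEFORE: 'collected_before_consent',
  PARTIAL: 'partially_collected_before_consent',
  AFTER: 'collected_after_consent',
});

// Decide whether a cookie of `category` may be stored, and whether it may persist
// beyond the session. `state` is the visitor's answer for that category:
// 'undecided' (banner not answered yet), 'granted' or 'declined' (assumed names).
function cookieDecision(mode, category, state) {
  // Strictly necessary cookies need no consent under the directive.
  if (category === 'necessary') return { allowed: true, persistent: true };
  if (state === 'granted') return { allowed: true, persistent: true };
  // Assumption: an explicit refusal blocks the category whatever the option.
  if (state === 'declined') return { allowed: false, persistent: false };
  // Visitor has not answered yet: behaviour depends on the store's option.
  switch (mode) {
    case MODES.BEFORE:
      return { allowed: true, persistent: true };
    case MODES.PARTIAL:
      // Analytics limited to the session (no Max-Age), marketing blocked.
      return category === 'analytics'
        ? { allowed: true, persistent: false }
        : { allowed: false, persistent: false };
    case MODES.AFTER:
      return { allowed: false, persistent: false };
    default:
      throw new Error(`unknown collection option: ${mode}`);
  }
}

// Build the Set-Cookie value, or return null when the cookie must not be stored.
// Omitting Max-Age makes it a session cookie that the browser drops on exit.
function buildCookie(name, value, decision, maxAgeSeconds = 365 * 24 * 60 * 60) {
  if (!decision.allowed) return null;
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'SameSite=Lax', 'Secure'];
  if (decision.persistent) attrs.push(`Max-Age=${maxAgeSeconds}`);
  return attrs.join('; ');
}

// Apply the gate to every cookie a page wants to set; `consent` maps a category
// to the visitor's state and missing categories count as 'undecided'.
function gateCookies(mode, consent, wanted) {
  return wanted
    .map((c) => buildCookie(c.name, c.value, cookieDecision(mode, c.category, consent[c.category] || 'undecided')))
    .filter((cookie) => cookie !== null);
}

// Constructed sample of the cookies a storefront page might try to set.
const SAMPLE_COOKIES = [
  { name: 'cart_session', value: 's1', category: 'necessary' },
  { name: '_analytics_id', value: 'abc 1', category: 'analytics' },
  { name: '_marketing_id', value: 'm1', category: 'marketing' },
];
```

With `SAMPLE_COOKIES` and a visitor who has not answered the banner, `gateCookies` returns all three cookies under the "collected before consent" option, two under "partially collected" (the analytics one without Max-Age), and only the necessary cart cookie under "collected after consent".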