CIMcloud & GDPR: What You Need To Know
Europe’s General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018. Stronger rules on data protection mean EU citizens have more control over their data.
Let’s start with a short disclaimer. We are not lawyers. This blog post is not legal advice and is for informational and/or educational purposes only. Any reliance you place on such information is therefore strictly at your own risk.
Essentially, please seek legal advice about GDPR compliance if you haven’t already done so. Only qualified legal professionals will be able to give you and your business the best advice.
With that out of the way, let’s dive into what GDPR is and what CIMcloud is doing in response to it.
The great thing about e-commerce is that it’s easier than ever to grow your business beyond your borders—but when you’re selling in multiple countries, you need to know a bit more about how they do business and what's required to comply with their laws.
There’s a new regulation coming to the European Union in 2018, called the General Data Protection Regulation (GDPR). The rest of this blog outlines important information on the GDPR and what this new regulation means to your business.
What is GDPR?
“The General Data Protection Regulation (GDPR) is a regulation (binding legislation, not just a directive) by which the EU intends to strengthen and unify data protection for all individuals from the European Union (EU). It also addresses the export of personal data outside the EU.
It aims primarily to give control back to EU citizens and residents (EU Data Subjects) over their personal data and to simplify the regulatory environment for international business (any company that is gathering, processing or storing the personal data of EU citizens).”
GDPR gives EU Data Subjects more rights over their personal data, and it defines what counts as personal data very broadly. You can check out a complete guide to the legislation here.
It specifically gives EU Data Subjects the right to access, correct, delete, and restrict processing of their data, and sets out strict guidelines about how you need to get customers to agree that you can use their data (i.e. consent). This is especially important if you're using your customers’ data for purposes beyond simply filling orders, such as marketing or advertising efforts.
GDPR also makes it your responsibility to protect that data (even if you’re using a processor like CIMcloud to actually store that data), and to ensure your customers and website visitors can exercise all the rights they now have.
For example, if someone in the EU emails you and asks you to delete their purchase history from your store, you’d need to be able to do that.
It’s important to note that this new law doesn’t just apply to stores in the EU – this applies globally to online stores that sell products to, and collects personal information from, EU Data Subjects. GDPR also includes steep sanctions for any company that is not compliant with the GDPR regulation after May 25th, 2018- when the GDPR goes into effect. These fines can go up to 20 million Euros (approximately $28 Million) or 4% of annual global (note global!) turnover, whichever is highest.
Essentially, the GDPR will impact any company that’s either based in Europe, has any customers in Europe, or has customers that have customers in Europe.
What is Personal Data per GDPR Guidelines?
Under GDPR, if you collect or store any information that can be linked to an EU Data Subject, then it counts as “personal data”.
There’s a more in-depth explanation here but as a quick example, if you allow customers to create accounts on your store, or you collect related email addresses of EU Data Subjects, both of those would count as “personal data.”
But GDPR goes broader than that, and even information like an IP address that doesn’t identify a specific person counts as personal data.
Who does the GDPR apply to?
The GDPR applies to any company that handles the personal data of residents in the European Economic Area (EEA). Because CIMcloud works with merchants who serve buyers in the EEA, the GDPR applies to these elements of its business.
CIMcloud will provide tools and processes for its merchants to fulfill GDPR-related requests from their buyers- regardless of the buyer’s location.
Separate from the way in which the GDPR applies to CIMcloud, the regulation also applies to CIMcloud’s merchants and partners who operate in the EEA or offer goods/services to residents of the EEA.
While CIMcloud is working to make sure that its own operations will comply with the GDPR (and to provide its merchants and partners with tools to help its merchants comply with the GDPR), each merchant is ultimately responsible for ensuring that their business complies with the laws of the jurisdictions in which they operate, have buyers or collect personal information.
Using CIMcloud does not guarantee that a merchant or partner complies with the GDPR.
The GDPR also gives certain rights to identified or identifiable EU Data Subjects, including buyers visiting stores belonging to CIMcloud merchants. These include the right to request:
- Deletion (erasure ) of their personal data
- Correction (rectification) of their data
- Access to their data
- An export of their data in a common (portable) format
- Identification number
- Location data
- Online identifier (such as IP address or cookie ID)
This topic is discussed more fully in the Data Subject Rights section.
What data does the GDPR apply to?
The GDPR generally applies to the collection and processing of personal data of EU Data Subjects. Under the GDPR, personal data means any information relating to an EU Data Subject. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:
Controller vs. Processor status
The GDPR separates data protection responsibilities into two categories: controllers and processors.
Controller: The party that determines for what purposes and how personal data is processed, and typically the Controller is the party that collects personal information directly from an EU Data Subject.
Processor: The party that processes personal data on behalf of the controller.
Generally, CIMcloud acts as a processor for the merchant (who typically acts as the controller) with respect to such buyer personal data (or, if the merchant acts as a processor, CIMcloud acts as a subprocessor).
To comply with the GDPR, generally the processor may only process personal data when authorized to do so by the controller.
Where CIMcloud is a processor for a merchant, it processes personal data in accordance with documented instructions from merchants. For example, when a merchant selects a payment processor, the processor gives CIMcloud the instruction to transmit data to the relevant party.
The GDPR also places several other responsibilities on the processor, discussed below:
Processors must notify and obtain consent from their controller when transmitting personal data to a subprocessor. Depending on the Data Processing Agreement between the controller and the processor, consent may be specific on a case-by-case basis, or general consent with the controller’s right to object. CIMcloud uses a number of subprocessors to provide the service, including to:
- Store platform data
- Respond to and manage support inquiries
When a merchant signs up for the CIMcloud service, they consent to allow CIMcloud to use subprocessors. A list of subprocessors is available upon request.
Data Protection Impact Assessments
CIMcloud is formalizing the process for conducting data protection impact assessments (DPIAs) any time a change in processing procedure occurs that is likely to result in a high risk to individuals’ privacy rights. CIMcloud will help answer any reasonable question a merchant has about CIMcloud’s processing activities.
Personal data breach reporting
Processors must notify the controller after becoming aware of a personal data breach resulting from a breach of the processor’s security.
CIMcloud is committed to ensuring that its incident response program meets the requirements of the GDPR. The specifics of breach notification are handled through a merchant's contract with CIMcloud.
Appointment of a Data Protection Officer
Processors must appoint a Data Protection Officer if they conduct certain types of personal data processing.
CIMcloud’s Data Protection Officer can be reached at firstname.lastname@example.org.
Merchants should consider whether they also need to appoint a Data Protection Officer.
Disclosures to third parties
CIMcloud will never independently sell personal data for commercial purposes. However, CIMcloud does disclose personal data to third parties or allow third parties to access personal data to help provide services—for example, to:
- Store platform data
- Respond to and manage support inquiries
Additionally, CIMcloud may provide personal data, where permitted, to prevent, investigate, or respond to:
- Potential fraud
- Illegal conduct
- Physical threats
- Violations of any agreements with CIMcloud
CIMcloud also provides information to third parties when legally required to do so. Where CIMcloud believes it is legally required to provide information, and not legally prohibited from disclosing the existence of the legal order, it will notify the data subject and give the data subject a chance to seek a protective order.
If a merchant agrees to use a third-party service provider such as a payment processor, a sales channel, or an app that is not controlled by CIMcloud, the respective service provider’s use of personal data is controlled by the merchant’s agreement with the provider. CIMcloud is not responsible for the data practices of these third-party service providers, and merchants should carefully evaluate these service providers as they would any third party.
EU Data Subject rights
The GDPR provides data subjects (in this case, buyers) with certain rights over their personal data. Generally, data subject requests must be addressed within one month, unless they are exceptionally complex or numerous. The following rights are granted to data subjects:
EU Data Subjects have the right to request that their personal data be erased in certain circumstances.
If a merchant receives a request from a buyer to delete their personal data, before forwarding the request to CIMcloud, the merchant has sole responsibility for:
- Verifying that the requester is the same as the data subject (that is, the requester is not asking to erase someone else’s personal data)
- Confirming there is no legal reason to preserve this data
If both conditions are satisfied, the merchant should forward the request to CIMcloud, either through CIMcloud's support system, or by emailing email@example.com.
After a request is received, CIMcloud will ensure that the relevant personal data is erased. If erasing it is impossible, CIMcloud will let the merchant know to what degree it is impossible, and why.
In addition to contacting CIMcloud, the merchant should also work with any relevant third parties to make sure that they delete or anonymize the personal data.
Personal data cannot be erased from CIMcloud while it is:
- Associated with a pending order
- Associated with an order made fewer than 180 days before the request (the usual window in which a buyer can make a chargeback).
If the buyer’s personal data cannot be erased for this reason, the merchant should re-submit the deletion request after the appropriate time has passed.
When processing a request for erasure, CIMcloud will anonymize the personal data of the buyer, but keep non-personal data such as revenue information and order details.
Order details that are retained include: the gateway used to process payment, time of sale, amount paid, currency, subtotal, shipping cost, taxes added, shipping method, item quantity, item name, SKU, and payment method.
If no data erasure requests are received, CIMcloud will keep data for the lifetime of the account, and purge personal data within 90 days after an account is closed.
Controllers must, upon request, explain to EU Data Subjects how their personal data is processed and provide access to this personal data.
If merchants cannot export data sufficient to fulfill the request from their admin, they can forward the request to CIMcloud. Similar to a request for erasure, if a buyer requests access to their personal data, the merchant should first validate the identity of the requester.
The merchant can then reach out to CIMcloud, either through CIMcloud's support system, or by emailing firstname.lastname@example.org.
When CIMcloud receives the request, it will:
- Confirm whether personal data about a buyer is being processed by CIMcloud
- Confirm what categories of data are being processed by CIMcloud
- Provide the buyer with the relevant information from CIMcloud systems
Controllers who process data using automation must, in limited circumstances, provide data subjects with their personal data upon request. This data must be provided in a commonly used and machine-readable format.
Merchants may export some data directly from their store’s WebDriver CMS.
All data can be exported as a CSV:
- Transaction histories
- Product lists
- Customer lists
In addition, if a merchant contacts CIMcloud to request copies of processed data, CIMcloud will make the data available in a common format.
Data subjects have the right to correct incomplete or inaccurate personal data held or processed by a controller. CIMcloud’s platform allows a merchant to change customer records directly from their WebDriver CMS.
Contractual agreements and Data Processing Addendum
For merchants whose relationship with CIMcloud is governed by CIMcloud's online Terms of Service, CIMcloud has automatically incorporated a Data Processing Addendum, which will apply to its processing of personal data. Just as CIMcloud is not able to negotiate its Terms of Service, it is not able to negotiate this Data Processing Addendum.
What if I have more questions about the GDPR or my local privacy laws?
Contact a local lawyer who specializes in privacy or data protection law.
Who can I contact for more information on CIMcloud’s practices?
If I use CIMcloud to host my store, does my business comply with GDPR?
Not automatically. While CIMcloud’s operations will comply with the GDPR, and CIMcloud will provide tools to help its merchants comply, it is the responsibility of each merchant to ensure that its business is compliant with the laws of the jurisdiction in which it operates.
Using CIMcloud’s platform alone does not guarantee that a company complies with the GDPR.