GDPR 如何影響 Shopify？

《通用數(shù)據(jù)保護(hù)條例》(GDPR) 要求 Shopify 對(duì)其平臺(tái)和內(nèi)部隱私計(jì)劃進(jìn)行以下更改：

• 重新組織隱私團(tuán)隊(duì)，記錄并保存 Shopify 所做的某些與隱私相關(guān)的決策，以便 Shopify 對(duì)其隱私相關(guān)做法承擔(dān)責(zé)任。

• 確保 Shopify 能夠尊重歐洲商家和客戶對(duì)其個(gè)人數(shù)據(jù)的權(quán)利，并在使用 Shopify 的服務(wù)時(shí)，商家也能做到這一點(diǎn)。

• 當(dāng) Shopify 使用第三方分支處理機(jī)構(gòu)提供服務(wù)時(shí)，向商家做出某些協(xié)議承諾并獲得某些協(xié)議承諾。

本頁(yè)相關(guān)主題

• Shopify 為 GDPR 做了哪些準(zhǔn)備?

• Shopify 還采取了哪些措施來(lái)遵守 GDPR？

• Shopify 會(huì)與商家簽訂數(shù)據(jù)處理協(xié)議嗎？

Shopify 為 GDPR 做了哪些準(zhǔn)備?

Shopify 針對(duì) GDPR 做了以下方面的準(zhǔn)備：

政策和文檔

• 根據(jù) GDPR 第 13 條和第 14 條的要求，更新了 Shopify 的隱私政策，以包含有關(guān) GDPR 擴(kuò)展的權(quán)利的詳細(xì)信息，以及有關(guān) Shopify 如何處理個(gè)人數(shù)據(jù)的詳細(xì)信息。

• 根據(jù) GDPR 第 28 條的要求，向 Shopify 的在線服務(wù)條款中添加了數(shù)據(jù)處理附錄。

• 實(shí)現(xiàn)了處理數(shù)據(jù)主體申請(qǐng)?jiān)L問(wèn)權(quán)限、刪除申請(qǐng)和政府申請(qǐng)?jiān)L問(wèn)權(quán)限的詳細(xì)過(guò)程。

• 準(zhǔn)備了一份白皮書(shū)（英文版），以幫助商家和合作伙伴了解 Shopify 如何解釋和履行 GDPR 規(guī)定的義務(wù)。

產(chǎn)品功能

• 根據(jù) GDPR 第 13 條和第 14 條的要求，更新了隱私政策生成器，以包括商家需要在他們的隱私政策中包含的一些信息。

• 為 Shopify 平臺(tái)添加了功能，使商家能夠獲得獨(dú)立的同意來(lái)實(shí)現(xiàn)營(yíng)銷目的，并且能夠根據(jù)他們的需求選擇是否要預(yù)先選中同意復(fù)選框。

• 更新了通知，以允許商家能夠?qū)⑦@些通知與客戶是否選擇接收營(yíng)銷信息聯(lián)系起來(lái)。

應(yīng)用商店

• 更新后的 Shopify 應(yīng)用商店將會(huì)顯示，以便應(yīng)用開(kāi)發(fā)者可鏈接到隱私政策，其中準(zhǔn)確解釋?xiě)?yīng)用將收集和處理的個(gè)人數(shù)據(jù)。

• 為應(yīng)用開(kāi)發(fā)者提供了模板隱私政策，以便幫助他們起草隱私政策，其中包括商家根據(jù) GDPR 要求更新自己的隱私政策所需的信息類型。

公司管控

• 指定一位經(jīng)驗(yàn)豐富的數(shù)據(jù)保護(hù)官來(lái)監(jiān)督 Shopify 的數(shù)據(jù)保護(hù)計(jì)劃和 GDPR 實(shí)施計(jì)劃。

• 按照 GDPR 第 30 條的要求，為我們的數(shù)據(jù)處理活動(dòng)準(zhǔn)備了一份注冊(cè)表。

• 根據(jù) GDPR 第 35 條和第 91 條要求，實(shí)現(xiàn)了數(shù)據(jù)保護(hù)影響評(píng)估。

• 記錄了 Shopify 用于提供其平臺(tái)和其他服務(wù)的分支處理機(jī)構(gòu)，并已開(kāi)始審查與這些分支處理機(jī)構(gòu)的合同安排，以確保它們能夠滿足通過(guò)強(qiáng)大的技術(shù)和組織措施來(lái)保護(hù)個(gè)人數(shù)據(jù)的要求。

• 已啟動(dòng)申請(qǐng)批準(zhǔn)約束公司規(guī)則的流程以支持 Shopify 的數(shù)據(jù)處理操作。

• 已經(jīng)開(kāi)始對(duì)關(guān)鍵團(tuán)隊(duì)和人員進(jìn)行以 GDPR 為重點(diǎn)的培訓(xùn)，以便他們了解法律要求并且能夠在考慮到隱私的情況下設(shè)計(jì) Shopify 產(chǎn)品和商業(yè)計(jì)劃。

Shopify 還采取了哪些措施來(lái)遵守 GDPR？

除了上述準(zhǔn)備事項(xiàng)外，Shopify 還將推出以下功能：

• 用于代表客戶通過(guò) 后臺(tái)請(qǐng)求 Shopify 持有的所有客戶信息的工具，適用于商家收到符合 GDPR 的主體申請(qǐng)?jiān)L問(wèn)的情況。

• 用于請(qǐng)求 Shopify 通過(guò) Shopify 后臺(tái)刪除與特定客戶相關(guān)的所有個(gè)人信息的工具，適用于商家收到符合 GDPR 的刪除請(qǐng)求的情況。當(dāng)商家使用此工具請(qǐng)求刪除時(shí)，Shopify 還會(huì)將此請(qǐng)求轉(zhuǎn)發(fā)給商家在請(qǐng)求客戶個(gè)人信息訪問(wèn)權(quán)限獲批時(shí)安裝的應(yīng)用。

• 更具信息性的渠道安裝流程，更準(zhǔn)確地告知商家該渠道在安裝后將能訪問(wèn)哪些個(gè)人數(shù)據(jù)。

• 更強(qiáng)大的 Cookie 策略，其中包括 Shopify 存放的 Cookie（不僅存放在 Shopify 自己的在線資產(chǎn)上，還通過(guò) Shopify 店面和移動(dòng)應(yīng)用存放）的類別相關(guān)特定信息，以確保商家獲得所需信息，便于在存放提供服務(wù)所需的 Cookie 時(shí)獲得 Shopify 的有效同意。

• 商家安裝應(yīng)用的過(guò)程更加透明，以便在安裝應(yīng)用之前，商家可以完全了解應(yīng)用申請(qǐng)?jiān)L問(wèn)的確切個(gè)人數(shù)據(jù)。

• 為已安裝應(yīng)用提供更多描述性清單，以便商家可以隨時(shí)查看特定應(yīng)用數(shù)據(jù)訪問(wèn)權(quán)限。

Shopify 會(huì)與商家簽訂數(shù)據(jù)處理協(xié)議嗎？

對(duì)于按照在線服務(wù)條款規(guī)定使用 Shopify 服務(wù)的商家，Shopify 對(duì)條款進(jìn)行了修訂，已將數(shù)據(jù)處理附錄納入在內(nèi)。

您無(wú)需簽署此文檔，因?yàn)樗迅郊拥椒?wù)條款，您繼續(xù)使用 Shopify 服務(wù)即表示您同意此條款。這符合 GDPR 第 28(3) 條的要求。Shopify 無(wú)法與每個(gè)商家簽署單獨(dú)協(xié)議。

對(duì)于 Shopify Plus 商家，Shopify 制定了一份涵蓋其個(gè)人數(shù)據(jù)處理事項(xiàng)的數(shù)據(jù)處理協(xié)議。有關(guān)詳細(xì)信息，請(qǐng)聯(lián)系 Shopify Plus 客服。

下載 Shopify 的 GDPR 白皮書(shū)

有關(guān) Shopify 如何遵守 GDPR 并確保您在使用 Shopify 時(shí)能夠遵守 GDPR 的詳細(xì)信息，請(qǐng)下載 Shopify 的 GDPR 白皮書(shū)文檔（英文版）。

How does the GDPR affect Shopify?

The General Data Protection Regulation (GDPR) requires Shopify to make the following changes to its platform and internal privacy program:

• Reorganize the privacy team, and document and keep records of certain privacy-related decisions made by Shopify so that Shopify is accountable for its privacy practices.

• Make sure that Shopify is able to honor the rights of European merchants and customers over their personal data, and that when using Shopify's services, merchants are able to do the same.

• Make certain contractual commitments to merchants and get certain contractual commitments when Shopify uses a third-party subprocessor to provide services.

On this page

• What has Shopify done to prepare for the GDPR?

• What else is Shopify doing to comply with GDPR?

• Will Shopify enter into Data Processing Agreements with its merchants?

What has Shopify done to prepare for the GDPR?

Shopify has been preparing for the GDPR in the following ways:

Policies and documentation

• Updated Shopify's privacy policy to include more information about the rights extended by the GDPR, as well as more detailed information about how Shopify processes personal data, as required by Articles 13 and 14 of the GDPR.

• Added a data processing addendum to Shopify's online terms of service, as required by Article 28 of the GDPR.

• Implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.

• Prepared a whitepaper (in English) to help merchants and partners understand how Shopify interprets and has been approaching its obligations under the GDPR.

duct features

• Updated the privacy policy generator to include some of the information merchants will need to include in their privacy policies, as required by Articles 13 and 14 of the GDPR.

• Added functionality to the Shopify platform so that merchants are able to obtain independent consent for marketing purposes, and can choose whether or not to pre-check the consent checkbox depending on their requirements.

• Updated abandoned cart notifications to allow merchants to be able to tie them to whether or not a customer has opted in to marketing communications.

App store

• Updated Shopify App Store displays so that app developers can link to a privacy policy that explains exactly what personal data the app collects and processes.

• Provided app developers with a template privacy policy to help them draft a privacy policy that will include the types of information merchants will need to be able to update their own privacy policies, as required by the GDPR.

Corporate governance

• Appointed an experienced Data Protection Officer to oversee Shopify's data protection program and GDPR implementation plan.

• Prepared a registry of our data processing activities, as required by Article 30 of the GDPR.

• Implemented a Data Protection Impact Assessment process, as required by Articles 35 and 91 of the GDPR.

• Documented the subprocessors that Shopify uses to deliver its platform and other services, and started to review the contractual arrangements with these subprocessors, to make sure that they are required to protect personal data through robust technical and organizational measures.

• Began the process of applying for approval of Binding Corporate Rules to support Shopify's data processing operations.

• Started to deliver GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design Shopify products and business plans with privacy in mind.

What else is Shopify doing to comply with GDPR?

In addition to the preparations listed above, Shopify is rolling out the following features:

• Tool to request all of the information Shopify holds about a customer on their behalf through the Shopify admin, in case the merchant receives a subject access request under the GDPR.

• Tool to request that Shopify delete all personal information associated with a particular customer through the Shopify admin, in case the merchant receives an erasure request under the GDPR. When a merchant uses this tool to request erasure, Shopify will also forward this request to apps the merchant has installed at the time of the request that were granted access to customer personal information.

• More informative channel installation process that tells merchants exactly what personal data the channel will have access to after it is installed.

• More robust Cookie Policy that includes specific information about the categories of cookies that Shopify places, not just on its own online properties but also through Shopify storefronts and mobile apps, to make sure that merchants have the information they need to get effective consent for Shopify to place the cookies necessary to provide service.

• More transparent process through which merchants install apps so that merchants can fully understand exactly what personal data an app is requesting access to before installing the app.

• More descriptive listings for already-installed apps so that merchants can check specific app data access permissions at any time.

Will Shopify enter into Data Processing Agreements with its merchants?

For merchants who use Shopify's services subject to the online terms of service, Shopify has revised its terms to incorporate a data processing addendum.

You don't have to sign this document, because it is appended to the terms of service and you agree to it by continuing to use Shopify services. This fulfills the requirement of Article 28(3) of the GDPR. Shopify is not able to sign an individual agreement with each merchant.

For Shofy Plus merchants, Shopify has a data processing agreement to cover its processing of personal data. Contact Shopify Plus Support for more details.

Download Shopify's GDPR whitepaper

For more information about how Shopify complies with the GDPR, and to make sure that you will be in a position to comply in relation to your use of Shopify, download Shopify's GDPR whitepaper document (in English).

特別聲明：以上文章內(nèi)容僅代表作者本人觀點(diǎn)，不代表ESG跨境電商觀點(diǎn)或立場(chǎng)。如有關(guān)于作品內(nèi)容、版權(quán)或其它問(wèn)題請(qǐng)于作品發(fā)表后的30日內(nèi)與ESG跨境電商聯(lián)系。