shopify賣家任何使用GDPR任命數(shù)據(jù)保護官和處理數(shù)據(jù)-ESG跨境

隱私聲明

GDPR（尤其是第 12 至 14 條）要求您向您處理其數(shù)據(jù)的個人提供特定信息，通常采用隱私聲明或隱私政策的形式。

您可使用 Shopify 的隱私政策生成器來幫助您制定隱私政策。您可在“結(jié)賬”或在線下的設(shè)置中找到它。

請考慮以下問題：

• 您的網(wǎng)站上是否有隱私政策，其中包含您需要根據(jù)法規(guī)提供的所有信息？它是否至少包括客戶如何就隱私問題與您聯(lián)系，以及客戶如何行使其權(quán)利（例如刪除或更正（修改或更正）其數(shù)據(jù)的權(quán)利以及訪問該數(shù)據(jù)的權(quán)利）的相關(guān)信息？

• 您的隱私政策是否包括 Shopify 如何將您客戶的個人數(shù)據(jù)用于自動的風險和欺詐評分？您（或您的服務(wù)提供商）將客戶信息用于自動決策時，GDPR 要求您披露這些信息。Shofy 使用您客戶的個人信息，通過自動決策阻止某些看似有欺詐性質(zhì)的交易。Shopify 的隱私政策生成器包含此信息。有關(guān)此系統(tǒng)的詳細信息，請參閱自動決策。

任命數(shù)據(jù)保護官

數(shù)據(jù)保護官 (DPO) 監(jiān)督組織收集和處理個人數(shù)據(jù)的方式。如果公司的核心活動涉及大規(guī)模的在線跟蹤，則 GDPR 要求您任命 DPO 并在隱私政策中提供 DPO 的聯(lián)系信息。

GDPR 包括 DPO 需要完成的特定任務(wù)，例如，在您的組織更改其收集和處理個人數(shù)據(jù)的方式時，進行數(shù)據(jù)保護影響評估。DPO 可以由在 GDPR 和保護要求方面具有專業(yè)知識的內(nèi)部人員擔任，但您也可考慮與顧問或公司合作，由他們擔任外部 DPO。

考慮以下問題：

• 有多少人受到您店面跟蹤技術(shù)的影響？這些可能包括行為廣告應(yīng)用，甚至重定向應(yīng)用。受影響的人數(shù)是否為“大規(guī)?！笔且豁椃蓻Q策，您應(yīng)根據(jù)您的具體情況咨詢律師。

• 您應(yīng)主動任命 DPO 嗎？即使法律上不要求您指定 DPO，如果您在歐洲占據(jù)舉足輕重的地位，您可能希望主動這樣做以確保您充分保護客戶的數(shù)據(jù)。

數(shù)據(jù)處理協(xié)議

作為 GDPR 適用的數(shù)據(jù)控制方，第 28 條要求您在通過數(shù)據(jù)處理方（如 Shopify）處理客戶數(shù)據(jù)時，您應(yīng)對其可能使用和處理該數(shù)據(jù)的方式規(guī)定嚴格的協(xié)議要求。這通常通過數(shù)據(jù)處理附錄或 (DPA) 完成。

Shopify 已自動將數(shù)據(jù)處理協(xié)議 (https://www.shopify.com/legal/dpa) 納入服務(wù)條款，從而滿足第 28 條要求。

對于 Shopify Plus 商家，他們與 Shopify 之間的關(guān)系將由他們的協(xié)商合同決定。Shopify Plus 商家可簽署數(shù)據(jù)處理附錄以滿足他們的需求。未簽署數(shù)據(jù)處理附錄的 Shopify Plus 商家將受 Shopify 在線數(shù)據(jù)處理附錄的監(jiān)管。

考慮以下問題：

• 您在 Shopify 外部使用的其他數(shù)據(jù)處理者是否依照協(xié)議承諾保護您客戶的數(shù)據(jù)？許多第三方應(yīng)用、渠道、支付網(wǎng)關(guān)或其他數(shù)據(jù)處理者也會自動將數(shù)據(jù)處理協(xié)議納入他們的條款中。您是否就這些事宜咨詢過這些第三方？

• 您是具有協(xié)商合同的 Shopify Plus 商家嗎？如果您想簽署數(shù)據(jù)處理附錄，請聯(lián)系 Plus 客服。他們可以為您提供 Shopify 的模板 DPA 以進行簽署。

Privacy notice

The GDPR (and particularly Articles 12 to 14) requires that you provide specific information to individuals whose data you are processing, generally in the form of a privacy notice or privacy policy.

You can use Shopify's privacy policy generator to get you started. You can find it in your settings under Checkout or online.

Think about the following question:

• Do you have a privacy policy on your site that includes all of the information that you are required to provide under the regulation? At minimum, does it include how customers can get in contact with you about privacy questions and how customers can exercise their rights, for example the rights to erasure (deletion) or rectification (modification or correction) of their data and the right to access it?

• Does your privacy policy include how Shopify may use your customers' personal data for automated risk and fraud scoring? The GDPR requires you to disclose when you (or your service providers) use their information in connection with automated decision-making. Shopify uses your customers’ personal information to block rtain transactions that appear to be fraudulent through automated decision-making. Shopify's Privacy Policy Generator includes this information. For more information about this system, see Automated decision-making.

Appointing a Data Protection Officer

A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. If your business’s core activities include large scale online tracking, the GDPR requires that you appoint a DPO and provide contact information for the DPO in your Privacy Policy.

The GDPR includes specific tasks that a DPO needs to do, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. The DPO can be an internal person who has expertise in the GDPR and data protection requirements, but you can also consider working with an consultant or firm to serve as an external DPO.

Think about the following questions:

• How many people are affected by tracking technologies on your storefront? These can include behavioral advertising apps, or even retargeting apps. Whether or not the number of people affected is “l(fā)arge scale” is a legal decision, and you should consult with a lawyer depending on your circumstances.

• Should you voluntarily appoint a DPO? Even if you are not legally required to appoint a DPO, if your presence in Europe is large enough, you may Wish to do so voluntarily to make sure that you adequately protect your customers’ data.

Data processing agreements

As a data controller under the GDPR, Article 28 requires that when you engage a data processor (like Shopify) to cess your customers’ data, you impose strict contractual requirements on how they may use and process that data. This is typically done through a Data Processing Addendum, or DPA.

Shopify has automatically incorporated a Data Processing Agreement (https://www.shopify.com/legal/dpa) into its terms of service, which is designed to address the requirements of Article 28.

For Shopify Plus merchants, their negotiated contracts will govern their relationship with Shopify. Plus Merchants can sign a Data Processing Addendum to address their needs. Shopify Plus merchants who do not sign a Data Processing Addendum will be governed by Shopify’s online Data Processing Addendum.

Think about the following questions:

• Are other data processors that you work with outside of Shopify contractually committed to protecting your customers’ data? Many third-party apps, channels, payment gateways, or other data processors will also automatically incorporate a Data Processing Agreement into their terms. Have you consulted with each of these third-parties?

• Are you a Shopify Plus merchant with a negotiated contract? If you want to sign a Data Processing Addendum, then reach out to Shopify Plus Support. They can provide you with Shopify's template DPA to sign.

特別聲明：以上文章內(nèi)容僅代表作者本人觀點，不代表ESG跨境電商觀點或立場。如有關(guān)于作品內(nèi)容、版權(quán)或其它問題請于作品發(fā)表后的30日內(nèi)與ESG跨境電商聯(lián)系。