Selz’s commitment to the GDPR
The European Union’s General Data Protection Regulation (GDPR) came into effect on 25th May 2018. The regulation makes significant changes to how companies and individuals can use and process personal data and impacts everyone doing business in the EU.
Selz has always been committed to following the world’s best standards for data privacy and we’re likewise committed to complying with the GDPR. Importantly, we’re committed to making sure all our retailers have the tools they need to comply with these new regulations. So over the next few weeks, we’re going to be rolling out a series of GDPR-related updates.
This post explains some of the implications of the GDPR and the updates we are releasing to address them. It’s for informational purposes only and isn’t a substitute for legal advice. If you’re unsure about your obligations under the GDPR we encourage you to take professional legal advice.
What is the GDPR?
The GDPR is new EU legislation which regulates the processing of personal data. The GDPR requires companies or individuals to implement safeguards to ensure personal data is adequately protected. It also gives individuals rights over their data, for example when giving their consent and when accessing and correcting their data. The GDPR applies to anyone established in Europe but also to anyone who offers goods and services for sale to European customers.
How has Selz prepared for the GDPR?
Selz has prepared for the GDPR in these ways:
- We appointed an experienced Data Protection Officer to oversee our data protection program and GDPR implementation plan.
- We reviewed our contractual arrangements with sub-processors, to make sure that they are required to protect personal data through robust technical and organizational measures.
- We started to deliver GDPR-focused training to key teams and personnel so that they are aware of the law’s requirements and can design our products and business plans with privacy in mind.
- We implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.
- We created a Data Processing Addendum and incorporated it into our Terms of Service, as required by Article 28 of the GDPR.
- We created informational materials about our data protection program for merchants who are looking to conduct due diligence and make sure that Selz can support their data protection needs.
- We are preparing a detailed register of our data processing activities, as required by Article 30 of the GDPR.
I am a Selz Merchant – how does the GDPR affect me?
1. Does the GDPR apply to me?
Generally speaking, the GDPR applies to anyone established in Europe, but also to anyone who offers goods and services for sale to European customers. If you are based in the United States but you sell your goods and services to customers based in Europe, for example, the GDPR applies to you.
It is important to understand what you need to do to prepare for the GDPR. The information below is meant to help you do that; however, it is not legal advice. Our recommendation to merchants is that they should consult with a lawyer to understand what they need to do to ensure they comply with the GDPR.
2. Key Concept: data controller and data processors
Under the GDPR, entities which process personal data may fall into two categories: data controller and data processor. Data controllers, alone or jointly with others, determine the means and purpose of the processing of personal data. A data processor is the entity which processes the data on behalf of and according to the instructions of the data controller.
Because we process personal data on your behalf, Selz is a data processor. So we have prepared a Data Processing Addendum which governs our relationship with you.
4. Data subjects’ Rights
The GDPR expands the rights of data subjects, in this case, the customers whose personal data you collect. These rights include the right to access their data, to rectify their data, to request erasure of their data and to port their data. We are releasing new features which will allow you to process these requests. These features include:
- Simplified customer data export
- Customer data deletion
5. Data breach notification
If you or your business experiences a breach of customer data, you may be required to notify supervisory authorities in the EU, and in some instances your customers. The same applies to Selz. As part of our undertaking to you, outlined in the Data Processing Addendum that forms part of our Terms of Service, we commit to notifying you of data breaches, as required by the GDPR.
The GDPR is a complex piece of legislation and we encourage merchants to review their business operations and inform themselves. As part of your review, you should consider:
- How and when does my business process personal data?
- What measures are in place to ensure that personal data is secure?
- Am I obtaining appropriate, affirmative consent to process this personal data?
Some additional resources: