1. Data Flows
If you haven’t already done it, map out your data flows today. A data flow can be as simple as receiving address details from a customer making an order. Perhaps you then save those address details to then printing address labels off at the end of the year to send your best customers a Christmas card. Think about where personal information comes in (I imagine it’s when your customer places an order) and consider where it goes next and how it flows around your department. Do you pass details onto someone else? Do you save it somewhere else? In order to keep this data safe you firstly need to know where it is. More on data flows later.
In the case of internet shopping, the lawful basis for holding personal information is consent. Your customer has consented to provide you with their details in return for the purchase of your products. This information can legally be stored for as long as it is used for the intention it was provided (unless the customer asks you to delete it beforehand that is). Now is the time to think about data retention. How long do you need the personal information for? It may be different for different types of information. Your Data Retention Policy will need to be included in your Privacy document.
On the subject of consent, from May 25th you will only be able to send marketing information to your customers who have consented to receive it. By this I mean they have opted in – you can no longer imply consent to receive emails by pre-selected boxes. Unless a customer has actually told you they want this information you can no longer send it. Your Newsletter feature and Store Blog are going to be vital tools to engage with your customers and tell them about updates and new products. If your customers have signed up for your freewebstore Newsletter, this feature is set up to be fully GDPR compliant so your customers have given their consent to receive it.
4. Individual Rights
Consent for you to hold personal data can be withdrawn at any time. Individuals will have the right to be forgotten or even ask you what information you hold on them. You must respond within a month to such a request so you will need to know where your information is held. If you’ve mapped out your data flows you will be able to do this quickly. We will shortly be releasing an update which will allow you to search for all the records you hold on an individual which will allow you to comply with a request for information or erasure.
When running a creative business, it’s important to respect your buyers’ privacy rights and follow data protection laws. As a business owner, you receive certain personal information about customers when they place an order or contact you about a potential order, such as name, postal address, email address, and phone number. The European General Data Protection Regulation (GDPR) and other local data protection laws guard how this kind of personal information is collected and used, and protect the privacy rights of online shoppers. Under these laws, buyers are entitled to certain information, including when, why, how, by whom, and for what purpose personal information is collected, used, and shared.
Leading Practices for Marketing Messages
There are a few things you should know before using email addresses to contact your buyers, such as sending a newsletter or advertising new products. Under the laws of many countries, including those in Europe, you often need prior “express consent” from your buyers to send them marketing or promotional messages. Express consent means that you can only send marketing messages to a buyer if they have indicated their consent for you to do so through a clear affirmative action, such as a buyer agreeing in an Seller Bay Convo or email to receive marketing messages from you. Even if you get a buyer’s email address through Seller Bay to help fulfill the transaction, you’re required to get the buyer’s express consent before sending them marketing messages. Remember that even once you have express consent to send marketing messages, you must respect requests to opt out of receiving further marketing messages from you, as consent can be revoked at any time.
Keep in mind that sending unsolicited advertising or promotions through Seller Bay Convos is not allowed under Seller Bay’s policies. It is also a criminal offense in some countries. Before using buyers’ personal information for any purpose other than fulfilling orders, providing customer service, and sending marketing messages where you have obtained the buyer’s express consent, you should seek legal advice.
This uses Google Cloud to host some of his buyers’ personal information.
- the personal information he collects;
- the legal bases he relies on to collect, use, and share personal information;
- the third parties with whom he shares personal information;
- the length of time he keeps personal information;
- if he’s transferring personal information outside of Europe (for example, if he moves his business to the United States and continues to sell to buyers in Europe, or uses a third party provider located outside of Europe, or uses Google Cloud to host some of his buyers’ information), how the transfer will be handled;
- his buyers’ rights regarding his use of their personal information; and
- how his buyers can contact him with privacy-related requests.
1. Personal information he collects
Should go on to explain what information he collects from buyers, why he needs the information, how he uses it to fulfill orders, the third parties with whom he shares the information, and the length of time he keeps the information. Here’s an example:
Information I Collect
To fulfil your order, you must provide me with certain information (which you authorized Seller Bay to provide to me), such as your name, email address, postal address, payment information, and the details of the product that you’re ordering. You may also choose to provide me with additional personal information (for a custom order of jewelry, for example), if you contact me directly.
2. The legal bases he relies on to collect, use, and share personal information
Why I Need Your Information and How I Use It
I rely on a number of legal bases to collect, use, and share your information, including:
- as needed to provide my services, such as when I use your information to fulfil your order, to settle disputes, or to provide customer support;
- when you have provided your affirmative consent, which you may revoke at any time, such as by signing up for my mailing list;
- if necessary to comply with a legal obligation or court order or in connection with a legal claim, such as retaining information about your purchases if required by tax law; and
3. The third parties with whom he shares personal information
The GDPR requires that you disclose the details of any personal information you share with third parties. Should explain to his buyers why, when, and with whom he may share buyers’ personal information. For example:
Information Sharing and Disclosure
Information about my customers is important to my business. I share your personal information for very limited reasons and in limited circumstances, as follows:
- Service providers. I engage certain trusted third parties to perform functions and provide services to my shop, such as delivery companies. I will share your personal information with these third parties, but only to the extent necessary to perform these services.
- Business transfers. If I sell or merge my business, I may disclose your information as part of that transaction, only to the extent permitted by law.
- Compliance with laws. I may collect, use, retain, and share your information if I have a good faith belief that it is reasonably necessary to: (a) respond to legal process or to government requests; (b) enforce my agreements, terms and policies; (c) prevent, investigate, and address fraud and other illegal activity, security, or technical issues; or (d) protect the rights, property, and safety of my customers, or others.
4. The length of time he keeps personal information
The GDPR requires you to disclose the period of time during which you will store personal information. Nathan should consider how long he needs to retain information for business purposes and to comply with any legal or tax obligations, and keep in mind that data shouldn’t be kept for any longer than necessary. For example:
5. If transferring personal information outside of Europe, how the transfer will be handled
GDPR requires you to disclose if you transfer personal information outside of the EU and the legal bases Uyou rely on to do so, such as consent and contractual necessity. uses Google Cloud, which is Privacy Shield certified, so he should explain to his buyers that he relies on Privacy Shield as the legal basis for the transfer of his buyers’ personal information outside of the EU.
Transfers of Personal Information Outside the EU
I may store and process your information through third-party hosting services in the US and other jurisdictions. As a result, I may transfer your personal information to a jurisdiction with different data protection and government surveillance laws than your jurisdiction. If I am deemed to transfer information about you outside of the EU, I rely on Privacy Shield as the legal basis for the transfer, as Google Cloud is Privacy Shield certified.
6. His buyers’ rights regarding his use of their personal information and his contact details
Based on GDPR requirements, should finish by explaining to his buyers their rights regarding the information they provide to him on Seller Bay. Should also provide his contact details and explain to his buyers that he is the data controller of their personal information.
If you reside in certain territories, including the EU, you have a number of rights in relation to your personal information. While some of these rights apply generally, certain rights apply only in certain limited cases. I describe these rights below:
- Access. You may have the right to access and receive a copy of the personal information I hold about you by contacting me using the contact information below.
- Change, restrict, delete. You may also have rights to change, restrict my use of, or delete your personal information. Absent exceptional circumstances (like where I am required to store data for legal reasons) I will generally delete your personal information upon request.
- Object. You can object to (i) my processing of some of your information based on my legitimate interests and (ii) receiving marketing messages from me after providing your express consent to receive them. In such cases, I will delete your personal information unless I have compelling and legitimate grounds to continue using that information or if it is needed for legal reasons.
- Complain. If you reside in the EU and wish to raise a concern about my use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local data protection authority.
How to Contact Me
For purposes of EU data protection law, am the data controller of your personal information. If you have any questions or concerns, you may contact me at Alternately, you may mail me at:
*If a customer contacts you to access, correct or delete personal information held by Seller Bay, you may contact Seller Bay at Seller-Bay.com/help for assistance, or request that the customer send a request directly to Seller Bay.