Data breach notification
If the GDPR applies to you and you experience a data breach, then you might be required to notify affected users or specific regulatory bodies.
In particular, the GDPR requires notice where a data breach is likely to cause a high risk of adversely affecting individuals’ rights and freedoms.
This is likely to be the case if the breached information:
Includes payment details.
Could be used to reveal embarrassing or personal information.
Could be used to access an individual’s accounts or services.
Where applicable, you're required to provide notice as quickly as 72 hours after you become aware of the breach.
Think about the following questions:
Have you spoken with a lawyer to determine what information you collect and process might require you to provide notice if you experience a data breach?
Do you have a data breach response plan for your business so you are prepared for such an incident?
The GDPR imposes requirements on any company that uses third-party vendors and service providers to process the personal data of its users.
Shopify uses a number of subprocessors to process your customers’ data. For more information about Shopify's subprocessors, see Shopify's subprocessors.
Think about the following question:
Have you reviewed the privacy practices of the vendors and service providers that you use, including Shopify, to make sure that you are comfortable with how they protect your customers’ personal data?
Third-party apps
The GDPR requires that you take a number of affirmative steps relating to your and your third-party service providers’ collection and use of personal data. This includes Shopify, but also any third-party apps that you might use in connection with your Shopify store.
Shopify has taken action to make it easier for you to understand what personal data the apps you install have access to.
Steps:
From your Shopify admin, click Apps.
Click View details on the app you want to review permissions for.
You can also review app permissions before you install an app on the install screen in the app store.
Additionally, there is a section of the app store for each app to link to a privacy policy that explains in more detail exactly what data app developers are collecting and how they are using it.
While Shopify wants to make it as easy as possible for you to assess the data practices of the apps you choose to install, it is up to you to ensure that you are using third-party apps in a way that complies with the GDPR.
Think about the following question:
Based on your location, your customers' locations, your app developers' locations, and your implementation of each app, are you using third-party apps in a way that complies with the GDPR? Consult with a lawyer if you have questions about whether a particular app’s data practices may require additional consideration or work on your part to ensure compliance with the GDPR.
International data transfers
The GDPR prohibits exporting the personal data of Europeans outside of Europe unless that information will be adequately protected.
Shopify protects personal data according to the requirements of the GDPR as it is transferred to and processed in the United States and Canada.
Shopify has set up its data flows to take care of these requirements for merchants. As described in Shopify's Privacy Policy, all European personal data is initially received from merchants and processed in Ireland by Shopify's Irish affiliate Shopify International Ltd. Shopify then transfers that data onward in compliance with the GDPR.
For more information about how personal data from the European Economic Area (EEA) and United Kingdom is received and processed by Shopify according to GDPR standards and information security best practices, see Shopify’s GDPR whitepaper (in English).
Think about the following question:
Have you ensured that other parties you transfer data to will transfer that data across international borders in a way that complies with the GDPR? You can do this by looking at the privacy policies of your third-party apps, channels, payment gateways, or other vendors, and seeing if they explain how they protect European data.
Download Shopify's GDPR whitepaper
For more information about how Shopify complies with the GDPR, and to make sure that you will be in a position to comply in relation to your use of Shopify, download Shopify's GDPR whitepaper document (in English).