On 25 May 2018, the European Union introduced the General Data Protection Regulation. The scope of application of the regulation is extremely broad, and any organization that collects, transfers, retains or processes personal information in all member states of the European Union is bound by the Regulation.
SHOPLINE wants to help you comply with the law as much as possible, and compliance with the GDPR is the responsibility of every merchant.
The territorial scope of the GDPR agreement:
(1) The GDPR applies to organisations with operations in the EU, as long as these organisations process personal data in the context of the operations of the operations within the EU (regardless of whether such processing actually takes place in the EU).
(2) If an organization does not have a business establishment in the EU, but processes the personal data of individuals in the EU, and such processing is related to the provision of goods or services to individuals in the EU, regardless of whether such goods or services are charged or not, the GDPR should also apply.
(3) The GDPR applies to the processing of personal data of individuals in the EU by non-EU organisations, as long as such processing involves monitoring the behaviour of those individuals and the processing takes place in the EU.
Merchants are often the controllers of customer data, which means that you are responsible for collecting your customers' data and determining how it is processed. Also, while this is an EU regulation, if you provide goods and services in Europe, the GDPR may apply to your business even if you or your business is not in Europe.
Interpretation of the content of the GDPR agreement:
(1) Fines for illegal companies can be up to 20 million euros (about 150 million yuan) or 4% of their global turnover, whichever is higher.
(2) The website operator must explain to the customer in advance that the customer's search and shopping records will be automatically recorded, and obtain the user's consent, otherwise it will be illegally handled as "not informing and recording the user's behaviour".
(3) Companies can no longer use vague, incomprehensible language, or lengthy privacy policies to obtain data usage permission from users.
(4) The user's "right to be forgotten" is expressly stipulated, that is, the user can request the responsible party to delete his own data records.