What is GDPR?
The European Union (EU)'s General Data Protection Regulation (GDPR) is a new regulation that came into effect on the 25th of May, 2018. Its aim is to harmonize the data privacy laws across the EU, and (in particular) protect the rights of residents of the EU about the processing of their personal data. It recognizes the data privacy rights of EU residents, and lays down rules regarding processing of personal information shared with third party webCommerce. GDPR aims to give EU residents full control over their personal data.
What is personal data?
GDPR considers personal data as any data that can directly or indirectly identify a natural person. This includes, but is not limited to: name, address, phone number, email address, IP address, traveling habits, and photos.
When and where does GDPR take effect?
GDPR applies for any activity that collects or processes personal data of EU residents. It does not matter if the activity takes place inside the EU or not. GDPR has global reach.
Why be GDPR compliant?
EU's GDPR is legally binding. The concerned Supervisory Authority (as defined by GDPR), may fine the non-compliant person or organization up to 20 million Euros or 4% of their annual worldwide turnover from the preceding year, whichever is higher. Levying a fine happens for two reasons:
- A deterrent, so that Data Controllers and Data Processors act responsibly, and adhere to GDPR's guidelines.
- A compensation for the persons who have suffered material or non-material damage because of infringement to GDPR.
Key roles that GDPR identifies
- Data Subject: A resident of the EU from whom, or about whom, data is collected and/or processed.
- Data Controller: The person or organization that defines the purpose and means of collecting and processing data.
- Data Processor: The person or organization that processes the collected data on behalf of the Data Controller.
In this context, when you use Zoho Commerce to build an ecommerce store:
- The store visitors who view and interact with the website act as theData Subjects.
- The store administrator or the store owner, who creates and publishes content such as, product details, text, design, and forms is the Data Controller.
- Zoho Commerce who processes and serves the given data using the platform acts as theData Processor.
Here is how Zoho Commerce helps you stay compliant with the GDPR:
The following are the features that Zoho Commerce provides for Data Controllers to process personal data in a GDPR compliant manner.
- Data Security
- Secure transit: SSL/TLS encryption keeps your website safe during transit.
- Security Audit: Zoho is ISO 27001, 27017, 27018, 27701 certified & SOC 2 Type II compliant. Learn more
- Encryption: All access tokens like login credentials and passwords are encrypted at rest.
- Restricted Sign up
- Member Portal The member portal enables you to manage which visitors get to view what pages.
- Invited Members You can invite members to your website to limit only accepted visitors to your website.
- Privacy by Design
To view your visitor statistics, Zoho Commerce anonymizes IP addresses to their respective country codes. Only anonymized data gets stored and never the IP address.
The contributors feature enables you to invite friends, family, and colleagues to edit your ecommerce store content collectively and design. The User option allows you to add your employees to run the store with limited access to the operations of your store.
You can grant four levels of access to your Contributors:
- Audit Logs
You, the data controller can get insight and control over data that has been entered in your store by either contributors or yourself.
- Data Portability
All data that you have entered in your website can be downloaded at any time in a .zip format which is password-protected.
- Form Data
You, the data controller can download form data at any time subject to adequate authorisation.
Before integrating with any internal or third-party service, your permission will be requested. Once you grant permission, you can integrate with Zoho products such as: Zoho CRM, Zoho PageSense, Zoho Campaigns, and Zoho Sales IQ. Each of these Zoho products are GDPR-ready. Click here to learn more.
Data Subject Rights
The following are the Data Subject Rights that GDPR recognizes and how Zoho Commerce helps you address them.
Right of access
A visitor may request you (the Data Controller) for data that he has submitted through the forms on your website. You can download the data and send it to your data subjects.
Right to rectification
Data Subjects may request to rectify data that they have entered in forms. Once the request is made, you can make required changes to the form data.
Right to be informed
The blog comments, product reviews and comment box features have a "Guest" option for Data Subjects to comment anonymously. Store admins can moderate these comments to avoid spamming.
Data Hosting (Locality)
Zoho Servers are located in the most secure data centers in US, EU, IN and AU. The region where we host your service data depends on the Zoho domain that your Zoho Commerce account is registered in.
The following table lists the Zoho domains and their respective hosting locations.
|Zoho Domain - Account creation||Data Center Location|
|commerce.zoho.com||US (United States)|
|commerce.zoho.eu||EU (European Union)|