At Bold Commerce, we take the protection and handling of personal information very seriously.
We do this not only because of legal requirements, but because we hold integrity as one of our core company values.
Making sure that merchants (and their customers) can trust that our team will keep their personal and financial information safe is vital, and frankly, something we obsess over each and every day.
What is GDPR?
The General Data Protection Regulation (GDPR) creates a new set of legal requirements that aim to better protect the personal data of residents of the European Union. This includes more stringent rules on how and where data can be disclosed, stored, and processed.
To help our merchants be confident that Bold takes data security seriously, we’ve compiled a list of things we’ve done that help us meet the high standards set by the GDPR, including:
- Updating our Privacy Statement
- Consent and Lawful Basis for Processing
- Data Subject Rights
- Data Processing Addendum
Updating our Privacy Statement
We’ve updated our Privacy Statement to explain, in plain language, how we handle your data and who might access it, so it’s easy to understand.
This document is important because it explains how we enable and facilitate Rights for Data Subjects, including requests for access, deletion, and modification.
As a Merchant, it’s important for you to familiarize yourself with this document so that you can effectively handle inquiries from your customers.
Consent and Lawful Basis for Processing
The Lawful Bases for Processing are the six grounds on which a company may be allowed to process a user’s personal data.
Bold acts as both a Data Controller and Processor in some circumstances, as defined under the GDPR, and these scenarios are described in our updated Privacy Statement.
We have implied consent to process a Merchant’s personal data when they install one of our apps or submit a form indicating interest in Bold services (such as a quote request for our Professional Services, or a pre-sales support request).
In other cases, we might have express consent to process your data. For Bold, this happens when you sign up for our email list: we tell you what you’re signing up for in plain English.
We also act as a Data Processor when you install one of our apps.
A Processor receives personal data on behalf of a Controller and acts on it only as the Controller has requested. In Bold’s case, we process the personal data of our Merchants’ Customers to help facilitate a transaction between the Merchant and the Customer. For example, our Recurring Orders app reads Shopify customer and order data in order to generate and report on purchased subscriptions.
Protection of Personal Data
We’ve completed an audit of our physical, technical, and administrative security measures to make sure we can be confident that personal data we’re entrusted with is kept safe.
One important outcome of this audit was the minimization and redaction of information that could potentially be used to identify someone personally. The best way to avoid a data breach is to not have that data in the first place; we’ve instituted policies to ensure that we only keep customer (or merchant) information for as long as is reasonable and necessary. At Bold, this means that customer personal data is redacted after a merchant uninstalls one of our apps.
A Data Protection Impact Analysis helps us assess the risk that apps, services, and features could pose to a user’s personal data. We carry out this process as we develop new services and functionality, to make sure we’re building with privacy in mind.
We’ve also reviewed processes of teams across the company to make sure we’re handling personal data in a way that meets the high standards set by the GDPR.
One of our biggest undertakings has been to work with every single vendor or processor used by our team that could potentially come in contact with personal data. This includes server hosts, support ticketing software, blog providers, and everything in between. We’ve made sure they also meet the requirements set out by the GDPR, and where they aren’t able to do this we’ve found alternatives or discontinued the relationships altogether. We’ve signed Data Processing Agreements (or Addendums, where appropriate) to ensure the transfer of this data to countries without adequate privacy laws (as determined by the European Commission) is done safely.
Multiple sessions have also been held with every member of our staff to ensure that everyone understands their legal obligations regarding personal data, and that privacy and respect for personal data remain at the core of how we work alongside Merchants.
Data Subject Rights
One of the components of the GDPR most relevant to citizens is Data Subject Rights: a set of rights granting people the ability to exercise control over their personal data. The three most relevant to you as an eCommerce entrepreneur are likely the right of access, the right to rectification, and the right to erasure.
Right of Access
The right of access allows a Data Subject (the person whose data has been collected or stored) to request from a Data Controller any data they have collected relating to that person, along with information on whether and how it has been processed. In plain language, this is a “Give me everything you have on me” type of request. The Data Controller (in many cases, the merchant) is responsible for providing the data from their own systems, as well as any that has been passed to third-party Processors. If a merchant receives a request relating to the right of access, they should contact firstname.lastname@example.org for assistance.
Right to Rectification
The right to rectification allows Data Subjects to request their personal data be modified or corrected. As a merchant, this may simply mean you make the change as requested in your eCommerce platform. If you have a concern relating to a rectification request as it exists in a Bold app or service, contact email@example.com.
Right to Erasure
The right to erasure, commonly referred to as the “Right to be forgotten”, means Data Subjects have the right to ask that all of their personal data be deleted by a Controller. As with each of the other rights, the Controller is responsible for their own records and must ensure that the Processors they work with also delete this person’s data. Requests for erasure and deletion are handled through an email to firstname.lastname@example.org.
Data Processing Addendum
We offer a Data Processing Addendum confirming that data transferred outside of the EEA (European Economic Area) is handled and processed safely. Merchants can download the Data Processing Addendum, sign it, and send it to email@example.com.
If you want to learn more, read our last post on GDPR: What is it, why it matters, and how it will affect your store, or email us at firstname.lastname@example.org.