As GDPR is just about to take effect, we wanted to take a moment of your time to notify you of the steps we took to bring our business processes in line with some of the requirements of the General Data Protection Regulation.
Our Privacy & Data Protection Policy:
We updated our Privacy & Data Protection Policy to make it clearer to our website visitors which personal information we process, who we share it with, and on which lawful bases we process this information.
The privacy policy also informs you of your rights that come from GDPR articles 12 to 23.
We process some of your personal data using Google Analytics, and we base this processing on our legitimate interest in knowing where our website visitors come from and which marketing channels work well for us. You therefore have the right to object to the processing of your personal data for these purposes, so we’ve enabled a mechanism on the Privacy & Data Protection Policy page that allows you to opt out of this tracking.
Our newsletter:
Our newsletter subscribers were not collected in a way that would be compliant with the new GDPR regulation, so we’re sending all of them a “re-consent” campaign with valid affirmative-action consent check-boxes and the necessary information about our newsletter processing. This way we will send newsletters only to those who have really given us valid consent to do so.
We’re using MailChimp’s services for our newsletters and we are using their new “GDPR friendly” subscription forms with marketing permission check-boxes that enable our potential subscribers to granularly choose what kind of updates they want to receive from us (if any).
Our clients:
As required by Art. 28(3) of GDPR, when a controller shares personal data with a processor, there needs to be a signed Data Processing Agreement in place between these two entities that ensures the data is processed in line with GDPR.
We have contacted each of our clients that share some of their customers’ data with us for consulting, development or other purposes and proposed a Data Processing Agreement that we can sign with them.
We’re also helping our clients bring their websites in line with GDPR by offering consulting and technical implementation for both technical and organizational measures they need to take in order to comply with the regulation.
Our processes:
We have a developer strike force in place that works on standardizing and simplifying the anonymization of data sets from the eCommerce platforms we use in development environments.
We’ve also written an internal rulebook called “Personal data handling and protection policy”, which binds all of our employees to certain organizational measures that ensure private data is processed in line with GDPR.
We’ve also written down all of the technical measures we have in place and are attaching those, along with our Personal data handling and protection policy, as appendixes to the Data Processing Agreements we signed with our customers to prove that their data is in safe hands with us.
As required by Article 30 of GDPR, and in line with WP29’s Position Paper related to Article 30(5), we’re keeping a record of processing activities that are not occasional.
Our free extensions and code snippets:
If you’ve been following this blog, you know we’ve been publishing a lot of custom code snippets and proof-of-concept type extensions via our articles or our employees’ GitHub profiles. To clarify the role of such code in light of GDPR, we have prepared a statement/disclaimer explaining how those extensions and code snippets can and should be used.
We hope this too can help some of our blog readers, merchants and developers alike. You can view and download our statement here.
What’s next?
While we have done a lot to bring our business, and to help bring our customers’ businesses, in line with the GDPR, we realize there are a lot of uncertainties in the community regarding interpretations of certain articles of the regulation, and we will continuously strive to further improve and optimize our privacy processes.