Application to ShopWired
The GDPR applies to both ShopWired and the users of ShopWired who create websites using the tools that it provides that process the personal data of any resident of any country that is a member state of the European Union.
It is highly likely that, after the United Kingdom's withdrawal from the EU, the government will implement the GDPR into United Kingdom law.
The ShopWired platform is provided by Platform 21 Limited, a company located and registered in England and Wales.
Supplemental services are also provided by companies located within the United Kingdom. SHOPWIRED.CO.UK Ltd and Platform 43 Ltd, both registered in England & Wales.
Necessary data transfer and disclosure and other legal agreements, required by the GDPR, are in place between each of these 3 companies governing roles, responsibilities and legal requirements obligated by the GDPR. Data Protection Impact Assessments have, where necessary, been conducted to ensure that data transfers and disclosures take place within the regulatory requirements of the GDPR.
Application to ShopWired Users
The GDPR applies to individual ShopWired users in a separate way to which it applies to ShopWired.
As a business, you have your own individual and unique (to your business) requirements in how you ensure that your whole business complies with the requirements imposed by the GDPR.
It is your responsibility to ensure compliance with the GDPR. Whilst ShopWired does comply with the GDPR this does not make your business automatically compliant.
Website visitors and customers
The GDPR gives rights to persons, referred to as data subjects, who are either explicitly identified in data or who's identity could be inferred from data (such as an IP address).
The rights conferred by the GDPR include:
• The right to request their data is deleted (erasure)
• The right to see the data that you hold about them and obtain an export of it (access)
• The right to correct any data that's incorrect (rectification)
The GDPR applies to any collection, storage or processing of personal data. Personal data means by information relating to a data subject.
This includes data such as:
• Identification numbers (e.g. customer IDs)
• Location data (about where the data subject resides)
• An online identifier like an IP address or cookie ID
Data subjects have the right to request their data be erased in certain circumstances.
This topic is covered more in the erasure help guide.
Data subjects have the right to access the data.
That means, explaining to data subjects about how their personal data is processed and provide access to the personal data.
Within your ShopWired account, we are building a way for you to be able to generate an export for all the data held about a particular customer.
Before providing a data subject with this data you must first validate their identity. Providing data about a data subject to another person would be a serious breach.
Data subjects have the right to request that data held about them, which is incorrect, is rectified.
Within your ShopWired administration system, you will be able to rectify data held about customers where that data is personally identifiable (such as their name or address).
Automated decision making
In limited circumstances, ShopWired might hold personally identifiable data about an individual where that data relates to the customer's use of a website within the ShopWired platform.
Our security systems constantly scan traffic received into the platform for suspicious behaviour. Where suspicious behaviour is identified and it is deemed to constitute a threat to the wider security of the platform, certain IP addresses may be added to a blacklist to block traffic from that source.
In a recent judgment, the Court of Justice of the European Union decided that an IP address, on its own, and without the ability to legally obtain information from a party that can match the IP address to personally identifiable information (such as a name) is not, in and of itself, personally identifiable information.
As such, it is our interpretation of the legislation that where ShopWired collates a list of IP addresses for use as blacklists in order to protect the platform, that data does not constitute data which personally identifies a customer and as such there is no legal requirement to either delete that data (where requested) or provide access to it.