Privacy notice
The GDPR (and particularly Articles 12 to 14) requires that you provide specific information to individuals whose data you are processing, generally in the form of a privacy notice or privacy policy.
You can use Shopify's privacy policy generator to get you started. You can find it in your settings under Checkout or online.
Think about the following questions:
Do you have a privacy policy on your site that includes all of the information that you are required to provide under the regulation? At minimum, does it include how customers can get in contact with you about privacy questions and how customers can exercise their rights, for example the rights to erasure (deletion) or rectification (modification or correction) of their data and the right to access it?
Does your privacy policy include how Shopify may use your customers' personal data for automated risk and fraud scoring? The GDPR requires you to disclose when you (or your service providers) use their information in connection with automated decision-making. Shopify uses your customers’ personal information to block certain transactions that appear to be fraudulent through automated decision-making. Shopify's Privacy Policy Generator includes this information. For more information about this system, see Automated decision-making.
Appointing a Data Protection Officer
A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. If your business’s core activities include large scale online tracking, the GDPR requires that you appoint a DPO and provide contact information for the DPO in your Privacy Policy.
The GDPR includes specific tasks that a DPO needs to do, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. The DPO can be an internal person who has expertise in the GDPR and data protection requirements, but you can also consider working with a consultant or firm to serve as an external DPO.
Think about the following questions:
How many people are affected by tracking technologies on your storefront? These can include behavioral advertising apps, or even retargeting apps. Whether or not the number of people affected is “large scale” is a legal decision, and you should consult with a lawyer depending on your circumstances.
Should you voluntarily appoint a DPO? Even if you are not legally required to appoint a DPO, if your presence in Europe is large enough, you may wish to do so voluntarily to make sure that you adequately protect your customers’ data.
Data processing agreements
Article 28 of the GDPR requires that when you, as a data controller, engage a data processor (like Shopify) to process your customers’ data, you impose strict contractual requirements on how they may use and process that data. This is typically done through a Data Processing Addendum, or DPA.
Shopify has automatically incorporated a Data Processing Agreement (https://www.shopify.com/legal/dpa) into its terms of service, which is designed to address the requirements of Article 28.
For Shopify Plus merchants, their negotiated contracts will govern their relationship with Shopify. Shopify Plus merchants can sign a Data Processing Addendum to address their needs. Shopify Plus merchants who do not sign a Data Processing Addendum will be governed by Shopify’s online Data Processing Addendum.
Think about the following questions:
Are other data processors that you work with outside of Shopify contractually committed to protecting your customers’ data? Many third-party apps, channels, payment gateways, or other data processors will also automatically incorporate a Data Processing Agreement into their terms. Have you consulted with each of these third parties?
Are you a Shopify Plus merchant with a negotiated contract? If you want to sign a Data Processing Addendum, then reach out to Shopify Plus Support. They can provide you with Shopify's template DPA to sign.