MyDentalCE.com's website is powered by Shopify, an e-commerce company currently in compliance with GDPR. Our internal policies are also in compliance with GDPR, per our Shopify terms of service and privacy upgrades to respect and protect our customer privacy on our website.
- Added a data processing addendum to Shopify's online terms of service, as required by Article 28 of the GDPR.
- Implemented a detailed procedure to deal with data subject access requests, deletion requests, and government access requests.
- Prepared a whitepaper to help merchants and partners understand how Shopify interprets and has been approaching its obligations under the GDPR.
- Added functionality to the Shopify platform so that merchants are able to obtain independent consent for marketing purposes, and can choose whether or not to pre-check the consent checkbox depending on their requirements.
- Updated abandoned cart notifications to allow merchants to be able to tie them to whether or not a customer has opted in to marketing communications.
- Appointed an experienced Data Protection Officer to oversee Shopify's data protection program and GDPR implementation plan.
- Prepared a registry of our data processing activities, as required by Article 30 of the GDPR.
- Implemented a Data Protection Impact Assessment process, as required by Articles 35 and 91 of the GDPR.
- Documented the subprocessors that Shopify uses to deliver its platform and other services, and started to review the contractual arrangements with these subprocessors, to make sure that they are required to protect personal data through robust technical and organizational measures.
- Began the process of applying for approval of Binding Corporate Rules to support Shopify's data processing operations.
- Started to deliver GDPR-focused training to key teams and personnel, so that they are aware of the law’s requirements and can design Shopify products and business plans with privacy in mind.
In addition to the preparations listed above, Shopify will also roll out the following features before May 25:
- Tool to request all of the information Shopify holds about a customer on their behalf through the Shopify admin, in case the merchant receives a subject access request under the GDPR.
- Tool to request that Shopify delete all personal information associated with a particular customer through the Shopify admin, in case the merchant receives an erasure request under the GDPR. When a merchant uses this tool to request erasure, Shopify will also forward this request to apps the merchant has installed at the time of the request that were granted access to customer personal information.
- More informative channel installation process that tells merchants exactly what personal data the channel will have access to after it is installed.
- More transparent process through which merchants install apps so that merchants can fully understand exactly what personal data an app is requesting access to before installing the app.
- More descriptive listings for already-installed apps so that merchants can check specific app data access permissions at any time.