GDPR

General Data Protection Regulation 2018 (GDPR)

SkuIQ GDPR approach

Last updated: 07/30/2018

Introduction

The EU General Data Protection Regulation (“GDPR”) came into force across the European Union on 25th May 2018 and brought with it the most significant changes to data protection law in two decades. Based on privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.

The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardize data protection laws and processing across the EU; affording individuals stronger, more consistent rights to access and control their personal information.

SkuIQ has set itself the goal GDPR fully comply before the enactment of the legislation

This page will set out:

  • What is Sku IQ doing about the GDPR?
  • What does this mean for our customers?
  • General GDPR information

1. What is Sku IQ doing about GDPR?

Sku IQ has two roles involving GDPR. Sku IQ acts as a data controller for personal data of its customers. Personal data mainly concerns the name and contact information of our all our customers. Additionally, Sku IQ acts as a processor (CPU) of the personal data received by Sku IQ customers, as well as third party data concerning their customers. This means that Sku IQ must support its customers to ensure the processing of personal data remains secure and our primary responsibility is to ensure that we adequately protect all data of our customers. In addition, we will assist our clients in responding to requests for inspection, removal or alteration of personal data.

To ensure both, Sku IQ has sought ways to continually optimize the processing of personal information and data. Additionally, Sku IQ is preparing to take the necessary technical measures to meet the new rights of people under GDPR regulation. Currently, you can find all updates and information on GDPR on this page, and we will continue to update our customers on details regarding the necessary steps we are taking with respect to GDPR compliance.

What are Sku iQ’s obligations towards its merchants under GDPR?

Merchants have chosen Sku IQ as a processor of the personal data of their customers from multiple locations. This means that Sku IQ will assist them with their obligations as a controller. In addition, Sku IQ is the controller of any personal data that relates to the merchant directly. For more information on how we process the personal data relating to our direct merchants, please refer to the privacy policy located on our website.

2. What does this mean for our customers?

Every Sku IQ customer also has the responsibility to ensure that they are acting in accordance with the new GDPR legislation. As data controllers also, Sku IQ customers are responsible for maintaining the lawful processing of personal data of their customers. To meet these standards, we recommend (at minimum) following steps:

  1. Make sure your terms of service, privacy and your cookie policy are up to date, and you inform your customers correctly which of their personal data you intend to use and for what purposes.
  2. Ensure those who provide you with access to their data give the opportunity to receive a copy of their personal data or, under certain circumstances, allow you to correct or delete their personal information.
  3. You are required to sign an agreement for the processing of all parties who process personal data on behalf of you to agree on the purposes for which these processors may use the personal information, including to Sku IQ. In the coming weeks, we will be contacting our customers to provide the opportunity to sign our standard contract for the processing of data (DPA).
  4. You must ensure that stored personal information is accurate and protected.
  5. You must not track personal information for longer than necessary, or the period stipulated in any agreement.
  6. Be prepared if any stakeholders make a notice of act (within 72 hours) in the event of any data breach.

Please note that the above is not comprehensive and we recommend you seek legal advice for more information on any implication of the GDPR that may affect your business.

3. General GDPR information (FAQ)

‘What is GDPR?

The GDPR is a new law aimed at EU citizens to give more control over their data. It will replace the Data Protection Directive of 1995. The GDPR governs the collection, storage, transmission and use of personal data. This means all the ‘processing’ of personal data, including tracking (tracking) devices. Therefore is any company or organization that processes data for its customers, clients or customers, under this legislation. Personal information means any information that relates to a person (called data subject). For EU citizens, it means they will have more control over their data. It is now regulating how businesses must process and store the personal data they collect.

Who does the GDPR affect?

The GDPR not only applies to organizations located within the EU, but it will also apply to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.

What is personal data?

Under GDPR, personal data is any information relating to an identified or identifiable natural person. This person is referred to as the “data subject”. This includes the obvious data such as name, address, email address and phone number but also IP-address or data specific to the physical, physiological, genetic, economic, cultural or social identity of that natural person.

What is processing of personal data?

Processing means anything you can do with personal data and includes viewing, storing, changing, transferring and even deleting personal data.

What is the difference between a controller and a processor of personal data?

The controller is the person who determines the purpose and means of processing of personal data. The processor is a person who processes personal data on behalf of the controller and in accordance with the instructions and scope that the controller and processor have jointly agreed upon. Under GDPR, Sku IQ is the controller of personal data of its employees and the personal data that directly concerns the contact persons of our merchants. Sku IQ is a processor of the personal data that merchants are receiving from its customers.

What are Sku IQ’s merchants’ obligations under GDPR?

Under GDPR, the merchants are the controller of the personal data of their customers. This means that as controllers, they are required to process data in accordance with GDPR. Some of the key points are:

  1. Determine what personal data is processed and for what purposes;
  2. Accommodate merchants’ rights in relation to the processed data;
  3. Ensure that the processed personal data is protected adequately;
  4. Establish a clear process to identify and report data breaches within the timeframes set out in GDPR;
  5. Conclude a data processing agreement with all third parties who process personal data on Sku IQ’s  behalf;
  6. Inform the merchants, by means of a privacy policy, in a clear and understandable way on how their data is processed and what has been done to be compliant under GDPR.

What does GDPR say about processing personal data?

GDPR prescribes that in processing personal data the following principles should be taken into account:

  1. Personal data must be processed in a matter that is fair and transparent towards the data subject;
  2. Personal data may be collected for purposes that have been communicated to data subject and for which you have a legitimate purpose;
  3. Personal data must be accurate and kept up to date; inaccurate data must be corrected or erased without delay;
  4. Personal data must be kept no longer than necessary;
  5. Personal data must be handled in a secure way.

What specific rights do individuals have in relation to the personal data that is processed under GDPR?

An individual has the following rights (each of which are explained later in this document):

  • Right of information and access
  • Right to rectification
  • Right of portability
  • Right to object
  • Right to erasure
  • Right to restriction of processing

The controller of the personal data is responsible for addressing these requests; but Sku IQ , as a processor, will assist its merchants in that regard. Any request from a merchant in relation to the above-listed rights should be followed up within one (1) month of the request. If it concerns complex or substantial requests, the term might be extended by an additional month.

What does the right to information and access to personal data mean?

Upon request, individual must be informed about the personal data that is being processed. Copy of the personal data undergoing processing shall be provided, free of charge. In addition, the following information must be provided:

  • the purposes of processing
  • the categories of data processed
  • the recipients or categories of recipients
  • the envisaged retention period, or, if not possible, the criteria used to determine this period
  • the individual’s rights in relation to personal data

What does the right to rectification of personal data mean?

An individual may require incorrect personal data to be rectify.

What does the right of portability of personal data mean?

An individual may require personal data to be provided in a structured, commonly-used and machine-readable form so that it may be transferred to another data controller without undue burden.

What does the right to object to processing of personal data mean?

An individual does not have the right to object to the processing of  personal data in general but may object to the following processing activities:

  • Processing for direct marketing purposes
  • Processing for scientific, historical, research or statistical purposes

What does the right erasure of personal data mean?

It means that an individual may require a controller to have personal data deleted if the processing fails to satisfy the requirements of GDPR. This may be the case under the following circumstances:

  • When the personal data is no longer necessary for the purpose for which it was collected;
  • Where an individual withdraws prior consent and there is no justification for the processing.
  • Where an individual objects to controller’s basis for processing data.
  • When the data is otherwise unlawfully processed.

What does the right to restriction of processing of personal data mean?

This right gives an individual an alternative to the right of erasure and allows the individual to require data to be restricted from further processing when the processing is challenged. Such challenge may occur if the individual disputes the accuracy of data or has objected to the processing. Restriction means that the controller may only store the data and may not further process it unless the individual gives consent, or the processing is necessary for legal claims.  

How is Sku IQ helping merchants with the data subject rights of customers?

Sku IQ  will assist merchants with appropriate technical and organisational measures with responding to requests. This means that if a request is received from a customer, merchants can easily redirect it to Sku IQ via legal@skuiq.com  for additional assistance.

How is Sku IQ protecting the personal data it processes?

Sku IQ has taken both technical and organisational measures to ensure that all the data that we process is adequately protected.

What is a data breach?

Any incident where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data.

What does Sku IQ do in the event it suffers a data breach?

Sku IQ has an internal data breach policy in place which enables it to adequately react in the event of a data breach. Sku IQ’s actions are, briefly, the following:

  1.   Identify the source of the data breach;
  2.   Contain the breach and take all necessary measures to protect data;
  3.   Notify the involved data controller without undue delay after becoming aware of the data breach;
  4.   Asses to what extent measures need to be taken to prevent a similar data breach in the future.

It is the controller’s obligation to notify the supervisory authorities without undue delay and, where feasible, within 72 hours after becoming aware of the breach. A notification is not necessary if the breach is unlikely to result in a risk to the rights and freedom of natural persons.

It is also the controller’s obligation to notify the individuals who are affected by the data breach. The notification is not necessary if the breach is unlikely to result in a high risk for the rights and freedoms of the individuals or if appropriate technical and organizational protection where in place at the time of the incident.

Does Sku IQ use sub-processors?

Sku IQ uses AWS and KPN to store and protect our data. For these services, Sku IQ has entered into an agreement with these sub-processors to ensure that they process the personal data with at least the same level of security as it does.

What is a Data Processing Agreement?

A data processing agreement (DPA) sets out the relationship between the controller and the processor. It describes what personal data the processor may process on behalf of the controller and for what purposes it shall do so. It also describes the technical and organizational measures that the processor has taken to make sure that his processing activities meet the requirements of GDPR and that the rights of the individuals are adequately protected. We will soon make our DPA available.

How long can personal data be kept?

GDPR does not give a specific term in regard to keeping the personal data but indicates that personal data should be retained no longer than necessary in relation to the purpose for which such data is processed. There is also an exception to keep certain personal data longer if it is required to do so by law.

How many years will Sku IQ retain the personal data it processes?

Sku IQ aims is to retain personal data no longer than necessary for the purpose for which such data is received and processed. The length of the period really differs per type of personal data. More details on our data retention policy will follow soon.