What is GDPR & What do you need to know?

If your store is required to comply with GDPR regulations, here's what you need to be aware of.



By now, you have likely heard of the GDPR: The General Data Protection Regulation, a European Union privacy law adopted in 2016 and in force since 25 May 2018. The GDPR replaced the prior European Union privacy directive known as Directive 95/46/EC (the “Directive”), which had been the basis of European data protection law since 1995.

The GDPR regulates, among other things, how individuals and organizations may collect, use, store, and delete personal data. It applies to any business, anywhere in the world, that processes the personal data of people in the EU, so it has a significant impact on businesses well beyond Europe.

  • Right to object: An individual may prohibit certain data uses.

  • Right to be forgotten (erasure): An individual may request that an organization delete the personal data it holds on that individual without undue delay, unless the organization has a legal reason to keep it (for example, to meet a tax record-keeping obligation).

  • Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.

  • Right of access: Individuals have the right to know what data about them is being processed and how.

  • Right of portability: Individuals may request that personal data held by one organization be transported to another.

Overall, you need to know that under GDPR you have to have a lawful reason to process (fancy word for use) data. There are six different legal bases; the ones most commonly relied on by stores are consent, performance of a contract, and legitimate interests. For example, let’s talk about consent. Some of the big requirements when relying on consent are:

  • It has to be specific about what you are using the data for.

  • A privacy notice needs to be nearby.

  • No pre-ticked boxes!

  • It cannot be a condition of buying a product or service: a customer must be able to complete a purchase without opting in to marketing.

  • You have to keep a record of the consent (who consented, to what, when, and what they were told).

  • The user needs to be able to withdraw consent as easily as they gave it.

Stricter consent requirements: Consent is one of the fundamental aspects of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s strict new requirements.

  • Consent must be specific to distinct purposes.

  • Silence, pre-ticked boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data.

  • Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
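The consent requirements above read like a specification, so here is what a consent record could look like in code. This is an added example, not Springbot’s code or any part of the Springbot product: the purpose names, the form fields and the sign-up submission are all constructed for illustration. It keeps one decision per purpose (no bundled “I agree to everything”), records an opt-in only on an explicit tick, stores the evidence a record of consent needs, and makes withdrawal a single call that is checked before any processing.

```python
"""Per-purpose consent ledger. Added example, not Springbot's code.

Purpose names, form fields and the sample submission are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Distinct purposes a store may ask consent for (constructed names). Anything
# outside this set is rejected, so a single bundled "agree to all" field can
# never be recorded as consent to several purposes at once.
PURPOSES = {"marketing_email", "retargeting_ads", "product_analytics"}


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str
    granted: bool                    # True = opt-in, False = withdrawal
    timestamp: datetime
    notice_version: Optional[str]    # privacy notice shown when consent was given
    source: str                      # where it was captured: form id, link, API


class ConsentLedger:
    """Append-only ledger of consent decisions; the latest event per purpose wins."""

    def __init__(self):
        self._events = []

    def record_form_submission(self, subject_id, form, notice_version, source, now=None):
        """Record a sign-up form. `form` maps purpose -> the value the user submitted.

        Only a value of True (an explicit tick) is stored as consent. Missing or
        falsy fields are simply not recorded, so an untouched form leaves the
        subject with no consent at all, which is the correct default.
        Returns the purposes that were recorded as opted in.
        """
        unknown = set(form) - PURPOSES
        if unknown:
            raise ValueError(f"unknown or bundled purposes: {sorted(unknown)}")
        now = now or datetime.now(timezone.utc)
        recorded = []
        for purpose, value in form.items():
            if value is True:
                self._events.append(
                    ConsentEvent(subject_id, purpose, True, now, notice_version, source))
                recorded.append(purpose)
        return sorted(recorded)

    def withdraw(self, subject_id, purpose, source, now=None):
        """Withdrawal is one call with no conditions: as easy as opting in."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        now = now or datetime.now(timezone.utc)
        self._events.append(ConsentEvent(subject_id, purpose, False, now, None, source))

    def is_permitted(self, subject_id, purpose):
        """True only if the most recent decision for this purpose is an opt-in.

        Call this before every send or ad placement; never cache the answer.
        """
        latest = None
        for ev in self._events:            # append order is chronological
            if ev.subject_id == subject_id and ev.purpose == purpose:
                latest = ev
        return latest is not None and latest.granted

    def history(self, subject_id):
        """The evidence trail: what was agreed, when, under which notice, from where.

        This is what you hand over for an audit or a right-of-access request.
        """
        return [ev for ev in self._events if ev.subject_id == subject_id]


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed sign-up: marketing box ticked, retargeting box left unticked.
    ledger.record_form_submission(
        "cust-42", {"marketing_email": True, "retargeting_ads": False},
        notice_version="privacy-notice-v3", source="signup_form")
    print(ledger.is_permitted("cust-42", "marketing_email"))    # True
    print(ledger.is_permitted("cust-42", "retargeting_ads"))    # False
    ledger.withdraw("cust-42", "marketing_email", source="unsubscribe_link")
    print(ledger.is_permitted("cust-42", "marketing_email"))    # False
    for ev in ledger.history("cust-42"):
        print(ev)
```

The ledger is append-only on purpose: a withdrawal is a new event, not a deletion, so you can still show that consent existed for the emails you sent before the customer unsubscribed, and the current answer always comes from the latest event.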

Stricter processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:

  • Retention period: This should be as short as possible (“storage limitation”).

  • Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary for the performance of a contract, the individual has consented (see the consent requirements above), or the processing is in the organization’s “legitimate interest.”

Reviewing your Privacy Statements:

You should review the privacy statement and practices applicable to your organization and ensure that they provide proper notice that the personal data of your subscribers or contacts will be transferred to Springbot and processed by Springbot.

For example, you may want to consider updating your privacy statement to include language that specifically identifies Springbot as one of your processors and delineates the applicable processing activities performed by Springbot, such as the collection (e.g., via sign-up forms) and storage of personal data (e.g., within your Springbot account in order to allow you to create and use distribution lists, send marketing email campaigns, and place online advertisements), and the transfer of personal data to certain of Springbot’s sub-processors (who, as described in our Data Processing Agreement, perform some critical services, such as helping Springbot prevent abuse and providing support to our customers).

In regard to other apps:

You should review any other integrations or add-ons that you are using (or plan to use), and any terms associated with those, to ensure that you have adequately disclosed potential data processing activities associated with your use of those services to your subscribers and contacts.

Here you can find more information for each of our Shopping Platforms on GDPR:
