Privacy and The GDPR (General Data Protection Regulation)

With the rapid changes in internet technology and the increasing sharing of personal data online, many countries continue to update their regulations related to the collection, use and security of personal data. The General Data Protection Regulation (GDPR) is new and ground-breaking European Union privacy legislation, taking effect May 25, 2018, that impacts the way businesses and organizations collect, use, and protect personal data.

We're thrilled that merchants all over the world have chosen LemonStand to power their online stores, including many from the EU. Whether you're running an EU based online store, or this new legislation impacts you because you sell to EU based customers, you can rest assured that LemonStand's services are compliant and that we're here to help make sure that you are too. 

How The GDPR Impacts LemonStand

  • GDPR mandates that we are able to meet and honour the regulations in the way that we operate our business. 
  • LemonStand is required to show our commitments and adherence to GDPR through the contractual agreements we have with our customers, and requires certain contractual commitments when we use third parties to provide services.
  • We ensure that LemonStand and our customers are able to honor the rights of European merchants and their customers related to their personal data.
  • We ensure that our team has the expertise and knowledge to fully understand the ongoing impact of GDPR to our business, as well as yours. 

What has LemonStand done to comply with the GDPR?

Here at LemonStand, we’ve been working hard to ensure that we fully comply with GDPR. We've done an exhaustive review of the legislation and our service and made changes and updates where necessary to comply. Some of the key changes we've made are outlined below:

  • We've appointed a Data Protection Officer (DPO), who can be contacted via email at privacy@lemonstand.com for any GDPR or privacy related requests.
  • We’ve reviewed our policies and procedures that relate to data protection across the organization and made changes to ensure compliance.
  • We’ve done a comprehensive review of all of our subprocessors of data to ensure that they are also compliant with these regulations, and updated our contracts with partners where necessary.
  • We’ve reviewed and trained our staff on all changes and processes related to GDPR.
  • We've created a Data Processing Addendum ("DPA") to confirm and clarify how we process, transfer and protect data, which applies to the personal data of any data subject located in the European Economic Area (EEA).
  • We've updated the Privacy Policy we hold with website users, merchants and their customers so that it clearly states our data handling and processing procedures under our Terms of Service.
  • We've added guidance to our help documentation to help LemonStand customers (merchants) who might be impacted by GDPR understand how to support their own customers (see the section below).

When it comes to GDPR compliance, we've got your back. We pledge to continue to monitor the regulatory environment for new legislation that may affect us or our customers, and to share it with you, so that we all stay up to date and run our businesses in compliance with the relevant rules.

How The GDPR Impacts Merchants

Disclaimer: This overview is not an exhaustive analysis of the GDPR and should not be considered legal advice. This information is meant to provide background and help you better understand LemonStand's strategy with regards to GDPR and potential impacts to LemonStand customers and other online merchants.

When it comes to eCommerce, privacy and trust are extremely important, and we're committed to supporting you in complying with GDPR if and when it applies to your business. This overview is intended to help you identify some requirements of the GDPR that might apply to your business and some specific actions that you should be considering in order to ensure compliance. 

For more information on the GDPR you can visit the following sites that provide more specific information and guidance:

Note: We are your eCommerce platform provider, but we’re by no means policy experts. We recommend consulting with a lawyer to figure out exactly how you need to prepare if you are affected by the GDPR. While at LemonStand we've completed our own preparations for the GDPR, you may need to make some of your own to ensure that your site is compliant. 

For example, since we give customers full control of their data and integrations, handling and processing of personal data can happen outside of our platform and outside of our control, which is why you’ll also need to prepare for GDPR on your side. Please read on for more information on how to go about that.

Collection of personal data

Under the GDPR, personal data is any piece of information that can be used on its own or in combination with other data to identify an individual. Examples of personal data include: name, mailing address, email address, social media information, or digital identifiers such as an IP address or even a cookie ID. Under the GDPR, individuals within the EU have rights around how that data is processed.

To understand the impact around the collection of personal data, think about the following questions as they relate to LemonStand and your online store:

  • Do you have customers from the European Union? 
  • What specific personal information are you collecting from your customers to administer your online store? Personal data includes name, email, location information, or identifiers such as an IP address or even a cookie ID. 
  • Some kinds of data are more sensitive than others, like that pertaining to ethnicity, medical information, religious views, or political views. Consider if you’re collecting any of this kind of information in the administration of your store and if you truly need to collect it.
  • If your store uses third party applications (like an email service provider, or marketing analytics tool), you should find out if they collect and process data in accordance with the GDPR. 

Getting consent from your customers

Part of the GDPR states that you might need to obtain consent to process the personal data of your customers, or modify how you currently obtain that consent. In particular, the GDPR says that consent must be "freely given, specific, informed and unambiguous." For example, if you are using online advertising or retargeting apps, you might need a heightened form of consent. Think through the following as it relates to your online storefront:

  • Do you need to get a more specific consent/opt-in from customers because of the personal information that you or a third-party app processes? 
  • Do you need to change your processes to get affirmative, opt-in consent for processing personal data (that you or a third party is processing)?

Collecting information from minors

Under our privacy policy, we do not knowingly provide our services to minors and it is against our terms of use to store the personal information of minors on a LemonStand site without parental consent. 

Ensure that you are not collecting the personal information of minors as part of your store administration without parental consent.

Receiving GDPR data requests

The GDPR includes specific terms around an individual's right to access and control their personal data. You should think through your ability to respond to one of these kinds of requests. If you believe that you’d be unable to fulfill one of these requests, you may want to consider modifying how you process the personal data of your customers.

  • If a customer were to contact you asking what data you have collected about them, would you be able to fulfill that request?
  • Most of the information processed by LemonStand is available to you in your store administration. LemonStand may provide support in fulfilling such a request once you have made efforts to fulfill it yourself, or if it isn't possible for you to fulfill it yourself.

Responding to subject access requests and portability

The GDPR gives individuals the right, in certain circumstances, to request a copy of the personal data that is being processed by an organization. You must be able to provide your customers with a copy of their personal data in a common, easily readable, portable format so that they can use that data with a different service provider. Consider the following questions:

  • Upon receiving such a request, what data would you need to provide?
  • What format would you be able to provide this data in (e.g. CSV)?
  • Do you need to change how you process customer information to be able to provide this data?
  • If you’re using third parties, think through who you would need to contact in order to process and fulfill an access request.

LemonStand allows you to export customer and order data in CSV format to help you comply with these provisions. You can find more information about how to manage and export the data related to your customers through LemonStand in this article.

Erasure requests

The GDPR gives individuals the right, in certain situations, to request their personal data be erased, or that a company restrict the processing of their personal data. You should consider whether you might be obligated to erase or restrict the processing of your customers' data in response to such a request. If you're looking to fulfill an erasure request here's what you need to know:

  • You have the ability to delete the data of individual customers and/or their order history, which can also contain personal data. Customers can be deleted from the Customers > Customers page in your store admin interface. You can select and delete order information from the Orders > Orders page, and subscription data from the Orders > Subscriptions page in your store admin. Before you fulfill a request, consider whether you need to retain the data for any legal reason, and whether you can verify the identity of the requestor (to ensure it is really that person making the request).
  • If you receive one of these requests, you can contact LemonStand at privacy@lemonstand.com to finalize the deletion process. Note: LemonStand cannot complete these requests on behalf of a merchant; a merchant must first delete their customer and any related order/subscription information as described above.

Notification of data breaches

We take security very seriously, and everything you store on LemonStand is maintained and stored in a secure manner. However, if you experience a data breach and the GDPR applies to you, you might be required to notify affected users or specific regulatory bodies within 72 hours of detecting the breach. If you don’t already have one, consider compiling a data breach response plan for your business so that you are prepared for such an incident.

Subprocessing

The GDPR has specific requirements for companies that use third party service providers to process the personal data of their users. We recommend reviewing the privacy practices of the service providers that you use, including LemonStand, to make sure that they adequately protect your customers’ personal data.

Do you need a Data Protection Officer?

A Data Protection Officer (DPO) is responsible for how an organization collects and processes personal data. The GDPR includes specific tasks that a DPO oversees, such as conducting data protection impact assessments when your organization changes how it collects and processes personal data. Consider whether you are required to appoint a DPO to advise on your compliance with the GDPR.

Specifically, you may require a DPO if:

  • You are a public authority;
  • The core activities of your business involve large scale, regular and systematic monitoring of individuals; or
  • The core activities of your business consist of large-scale processing of special categories of data or data related to criminal convictions and offenses.

You can find out more information about DPOs here:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/ 

LemonStand wants to help you, to the extent that we can, with ensuring GDPR compliance. However, it’s important to note that compliance and preparation will vary depending on your website and business, where your customers are located, how you have implemented and used third parties, and the extent to which you have previously considered customer privacy. We’ll do our best to help you ensure you're compliant, but you may wish to consult a lawyer or legal counsel if you feel you’re particularly impacted by, or under-prepared for, the GDPR.