GDPR Compliance Center by Pandectes

Data Privacy Day 2022

Data Privacy Day is a day to focus on best practices for ensuring private data remains that way. Pandectes provides you with insights and tips from experts on the front lines.

Introduction

Data Privacy Day (known in Europe as Data Protection Day) is an international event that occurs every year on 28 January. On 26 April 2006 the Council of Europe decided to launch a Data Protection Day to be celebrated each year on 28 January, the date on which the Council of Europe’s data protection convention, known as “Convention 108”, was opened for signature. Data Protection Day is now celebrated globally and is called Privacy Day outside Europe.

Tomorrow marks the 40th anniversary of the opening for signature in Strasbourg of the first ever binding international treaty addressing the need to protect personal data: the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, also known as “Convention 108.” The treaty was updated in 2018 by an Amending Protocol, which is currently in effect, with the goal of ensuring that its data protection principles are still relevant to emerging technologies and strengthening the treaty’s follow-up process.

Millions of people are unaware of and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy day aims to inspire dialogue and empower individuals and companies to take action.

When illustrating concepts pertaining to data protection, it is often useful to have a concrete use case at hand. As a result, the next post presents an example of such a scenario. Namely, it describes the various aspects of the processing activities of an online shop. In particular, the aspects include the involved entities, the purposes pursued by the processing, the legal bases for the processing, the data necessary to fulfill the purposes, as well as the storage period necessary for this data.

Some basic information about data privacy is presented in the next paragraphs.

Entities

The example of online shopping has a number of participating entities. In particular, these are:

  • The online shop such as Shopify stores who acts as controller.
  • One or several shipping services which for the purpose of this use case illustration are assumed to act as processors of the online shop.
  • Customers who act as data subjects.

Purposes

The following goals are pursued by the processing activities of the example online shop:

  • Processing of Orders
  • Payment
  • Place an order for delivery
  • Notification of Status
  • Convenience for Customers
  • Accounting
  • Customer Service
  • Warranty
  • Customer Relationships That Never End

While these purposes are treated independently for analytical purposes, there may be a high interdependency between them in actual processing, and a processing step may entail many purposes.

Legal

The distinct elements of the processing that make up online shopping are normally sustained with the aid of using distinct legal bases. 

Principles

Personal data may not be processed unless there is at least one legal basis to do so. Article 6 states the lawful purposes are:

  • (a) If the data subject has given consent to the processing of his or her personal data;
  • (b) To fulfil contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
  • (c) To comply with a data controller’s legal obligations;
  • (d) To protect the vital interests of a data subject or another individual;
  • (e) To perform a task in the public interest or in official authority;
  • (f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children)

Shopify and Data Privacy

Shopify provides a detailed description of data privacy on the platform. Of course, each merchant is responsible for preparing a privacy policy page for their store and they need to be compliant with the laws such as GDPR, CCPA, etc that are applied to each country or region in order to protect their visitors and customers.

GDPR Compliance Center

Pandects provide the best solution for GDPR, CCPA, LGPD with the GDPR Compliance Center application.

Scroll to Top