GDPR Statement

 

On 25th May 2018 EU General Data Protection Regulation (GDPR) comes into force. This will impact all enterprises.  This replaces the UK’s Data Protection Act 1998.

 

Basic background information about this process can be found here

 

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/



As our customer there are 2 relationships.

 

  1. Dx3webs is the  Data Controller.  You are our customer.  We are responsible for protecting the data you provide us with when you use our website, create an account or purchase a service.  We have fully audited our own GDPR compliance both in terms of the services we offer to our customers and in terms of our own internal policies and procedures. We have appropriate technical and personnel protocols in place to ensure the security of your data.  We have carried out a full audit of our sub-processors and other third party processors we use to ensure their GDPR compliance. Only specific staff access data sensitive platforms Our updated privacy policy is here 

 https://dx3webs.com/privacy-policy-cookie-restriction-mode

  1. Dx3webs is your Data Processor. You host your site with us. You are the owner of your data and we process this on your behalf.  We do not use the data we hold on your behalf for any reason. We do not share or facilitate access to this data to any 3rd party unless legally required to do so.  Your data is hosted in the UK with ISO27001 certified data centers in Maidenhead. None of your data is transferred outside the EEA. The security of the servers is our top priority. Patches are applied as soon as available and our security policies and practices evolve with the threats to ensure your data and your clients information is as safe as possible.  Access to the servers is limited only to authorised personnel either physically or remotely and only to ensure we can deliver the managed service we are contracted to provide. We do not use 3rd parties to delivery any part of our managed service to you.

 

  Data Breach

Should either of these aspects of GDPR responsibilities suffer a data breach you will be notified within 24 hours of us discovering the breach. At which point our PCI / GDPR Data Breach policy will be enacted.

 

  Log retention.

Remember that your PCI obligations require you to store log files for a minimum of 1 year to aid investigation. As this includes the IP address of your clients you should make them aware of this in your privacy policy.

 

  Magento FAQ

  • What changes to I need to make to my Magento site?

 

Given that GDPR affects any business that deals with customers residing in the EEA there is quite a potential number of magento stores that need tweaking to fulfil the spirit of the GDPR regulations. As such extensions are being released to address this. Some free and some at cost.  Areas that need addressing are:

 

Add a cookie consent bar to your site.  You need to tell users if you are using 3rd party cookies and they need to explicitly consent to use them.

Allow customers to remove their personal data / account from your site.

All marketing should be done on an Opt in basis and allow users to opt out from subscriptions.

Update your privacy policy and cookie policy to explicitly state what data you collect, why and how it is stored / transferred.

Anonymize personal data, in particular any data which is not being used for transactional purposes eg quote table data.

 

If in doubt seek legal advice on the matter. There are lot of legal firms offering GDPR advice.

 

In particular make sure the site is as secure as you can make it. As a minimum follow these tips :

https://dx3webs.com/blog/magento-security-tips

 

  • What is Magento’s stance on encryption being a requirement for GDPR?

Organizations should implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the risk. Such measures may include encryption, but it is not a mandatory requirement under the GDPR. In GDPR parlance, when determining appropriate technical and organizational measures, organizations should take into account the costs of implementation and the nature, scope, context and purposes of the processing.


  • As your Data Processor what are Dx3webs commitments as listed in our Terms and Conditions


Dx3webs GDPR Terms reflect the requirements of data processors in Article 28. This commits us to:

  • Only use subprocessors with the consent of the controller and take responsibility for subprocessors.

  • Process personal data only on instructions from the controller.

  • Ensure that all personnel who process personal data are committed to confidentiality.

  • Implement appropriate technical and organizational measures to ensure a level of personal data security appropriate to the risk.

  • Assist controllers in their obligations to respond to data subjects’ requests to exercise their GDPR rights.

  • Meet the breach notification and assistance requirements.

  • Assist controllers with data protection impact assessments and consultation with supervisory authorities.

  • Delete or return personal data at the end of provision of services.

  • Support the controller with evidence of compliance with the GDPR.

The full wording can be found in our Terms and Conditions here

 

 
  • Under what circumstances does Dx3webs transfer your data outside of the EU?

We do not transfer any of your data outside the EU.

 
  • How does Dx3webs store data that they process on our behalf?

Your data is stored on our servers in your applications in our Maidenhead Data Centre in the UK and is copied to our backup servers each night which are also in the UK.


  • Does Dx3webs store ‘Sensitive Personal Data’?

We foresee no circumstances in which ‘Sensitive Personal Data’ would be collected in your application. If your application does store Sensitive Personal Data please ensure you have taken sufficient steps to safeguard this data.


  • Does Dx3webs have a Data Protection Officer?

No. We fall outside the criteria for a mandatory DPO. We believe that every member of staff is an active advocate for the proper care and use of customers information.


 


If you have any questions about GPDR please email privacy@Dx3webs.com

© 2016 Dx3webs Ltd. All Rights Reserved. | Company No. 08221801 | VAT No GB142 6020 55 | Terms & Conditions | Privacy Policy