General Data Protection Regulations

On Technology Pty Ltd (ABN 43 126 286 691) (including its brand ‘Codisto’) (henceforth “Codisto”) is committed to comply with privacy and data privacy protection laws in all jurisdictions where it does business.

Ensuring data privacy protection is the foundation of trust and maintaining the reputation of Codisto in all its commercial relationships.

Codisto is committed to complying with the EU GDPR requirements that impact its operations and applications used by our customers, which becomes effective on 25th May 2018.

This document is supported by Codisto’s privacy policy which explains how and why Codisto collects personal information, how it is used, and what controls a Data Subject has over Codisto’s use of it.

Codisto is committed to complying with applicable laws governing the collection and use of personal information and to protecting and safeguarding a Data Subject’s privacy when that person deals with us.

The Codisto privacy policy can be found at www.codisto.com/privacy.

Summary of GDPR

The European Union’s Data Protection Directive 95/46/EC, adopted in 1995, regulates the protection of individuals with regards to the processing of personal data and the free movement of such data.

The European Union Commission has issued updated privacy laws commonly referred to as General Data Protection Regulations (or GDPR) and which will take effect on 25th May 2018.

Further information on GDPR can be found on the EU GDPR Portal at http://www.eugdpr.org/

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data driven world.

Terms:

  • “Personal Identifiable Information” (PII) means any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of PII. In most cases the party initially collecting the PII is the Data Controller. They are the party that needs to “control” the use and security of PII, needs to obtain consent for its collection and use, and is primarily liable for data breaches.
  • “Data Processor” means the natural or legal person, public authority, agency or other body which processes PII on behalf of the Data Controller. Processing means any operation or set of operations which is performed on PII or on sets of PII, whether or not by automated means.
  • “Buyer” means the person placing an ecommerce platform or marketplace order.
  • “Merchant” means the party processing an ecommerce or marketplace order.
  • “Marketplace” means the online marketplaces, e.g. Amazon, eBay, for which Codisto offers integration as part of its service.
  • “ecommerce platform” means the ecommerce platforms, e.g. Shopify, BigCommerce, Magento, WooCommerce, Ecwid, for which Codisto offers integration as part of its service.

The GDPR applies to all companies processing PII of Data Subjects residing in the European Union, regardless of the company’s location. The GDPR also applies to the processing of PII of Data Subjects in the EU by a Data Controller or Data Processor not established in the EU (e.g. in the USA or Australia), where the activities relate to offering goods or services to EU citizens.

Whilst Codisto is working to make sure that its own operations will comply with the GDPR, each customer is ultimately responsible for ensuring that their business complies with the laws of the jurisdictions in which they operate or have buyers. Using Codisto does not guarantee that a merchant complies with the GDPR.

The GDPR also gives certain rights to identified or identifiable persons (referred to as data subjects), including buyers of merchants. These include the right to request:

  • Deletion of their personal data (right to be forgotten)
  • Correction (rectification) of their data
  • Access to their data
  • An export of their data in a common (portable) format

This topic is discussed more fully in the Data subject rights section.

Controllers & Processors

We have assessed that the GDPR applies to Codisto as a Data Processor of PII on behalf of our customers who use our applications as part of their business and as a Data Controller for customer PII we collect ourselves and store and process in our sales, marketing and internal operational systems.

Processor obligations

To comply with the GDPR, generally the processor may only process personal data when authorised to do so by the controller. Where Codisto is a processor for a merchant, it processes personal data on instructions from merchants. For example, when a merchant authorizes connection of an Amazon or eBay account with an ecommerce platform store for synchronization of inventory, products or orders, they give Codisto the instruction to transmit data to the relevant party.

The GDPR also places several other responsibilities on the processor, discussed below:

Subprocessing

Processors must notify and obtain consent from their controller when transmitting personal data to a subprocessor. Codisto uses a number of subprocessors to provide the service, including to:

  • Store data
  • Respond to and manage support inquiries

When a merchant signs up for the Codisto service, they consent to allow Codisto to use subprocessors.

Data protection impact assessments

Codisto is formalising the process for conducting data protection impact assessments (DPIAs) any time a change in processing procedure occurs that is likely to result in a high risk to individuals’ privacy rights. Codisto will help answer reasonable questions a merchant has about Codisto’s processing activities.

Personal data breach reporting

Processors must notify the controller after becoming aware of a personal data breach resulting from a breach of the processor’s security.

Codisto is committed to ensuring that its incident response program meets the requirements of the GDPR.

Controller obligations

Under the GDPR, the controller has the following responsibilities:

Facilitating requests

Controllers are obligated to help data subjects exercise their rights.

Posting a privacy notice

When personal data is collected from a data subject, controllers must provide certain minimum information about the intended processing of the personal data, as well as information about how to contact and identify the controller.

Merchants are responsible for providing this information to their buyers. Codisto provides this information in the Codisto Privacy Policy where it is a controller, and encourages merchants to provide this information in their own privacy policies.

Complying with marketing and cookie regulations

Controllers are responsible for making sure that they comply with marketing and cookie regulations in the jurisdictions in which they operate.

Merchants with EU buyers should make sure that they obtain appropriate consent for the use of cookies—the ePrivacy Directive generally requires some form of consent in order to use tracking technologies.

All merchants should similarly make sure that their email marketing practices comply with applicable e-marketing or anti-spam requirements.

Special categories of personal data

The GDPR mandates greater security and controls when processing certain special categories of PII, such as financial and health data.

Codisto does not currently and does not plan to process or capture special category PII.

Merchants are responsible for assessing whether they need to obtain a higher level of consent for certain buyers.

Legal basis for processing

Codisto as the data controller:

Codisto obtains consent to capture and process PII as part of the initial collection process and only processes PII for the purposes covered by the consent and according to our privacy policy.

Codisto as the data processor:

It is the responsibility of the Data Controller (e.g. merchant who collects the buyer PII) to ensure that they have a proper legal basis for any PII they collect, enter or transfer into Codisto’s applications (as Data Processor), including keeping evidence of consent when processing is based on consent. This obligation is included in Codisto’s terms and conditions. Codisto processes and stores PII according to GDPR requirements as a data processor.

Data transfers

The United States, European Economic Area (“EEA”) Member States, and other countries all have different laws. When your information is moved from your home country to another country, the laws and rules that protect your personal information in the country to which your information is transferred may be different from those in the country in which you live. For example, the circumstances in which law enforcement can access personal information may vary from country to country. In particular, if your information is in the US, it may be accessed by government authorities in accordance with US law.

Codisto operates a global service. To the extent that Codisto is deemed to transfer personal information outside of the EEA, we rely separately, alternatively, and independently on the following legal bases to transfer your information:

Model Clauses

The European Commission has adopted standard contractual clauses (also known as Model Clauses), which provide safeguards for personal information that is transferred outside of Europe. We often use these Model Clauses when transferring personal information outside of Europe.

Privacy Shield

Codisto does not participate in Privacy Shield at this time. However, we may rely on the EU-US Privacy Shield to transfer personal information to some of our third party service providers in the United States, where they are certified to receive such information under the Privacy Shield Program.

Necessary for the performance of the contract between Codisto and its customers

Codisto provides a voluntary service; you can choose whether or not you want to use the Services. However, if you want to use the Services, you need to agree to our Terms of Use, which set out the contract between Codisto and its customers. As we operate in countries worldwide (including in the US) and use technical infrastructure in the US to deliver the Services to you, in accordance with the contract between us, we need to transfer your personal information to the US and to other jurisdictions as necessary to provide the Services. Simply put, we can’t provide you with the Services and perform our contract with you without moving your personal information around the world. 

Third parties

Codisto will never independently sell personal data for commercial purposes. However, Codisto uses 3rd party suppliers as Data Processors to provide us with hosting, processing, applications and other services used to provide the Codisto application and process PII. Codisto has Data Processing Agreements with these data processors and is satisfied that these suppliers provide adequate protection under GDPR for PII.

Data protection and security

Under the GDPR, controllers and processors are required to implement appropriate technical and organisational measures.

Codisto, as a Data Processor, when processing PII on behalf of a Data Controller in connection with services provided by Codisto, has implemented and maintains the following technical and organizational security measures for the processing of such PII:

1. Physical Access Controls: Codisto has implemented reasonable measures to prevent physical access, such as secured buildings and access controls within premises, to prevent unauthorized persons from gaining access to PII, and ensure Third Parties such as those operating data centres are also adhering to such controls.

2. System Access Controls: Codisto has implemented reasonable measures to prevent PII from being used without authorization. These controls vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.

3. Data Access Controls: Codisto has implemented reasonable measures to ensure that PII is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the PII to which they have privilege of access; and, that PII cannot be read, copied, modified or removed without authorization in the course of Processing.

4. Transmission Controls: Codisto has implemented reasonable measures to ensure that it is possible to check and establish to which entities the transfer of PII is made by means of data transmission facilities so PII cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

5. Input Controls: Codisto has implemented reasonable measures to allow it to check and establish whether and by whom PII has been entered into data processing systems, modified or removed and to ensure that (i) PII is under the control of Data Controller; and (ii) PII is managed by secured transmission from Data Controller.

6. Data Backup and retention: Codisto has implemented measures to ensure that backups of relevant databases are taken on a regular basis, are secured to ensure that PII is protected against accidental destruction or loss. PII will be securely deleted or erased when it is no longer needed for a permitted business purpose.

7. Logical Separation: Codisto has implemented measures to ensure that PII from different Codisto customer environments is logically segregated on its systems to ensure that PII that is collected for different purposes is processed separately.

Amazon Web Services (AWS) is a key 3rd party data processor as Codisto’s cloud infrastructure service provider and is responsible for the security of the cloud infrastructure used by Codisto. AWS provides highly secure data centres utilizing state-of-the-art electronic surveillance and multi-factor access control systems. Data centres are staffed 24x7 by trained security guards and access is authorized strictly on a least privileged basis, limited to system administration purposes.

Data subject rights

Right to access
Due to its nature, Codisto has assessed the likelihood of requests to access the PII stored as a Data Controller as low. The same assessment applies to PII stored by Codisto as a Data Processor in our applications by our customers. Should we receive a request to access PII, we can provide, subject to verification of the Data Subject, such PII on a case by case basis.

Data portability
Due to its nature, Codisto has assessed the likelihood of requests to port PII we store as Data Controller as low. The same assessment applies to PII stored by Codisto as a Data Processor in our applications by our customers. Should we receive a request to provide PII, we can provide, subject to verification of the Data Subject, such PII data in an agreed format on a case by case basis.

Right to be forgotten
Due to its nature, Codisto has assessed the likelihood of requests to erase PII we store as a Data Controller as low. The same assessment applies to PII stored by Codisto as a Data Processor in our applications by our customers. Should we receive a request for PII to be erased, we can, subject to the verification of the Data Subject, erase such PII on a case by case basis.

Rectification
Due to its nature, Codisto has assessed the likelihood of requests to rectify PII we store as a Data Controller as low. The same assessment applies to PII stored by Codisto as a Data Processor in our applications by our customers. Should we receive a request for PII to be rectified, we can, subject to the verification of the Data Subject, rectify such PII on a case by case basis.

Staff and contractor training

Codisto has implemented a mandatory on-line training program to ensure all staff and contractors are trained in privacy and information security.