EU GDPR Compliance
We abide by and are compliant with the Data Protection Act 1998 (DPA) and the General Data Protection Regulation (GDPR), which comes into effect on May 25, 2018.
We are committed to keeping buyers’ personal information secure and confidential.
What is the GDPR?
The GDPR is a new legal framework from the European Union (EU) that replaces the earlier data protection rules. The law is designed to harmonise data protection law throughout the EU and to strengthen the rights of individuals in the EU (data subjects) over their personal data.
Who Does GDPR Apply To?
The GDPR applies to any business established in the EU, and to any business outside the EU that offers products or services to individuals in the EU or monitors their behaviour (for example, through website tracking), regardless of where the business itself is located.
What Does GDPR Require?
Whereas the previous data protection framework placed its obligations on Data Controllers, the new framework imposes direct obligations on both Data Controllers and Data Processors (including subprocessors).
Data Controllers are responsible for deciding what personal data is collected and the purpose of that collection. Stricter requirements now apply to obtaining, recording and maintaining consent where consent is relied on for the use of personal data.
Data Processors are obliged to keep records of the personal data they process on a controller's behalf and to apply appropriate security measures to that processing. A processor must notify the controller of a personal data breach without undue delay; the controller must in turn notify the supervisory authority (within 72 hours where feasible) and, where the breach is likely to result in a high risk to the individuals concerned, the affected customers.
Lawful Basis for Processing Personal Data
For the purposes of GDPR, we are the Data Controller when selling on BraceAbility.com, and we process all personal data lawfully, fairly and in a transparent manner.
Under Article 6 of GDPR, the lawful basis on which we process personal data received from customers is that of "Contract" (Article 6(1)(b)), whereby processing is necessary in order to fulfill buyer orders and to respond to enquiries made prior to an order.
We retain information provided by customers, such as transaction information, for internal financial accounting purposes. We are legally required to retain this information for a period of 7 years; the lawful basis for this retention is "Legal obligation" (Article 6(1)(c)).
Web Platform Data Processor: Shopify
BraceAbility.com utilizes Shopify as its web platform and Data Processor. Shopify processes personal data according to documented instructions provided by BraceAbility. Shopify also acts as an intermediary for payment processing for BraceAbility and transmits payment data to the payment processor, Stripe, according to the agreed instructions.
In order to fulfill the instructions provided by BraceAbility in relation to customer orders, Shopify may use a number of subprocessors to:
- store platform data
- operate portions of Shopify’s website
- respond to support inquiries
Shopify requires its subprocessors to meet standards that comply with GDPR.
For more information on Shopify GDPR compliance, visit Shopify’s GDPR Whitepaper.
Other Data Processors
BraceAbility utilizes multiple data processors in order to process and fulfill customer orders and to provide customer service support. BraceAbility ensures that every data processor handling personal data on our behalf complies with the GDPR's requirements for processors.
Data We Receive: Personally Identifiable Information
We receive personally identifiable information via BraceAbility.com only when it is voluntarily submitted by buyers when placing an online order. The data we receive includes: name, billing address, delivery name, delivery address, e-mail address, telephone number, date of order, items ordered, value of items ordered, and chosen method of delivery.
We do not sell or rent personally identifiable information to any third party for any purpose.
How We Use Buyers’ Personal Information
We may use any personal buyer information provided by customers to:
- process and dispatch buyers' orders
- use the information to meet our legal and regulatory obligations
- prevent and detect crime
- develop and improve our products, including statistical analysis
We treat all information we hold about buyers as private and confidential. We will not reveal any personal details or details concerning buyers’ orders to anyone not connected with us, unless:
- a buyer asks us to reveal the information, or we have a buyer’s permission to do so
- we are required or permitted to do so by law
We may share buyer personal information with our suppliers, service providers and other contractors only to fulfill orders buyers place with us on BraceAbility.com.
Data Subject Access Requests
Under GDPR, buyers are entitled to obtain from us, as the Data Controller for the purposes of GDPR when selling on BraceAbility.com, a copy of the personal data we hold concerning them, and to have any inaccuracies in that data rectified. We are obliged to provide this data within one calendar month of the request and free of charge. Where a request is complex or we receive a number of requests from the same buyer, this period may be extended by up to two further months; in that case we will inform the buyer of the extension, and the reasons for it, within one month of receiving the request.
However, we have the right to refuse, or to charge a reasonable fee for, requests that are manifestly unfounded or excessive, in particular because they are repetitive.