GDPR Compliance

The European Union’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018. The GDPR imposes new obligations and responsibilities on controllers and processors of data.

As a marketplace admin, you are generally the controller of your suppliers and customers’ data. This means that you collect their data and choose how it is handled. Additionally, though it is a European regulation, the GDPR might apply to your business if your suppliers make goods and services available in Europe, even if you or your business are not located in Europe.

As a processor for your users’ data, IdyaFlow follows your instructions on how to handle that data. For more information about the roles of data controller and processor, please review the Compliance sections of this page.

IdyaFlow believes strongly in protecting your users’ personal data as well as your own, and understands that doing so is critical to help you preserve the trust and confidence of your users. IdyaFlow has designed its platform to allow suppliers to operate anywhere in the world. GDPR-compliant features are built into IdyaFlow’ platform, including features to enable you to offer your users transparency into and control over their personal data, and technical measures to ensure that your users’ personal data is protected as it crosses borders.

While IdyaFlow does what it can to set you up for success, there are also steps you will need to take on your own, and ultimately, compliance with the GDPR is the responsibility of each supplier. If you have legal questions specific to your obligations under the GDPR, then please consult with a local lawyer who is familiar with data protections laws.

As a processor for your users’ data, the General Data Protection Regulation (GDPR) requires IdyaFlow to make the following changes to its platform and internal privacy program:

• • Document and keep records of certain privacy-related decisions made by IdyaFlow so that IdyaFlow is accountable for its privacy practices.
  • Make the terms of Service and Privacy Policy easily accessible to the marketplace admins to include detailed information about the rights extended by the GDPR.
  • Make sure that IdyaFlow is able to honor the rights of European suppliers and customers over their personal data, and that when using IdyaFlow’ services, marketplace admins are able to do the same.

Platform Features

• • Ability to create and update marketplace specific Privacy Policy and Terms of Service to protect marketplace admins.
  • Ability for the marketplace admins to obtain independent consent for marketing purposes. 
  • Built-in tool to download all the information IdyaFlow holds about your supplier and customer through IdyaFlow admin
  • Built-in tool to delete all personal information associated with a particular supplier or customer through the IdyaFlow admin.
  • More Robust Cookie policy that includes specific information about the categories of cookies IdyaFlow uses.

By signing the IdyaFlow SaaS usage agreement and continuing to use IdyaFLow’ services, you agree to the data processing policy.

The General Data Protection Regulation (GDPR) affects any IdyaFlow Marketplace platforms who are based in Europe or who serve European customers. While IdyaFlow is working hard to make sure that it complies, and allows its marketplace admins to comply with the GDPR as of May 25, 2018, it is important to note that the GDPR will also require you to take action independently from the IdyaFlow platform.

IdyaFlow provides marketplace administrators with the tools and features to be GDPR compliant, and where necessary, will not withhold informational requests from you for your users. That said, this is not legal advice. The GDPR is a complicated regulation, and it will apply differently to different marketplace platforms. You should consult with a lawyer to figure out what you specifically need to do.

IdyaFlow provides marketplace admins with a platform that can be configured to be GDPR compliant, but you must consider yourself how you would like to run your business. Below section includes information you should consider to help you assess your obligations to make sure that you have set up your marketplace in a way that complies with the law.

Personal data

• • Examples of personal data include:
    • Name
    • Address
    • Email address
    • Social media account
    • Digital identifier such as an IP address or a cookie ID.

Privacy Policy

• • The GDPR requires that you provide specific information to users whose data you are processing, generally, in the form of a privacy policy. 

Appointing a Data Protection Officer

• • A Data Protection Officer (DPO) oversees how your organization collects and processes personal data. If your business’s is above a certain size in terms of data subjects, the GDPR requires that you appoint a DPO and provide contact information for the DPO in your Privacy Policy. 

Customer consent

• • Under the GDPR, you might need to obtain consent to process the personal data of your users or change how you currently obtain that consent.
  • Where you need to obtain consent, the GDPR says that it must be:
    • Freely given: it must be entirely voluntary, and should not be bundled with other goods or services.
    • Specific: it must be tied to clearly explained use cases.
    • Informed: it can only be given if the data subject is provided enough information about the personal data that will be collected and used.
    • Unambiguous: it must be demonstrated by an affirmative act by the merchant (that is, not simply by continuing to use the services). 

Children

• • The GDPR includes specific parental-consent requirements for processing the personal data of users that are deemed too young (the age is 16 and below in the European Economic Area but could be different elsewhere).

Data breach notification

• • If the GDPR applies to you and you experience a data breach, then you might be required to notify affected users or specific regulatory bodies.
  • In particular, the GDPR requires notice where a data breach is likely to cause a high risk of adversely affecting individuals rights and freedoms.

Third party apps

• • The GDPR requires that you take a number of affirmative steps relating to you and your third-party service providers collection and use of personal data. This includes IdyaFlow, but also any third-party apps that you in connection to your IdyaFlow marketplace (e.g. Stripe).

International data transfers

• • The GDPR prohibits exporting the personal data of Europeans outside of Europe unless that information will be adequately protected.
  • IdyaFlow protects personal data according to the requirements of the GDPR as it is transferred to and processed in the United States and Canada.

The GDPR gives individuals the right, in certain circumstances, to request a copy of their personal data being processed by a company. The GDPR therefore requires that you be able to provide your users (suppliers and customers) with a copy of their personal data in a format that is:

• • Common
  • Easily readable
  • Portable

This allows users to use their data with a different service provider. IdyaFlow allows you to export most data in CSV or Excel formats right from your admin (for example, order, payout statement, suppliers, and customer information).

Data Erasure Requests

The GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data.

“Personal data” means any data that can be used to identify an individual, including:

• • Name
  • Address
  • Email
  • IP address
  • Credit card number

If you receive a delete or portability request, then you will first need to verify the identity of the requester. To request erasure of data from IdyaFlow, please send us an email to privacy@idyaflow.com with a subject line: Marketplace – User Erase Request and we will manually process the erasure of the requested user data from the platform.