ChannelAdvisor and the GDPR

The European Union’s (EU) General Data Protection Regulation (“GDPR”) became effective on May 25, 2018.  Building on our membership with the Privacy Shield Framework, ChannelAdvisor Corporation, including our affiliated entities (referred to collectively as “ChannelAdvisor,” “we,” “our,” or “us”), has taken all necessary steps and maintained processes and protections for Personal Data in compliance with the GDPR.  “Personal Data” under GDPR means any information related to an identified or identifiable natural person, where that person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to an individual. While ChannelAdvisor’s Personal Data protection standards include GDPR support, they are not limited to citizens of the European Union. Instead, we apply the same level of protection for all Personal Data regardless of the individual’s location.  ChannelAdvisor maintains reasonable and appropriate technical and organizational measures that adequately protect personal data in accordance with applicable privacy laws.

Below are frequently asked questions about ChannelAdvisor’s observance of the GDPR and how we handle Personal Data.

Is ChannelAdvisor bound by the GDPR?

Yes, because ChannelAdvisor’s operations within the European Union involve processing personal data of European residents. 

How is Personal Data protected by ChannelAdvisor?

All Personal Data is encrypted both in transmission and when stored in our systems. ChannelAdvisor also has a robust set of security and organizational measures in place to protect personal data, such as physical and access controls in our hardware and software as well as our offices, and the facilities where our applications are hosted.

How long is Personal Data retained by ChannelAdvisor?

The retention period for Personal Data varies according to the type of service ChannelAdvisor is providing to a particular client. Personal Data is retained only as long as needed to perform our contractual obligations, or for other legitimate business reasons. The majority of Personal Data ChannelAdvisor stores is order-related information that ChannelAdvisor maintains on behalf of our clients, to support the services we provide related to their marketplaces and webstore accounts. This data is retained for no longer than 90 days after the order creation date on the marketplace or webstore, except that for Amazon marketplace orders the Personal Data is only retained for 30 days.  For clients who use our pixel tracking system, such as for our Digital Marketing solution, the IP address of the prospective buyer that may be collected by ChannelAdvisor during our performance of these services is retained for no more than 60 days. Further information about types of Personal Data collected by ChannelAdvisor are found elsewhere in these FAQs as well as in our Privacy Policy.

As a ChannelAdvisor Client, what are my responsibilities under the GDPR?

Just like ChannelAdvisor, our clients also share in the responsibility of the Personal Data which they choose to collect using our systems.  Our clients must protect any Personal Data which they transfer from ChannelAdvisor to their systems, using methods and processes which follow the requirements of the GDPR. For Personal Data that ChannelAdvisor obtains from marketplaces and other channels, the client is the “Controller” of that data, whereas ChannelAdvisor is the “Processor” of the data, as those terms are used in the GDPR. The GDPR strictly limits the retention and use of Personal Data, so it cannot be used for marketing directed towards a data subject unless that person has explicitly agreed to the use of their data for that purpose.

Does my contract with ChannelAdvisor need to be modified for the GDPR?

Contractual requirements vary depending on the nature of the client’s business and their location, so a client should review its contract to determine whether it believes a change is needed regarding Personal Data processed by ChannelAdvisor on your behalf.   ChannelAdvisor does provide a Data Processing Agreement (DPA) for use under the GDPR.  To discuss the need for a DPA with ChannelAdvisor, please open a case on our Community site. As client contracts are created and renewed they will also include a DPA where appropriate.

How do I handle data deletion requests from data subjects for Personal Data retained by ChannelAdvisor?

Please see the related sections below regarding clients who sell on marketplaces and webstores, as well as those who are advertisers on online marketing sites..

What are your rights with respect to Personal Data held by ChannelAdvisor?

For our Clients who are Sellers on marketplaces and webstores: In addition to the existing functionality available in the ChannelAdvisor application for clients to find, view and export order data for specific buyers, we also provide clients with the ability to delete the Personal Data on such orders from the Orders and Orders Detail pages in the ChannelAdvisor platform. As such, clients can handle data privacy requests from their buyers or other individuals themselves without any need for ChannelAdvisor’s assistance. Please be advised that clients may need to contact any other third parties who also might have this data, to pass along data privacy requests. These third parties may include, for example, any shipping providers who the client has configured to access buyer data using our application.

For our Clients who are Advertisers on online marketing sites: ChannelAdvisor may collect Personal Data in our Digital Marketing application, such as the IP address of the user, which is collected through use of our Digital Marketing tracking pixel. If you are not using our Digital Marketing tracking pixel, then ChannelAdvisor will not collect the Personal Data of your prospective or actual consumers. If you are using our Digital Marketing tracking pixel, ChannelAdvisor might have IP addresses associated with your consumers. In such cases, ChannelAdvisor must retain those IP addresses for 60 days, after which time they are automatically deleted. No affirmative request or action from you is needed in order to facilitate such deletion.

For our Partners: ChannelAdvisor may process Personal Data at the request of our clients,  such as marketplace sellers or advertisers who use your platform, in order to fulfill our contractual obligations with them. We can only locate Personal Data if we know the seller or advertiser with whom the buyer’s Personal Data might be associated. As such, in order for ChannelAdvisor to process valid GDPR data subject requests, such requests must be made through the seller or advertiser who sold product(s) to the data subject in question. Because they are our client, the seller or advertiser can then contact ChannelAdvisor to help facilitate your applicable request. Contacting the seller will also ensure that any other third parties with whom the seller or advertiser has shared the Personal Data will also be notified.

For EU Citizens: If you are an EU citizen, you have certain rights with respect to our use and disclosure of your Personal Data. However, ChannelAdvisor cannot help you exercise those rights without first obtaining additional information from the seller or advertiser who directed us to collect your data on their behalf. ChannelAdvisor processes Personal Data at the request of our clients (sellers and advertisers) in order to fulfill our contractual obligations with them. Your relationship is with the seller or advertiser who sold your product(s) to you, so we need the seller or advertiser to contact us directly in order to determine the account against which we should process a request regarding your Personal Data. In order for your data privacy request to be handled properly, please contact the seller or advertiser who sold your product(s) to you. If they need to contact us to help facilitate your request they will do so.  

How can I get more information from ChannelAdvisor about the GDPR?

If you have other GDPR-related questions regarding the handling of Personal Data in your ChannelAdvisor account please visit our Community Site.   If needed you can also contact us by using the information found on ChannelAdvisor’s Privacy Policy.