ChannelAdvisor And The General Data Protection Regulation

General Data Protection Regulation (GDPR)

All ChannelAdvisor systems and services are ready for the European Union’s General Data Protection Regulation (GDPR). Building on our membership in the Privacy Shield Framework, ChannelAdvisor has ensured that its processes and other protections in place for personal data follow the GDPR. While ChannelAdvisor’s personal data protection standards include GDPR readiness, they are not limited to citizens of the European Union; instead, we apply the same level of protection to all personal data regardless of the individual’s location.

Below are Frequently Asked Questions (FAQ) and related information regarding ChannelAdvisor and the GDPR. We will continue to update this page as appropriate.

FAQ
What has ChannelAdvisor done to be ready for the GDPR?
At ChannelAdvisor, the security of our systems and data has always been our top priority. With the enactment of the GDPR, ChannelAdvisor has taken additional steps to protect personal data in our systems (Privacy By Design), as well as to ensure that all of our related processes follow the GDPR. Every department at ChannelAdvisor has undergone an extensive internal analysis, in which they have reviewed and documented their personal data processing activities to align them with GDPR requirements. ChannelAdvisor has also engaged outside resources to review our readiness for GDPR and advise us on best practices to remain compliant.

How is personal data protected by ChannelAdvisor?
All personal data is encrypted both in transmission and when stored in our systems. ChannelAdvisor also has a robust set of security and organizational measures in place to protect personal data, such as physical and access controls in our hardware and software as well as our offices and the facilities where our applications are hosted.

Personal data is only retained as long as needed to meet contractual, regulatory, or other clearly identified and documented business needs. Further information about the types of personal data collected by ChannelAdvisor is found in our Privacy Policy, which has been updated to reflect our data collection and handling practices.

How long is personal data retained by ChannelAdvisor?
The retention period for personal data varies according to the type of individual whose information is stored. Personal data is retained only as long as needed to perform our contractual obligations, or for other legitimate business reasons such as retention for financial or tax audits. The majority of personal data ChannelAdvisor maintains on behalf of customers is order-related information from the customer’s marketplaces and webstore accounts. This data is retained for no longer than 30 months after the order creation date in ChannelAdvisor’s systems. For customers who use our pixel tracking system, such as for our Digital Marketing solution, the IP address of the prospective buyer is retained for no more than 60 days.

As a ChannelAdvisor Client, what are my responsibilities under the GDPR?
Just like ChannelAdvisor, our customers also share in the responsibility for the personal data they choose to collect using our systems. Our customers must protect any personal data they transfer from ChannelAdvisor to their systems, using methods and processes which follow the GDPR. For personal data that ChannelAdvisor obtains from marketplaces and other channels, the customer is the “Controller” of that data, whereas ChannelAdvisor is the “Processor” of the data, as those terms are used in the GDPR. The GDPR strictly limits the retention and use of personal data, so it cannot be used for marketing directed towards a data subject unless that person has explicitly agreed to the use of their data for that purpose.

Does my contract with ChannelAdvisor need to be modified for GDPR?
Contractual requirements vary depending on the nature of the customer’s business and their location, so a customer should review its contract to determine whether it believes a change is needed regarding personal data processed on its behalf by ChannelAdvisor. ChannelAdvisor has a Data Processing Agreement (DPA) for use under the GDPR. To discuss the need for a DPA with ChannelAdvisor, please open a case on our Community site. As customer contracts are created and renewed, they will also include a DPA where appropriate.

What if I have other GDPR-related questions regarding my ChannelAdvisor account?
If you have other GDPR-related questions regarding the handling of personal data in your ChannelAdvisor account, please visit our Community site.