Store Information | Cross-border data transfers under GDPR

Shoplazza is committed to complying with international standards such as the General Data Protection Regulation (GDPR) (EU) 2016/679. To meet these requirements, Shoplazza's infrastructure is designed to support GDPR-compliant data transfers. Personal data of European data subjects is first received and processed by Shoplazza Inc. in Canada, then may be transferred to other entities when required.

GDPR cross-border data transfer requirements

When transferring the personal data of European residents out of the EU, GDPR requires safeguards to ensure continued data protection. These safeguards include:

• Legal adequacy: Data can be transferred to countries with privacy laws deemed adequate by the European Commission. Canada’s private sector privacy law, which governs how Shoplazza Inc. handles personal data, meets this standard under Article 45.
• International treaties: While treaties like the EU-US Privacy Shield previously facilitated data transfers, the European Court of Justice invalidated this mechanism on July 16, 2020, making it no longer valid.
• Standard Contractual Clauses (SCCs): Data transfers between European and non-European entities can be made using SCCs approved by the European Commission, offering a standardized framework for ensuring compliance.
• Internal policies: Personal data may also be transferred within a group of companies (e.g., from Shoplazza Inc. to Shoplazza Hongkong Limited) if appropriate internal data protection policies are in place.

Data infrastructure

When using Shoplazza services, your agreement includes a Data Processing Addendum (DPA) that outlines the roles of Shoplazza Inc. (Canada) and Shoplazza Hongkong Limited (Hong Kong) in processing personal data.

• Initial processing in Canada: As outlined in Section 2.1 of the DPA, data from EU data subjects is first received by Shoplazza Inc. This transfer qualifies under Article 45 of the GDPR, as Canada has received an adequacy decision (2002/2/EC) from the European Commission due to its PIPEDA law.
• Role of Shoplazza Inc.: In this context, Shoplazza Inc. is considered the data processor, and the merchant (you) is the controller providing services to EU customers. Transfers made to Shoplazza Inc. are therefore compliant with GDPR based on Canada's adequacy status.
• Use of sub-processors: Shoplazza Inc. may engage additional sub-processors located globally, depending on factors such as:
  • Your store’s location
  • Store configuration
  • Specific Shoplazza services in use
  • Level of support required

All sub-processors are bound by Canadian export and privacy regulations, and operate under Standard Contractual Clauses or equivalent legal frameworks to ensure GDPR compliance. For a full list of sub-processors, refer to the article Shoplazza Sub-processors.

Shoplazza remains committed to maintaining strong standards of data protection and privacy compliance. For more details, refer to our Data Processing Addendum  and consult legal guidance to ensure your obligations under GDPR are fully met, if applicable.