Shoplazza takes matters of privacy and data protection seriously, and we contractually commit to our merchants that we will comply with data protection laws such as the General Data Protection Regulation, Regulation (EU) 2016/679, (the “GDPR”). In order to do that, we have designed our infrastructure to transfer data across borders in compliance with the GDPR. In particular, we have structured our data flows such that all personal data about European data subjects is initially received and processed by our Canada entity. Shoplazza then transfers that data onwards to other locations, as we explain in more detail in this section.
GDPR cross-border transfer requirements
When personal data of European residents is transferred out of Europe, the GDPR requires that data to be protected under specific mechanisms which aim at protecting personal data after they have been transferred to a third country or an international organization, including:
- Law: the privacy law of the ‘destination’ country is determined to be adequate to ensure the data is protected (Article 45). The European Commission has determined that Canada’s private sector privacy law, which governs how Shoplazza Inc. processes data, adequately protects this data.
- Treaty: countries may enter into international treaties to allow the cross-border flow of personal data, such as the EU-U.S. Privacy Shield. The European Commission may decide any such treaty is adequate to ensure that data is protected (Article 50). However, the EU-U.S. Privacy Shield was invalidated by the Court of Justice for the European Union on July 16, 2020.
- Contract: personal data may be transferred between a European entity and a non-European entity under a contract with “Standard Contractual Clauses” (“SCCs”). The language of the SCCs is approved by the European Commission.
- Policy: personal data may be transferred within a group of companies (for example between Shoplazza Inc. and Dianjiang Technology Co., Ltd. if the companies have an internal policy or DPA for protecting data.
Our data infrastructure
When you use Shoplazza’s services you contract includes a Data Processing Addendum between you and Shoplazza’s two entities that offer our services in different jurisdictions: Shoplazza Inc. ( located in Canada), and Dianjiang Technology Co., Ltd. (located in Hongkong).
Per Section 2.1 of our Data Processing Addendum, when we receive data about a European data subject, that data is initially received from you and/or the data subject by Shoplazza Inc. located in Canada. While we cannot advise you on your obligations under data protection laws, in our view this personal data is transferred by you to Shoplazza Inc. To the extent that the GDPR applies to this transfer, this transfer from you, a controller offering service or goods to the data subject in EU thus subject to the GDPR pursuant to Article 3(2), to a processor located in Canada is conducted pursuant to Article 45 – a transfer on the basis of an adequacy decision. In this case, the transfer is to Shoplazza Inc., a Canadian company subject to Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). Because this transfer is to a company subject to PIPEDA, it is conducted under the European Commission’s adequacy decision 2002/2/EC.
Shoplazza Inc. then may use other subprocessors. These subprocessors are located around the world, and the specific subprocessors used will vary depending on specific circumstances (such as the location of your store, your store configuration, specific Shoplazza services you may use, the extent to which you use Shoplazza support, etc.). At present, we comply with the export requirements of Canadian privacy law and\or contractual commitment such as SCC or agreement with provisions materially similar to SCCs.