GDPR FAQ

The GDPR defines personal data as “any information relating to an identified or identifiable natural person”. In practice this includes name, email address, postal address, place of employment, health information, IP address, criminal background, etc. Note that context counts – a business name alone does not count as personal data, but it could if combined with other information to identify an individual.

Yes. TrueCommerce has customers in the EU and the member companies which form our larger organization include offices in multiple EU countries. TrueCommerce must remain compliant with the GDPR both in relationships with its customers and with its own employees.

In recognition of our obligation to follow the law, we formed a GDPR compliance project team under the guidance of our CISO and an executive steering committee. We have consulted with industry experts, outside legal experts, and leading security vendors to verify our approach to GDPR compliance. The project team has compiled a catalog of all systems in the organization, classified them by GPDR relevance, and cataloged the nature and purpose of all personal data processing, as required by the “Records of processing activities” requirement of the legislation. Further, the team has conducted gap and risk analyses for compliance with the law and to reduce risks of future compliance gaps or risks to individual privacy. The law calls for “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. We believe strongly that we have such measures in place.

We have updated our Privacy Policy to ensure compliance with GPDR requirements. From the policy:

In accordance with the purpose for which your Personal Data is collected, we use your Personal Data to

• Provide the Services to you
• To understand your usage of the Services so that we can make improvements to the Services
• To provide relevant marketing messages to you in connection with your use of the Services
• To analyze it in an effort to better understand our products, services and business in general
• To understand your behavior and preferences so we can offer additional products, services and other opportunities that we believe will be of value to you.

Privacy Policies for TrueCommerce and subsidiaries may be found in the following locations:
TrueCommerce https://www.truecommerce.com/legal
TrueCommerce UK https://www.truecommerce.com/uk-en/privacy-policy
TrueCommerce DK https://www.truecommerce.com/dk-da/truecommerce-denmark-aps-cookie-and-privacy-policy
TrueCommerce Nexternal https://www.nexternal.com/company/privacy-policy.asp
TrueCommerce Datalliance https://www.datalliance.com/company/legal-and-privacy

The legislation applies to companies active in the EU, regardless of whether this is because they are selling to consumers there, have offices there, or are conducting business to business transactions with EU companies. If your use of our services includes sharing any personal data for individuals residing in the EU, then the GDPR applies. This might include:

• Your employees in the EU who share contact information for support and billing purposes.
• Information about consumers in the EU that you collect and process using our service.
• Contact information for employees at your customers in the EU that is transmitted using our service for purposes such as billing, invoicing, or shipping.

According to the legislation, a Controller “determines the purposes and means of the processing of personal data”. If you are the one choosing to collect personal data from individual, as for example to market or sell a product to them, then you are acting as a Controller. A Processor acts on behalf of a Controller to process personal data. The Processor has not determined the purpose for the collection of the data, but rather is performing a service on behalf of the Controller.

As is true for many organizations, TrueCommerce acts as a Controller in some capacities and a Processor in others. Where our own employees and marketing efforts are concerned, we are a Controller. The services we provide to customers almost exclusively put us in the position of a Processor acting at the behest of our customer, the Controller.

TrueCommerce has taken appropriate technical and organizational measures to secure the data processed by our services. We have created contract addendums (Data Processing Agreements, see below) for our services which enable both parties to fulfill the contractual requirements for Controllers and Processors obligated by the GDPR. We are working to make sure that appropriate agreements are in place with our own vendors and sub-processors to ensure that the rights of individuals may be enforced on data transferred outside of TrueCommerce.

These agreements depend on a couple of concepts which must be accounted for by the Controller. The first is that they “…account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons…”. The second is that there is a “lawful basis for processing”, such as informed consent by the individual. You, as a Controller, must remain aware of the nature of the personal data you are processing using our services, the risks this activity might pose to the rights of individuals, that there is a lawful basis for the transfer of personal data to TrueCommerce, and that the agreements in place are consistent with these facts. Please seek legal counsel if you are unsure whether you meet these GDPR requirements in your activities.

Yes. We provide DPA’s as addendums to our service agreements. Please contact your sales representative for a version relevant to your use of our services.

What if I run into difficulty opting out of marketing communication? Individuals may contact our Data Protection Officer at [email protected] if they would like to exercise data subject rights under the GDPR.

Yes. In addition to maintaining policies and procedures which maintain our commitments to customers regarding data breach notifications, we will follow the GDPR requirements regarding notification for personal data breaches. In the event that we determine that a data breach has resulted in the loss of personal data, we will notify the relevant EU authorities in no more than 72 hours after the determination is made. Our commitment to notification of customers for personal data breaches is 24 hours. If we determine that a breach has “a high risk to the rights and freedoms of natural persons” for data where we act as controller, we will attempt to contact the individuals affected without undue delay. Procedures are in place for detection, response, and communications regarding security incidents by the technical and support groups within TrueCommerce and its member companies.

Our product roadmaps, project plans, development methodology, and vendor relationship management all incorporate concerns for security and the privacy. All such activities include considerations for the risks posed to information assets and risks to the privacy of individuals. The TrueCommerce Information Security program is backed by executive management and the responsibility for implementation is shared by all employees.

As security policy and technical implementation specifics vary by product line, please contact your sales representative for documentation relevant to your use of our services.