No matter if you're a data controller or data processor, the GDPR will change how you handle personal data in the cloud. Rich Returns helps you meet the new requirements. The GDPR requires that all organizations design and implement workflows and processes with privacy by design and by default. This means that your business should prioritize data protection from the very beginning of setting up new processes. Data protection should be an essential part of all services and not an extra option you add later.
Can I just choose a returns solution from any country for EU customers? Short answer, No.
As an eCommerce business operating a store, you are the entity controlling the customer data. Under GDPR this is called the 'data controller'. You are required to audit all entities that process that data on your behalf - your 'data processors', e.g. a returns solution provider - and ensure that each provider is GDPR compliant. With the recent invalidation of the EU-US Privacy Shield, the Schrems II decision changed the way organizations manage personal data transfers overnight. To legally transfer personal data from the EU to a third country, it must be shown that the recipient country and company provide a level of data protection equivalent to that of the GDPR.
All customer data is hosted in the EU with ISO 27001, 27017, 27018 and SOC1, SOC2, SOC3 compliant partners in order to comply with EU GDPR requirements.
For one thing, all Rich Returns employees are bound to data secrecy and data protection in general and are made aware of the consequences of any breach. For another thing, we run training and awareness programs on the handling of personal details and on data protection on a regular basis. These programs also cover new legislation such as the European General Data Protection Regulation (EU GDPR).
We generally assume that we are already compliant with the essential requirements of the EU GDPR today. In addition to the stipulations of article 25 of the EU GDPR (data protection by design and by default), this includes supporting the customer in respecting the rights of data subjects, such as the right to obtain erasure of personal details as well as the rights of access and data portability (ch. 3 of the EU GDPR). Nevertheless, we make sure that the application, the underlying infrastructure and our organizational structure are suitably equipped at various levels to meet the requirements of the EU GDPR.
Yes, data protection is an integral element of our product strategy. Therefore, even at the development stage of our features and roadmap we carefully respect principles such as data economy and use state-of-the-art measures to ensure an adequate level of protection. In addition, when preparing for the EU GDPR, we reviewed the default settings of the entire application and adapted them to provide the highest possible level of data protection while still ensuring user friendliness. Furthermore, the settings can generally be adapted to the customer's individual needs. To ensure this on an ongoing basis, we also defined a process for feeding legal requirements into product development and for reviewing the application accordingly at set intervals.
In the unlikely event of a data breach at Rich Returns, if personal data of a customer is affected and the breach is likely to entail a risk to the rights and freedoms of the customer's staff, Rich Returns will immediately notify the customer concerned, so as to enable them to fulfill their legal obligation to inform the regulatory authority and the individuals concerned.
For responsible disclosure please get in touch with us directly and include the following details:

Web application and APIs:
– URL where the vulnerability was detected
– Account name
– Type of vulnerability
– Information on how the vulnerability can be reproduced