The General Data Protection Regulation (GDPR) is a regulation in European law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
This regulation becomes enforceable on 25th May 2018. The GDPR is making many privacy related regulations more clearly defined and is requiring many companies to pay close attention to this. It affects you, the marketplace admins, and Sharetribe, as the service provider.
This might sound scary, but there is no reason to panic.
Is Sharetribe GDPR-compliant?
Sharetribe renewed its terms of service to be compliant with the GDPR. We also offer a separate Data Protection Agreement (DPA) so that you, as the marketplace admin, have a clear contract stating that your service provider (Sharetribe) follows GDPR practices. In a similar way, we sign a DPA with each of the third-party service providers we use in order to offer you the service. That ensures that every link in the chain follows the GDPR and that proper measures for user data security are taken.
Regarding the storage of the data: we use Amazon Web Services (AWS) cloud hosting, located in the US East data center. We have signed a DPA with AWS that includes the Model Clauses the EU currently requires to ensure that a data storage partner outside the EU is trusted enough to be used. The data is stored in a MySQL database, and access is limited to the Sharetribe employees who need it for their work. With some critical information we take extra measures: for example, user passwords are only stored in an encrypted format, and credit card details are not stored on our servers at all, only at the payment provider services that specialize in payment data handling.
You can find all documents below:
- Sharetribe's DPA
- Sharetribe's list of third parties used
Should my marketplace be GDPR-compliant?
If you have visitors and members in the European Union, yes.
And even if you don't, at least right now, it's probably a good idea to follow this regulation.
What should I do to be GDPR-compliant?
As Sharetribe is striving to make the job of running a marketplace easier for you, we also help you to fulfill the requirements of GDPR on our part. There are a few things to consider and we've shared them below, to the best of our current knowledge.
Remember that users control their data
As marketplace admin, you need to be able to offer your users the rights the GDPR requires. These include the possibility to see the data held about them and correct it if needed, and the right to "be forgotten", which means that their personal data should be deleted or anonymized to the extent possible.
This means that you can request a full database export from us at any time to see what is stored, and share the relevant parts of that data with your users if needed.
The easiest way to get a user's data deleted is for the user to log in to their account and delete their profile via the account settings. It's important to note that while identifying data is deleted, some content may remain. For example, messages related to transactions might include details that are vital to the other parties of those transactions, so they keep access to the messages they received, but they only see "deleted user" as the sender; the data is anonymized in that sense.
Ask, during signup, consent from members to receive emails from administrators
When users sign up to your marketplace, they have to give unambiguous consent to receive occasional messages from you.
If they want to hear from you, they have to check the "I accept to receive occasional emails from the My Marketplace team and understand that I can change my mind at any time" box during signup. They can also edit this choice at any time from their user settings.
If you email your marketplace members from your admin panel, people who refused to receive email from you won't be included in the recipients.
If you export your user list, you can find this information in the accept_emails_from_admin field and filter accordingly.
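As an added illustration of filtering an exported user list on that field (this is not Sharetribe's code, and the column name accept_emails_from_admin is the only thing taken from the article; the CSV layout and the true/false value format are assumptions, and the sample rows are constructed), the script below builds a recipient list that treats anything other than an explicit "true" as no consent, so an empty or malformed cell never adds someone to a mailing:

```python
import csv
import io

# Constructed sample export, not a real Sharetribe export. The column name
# accept_emails_from_admin comes from the article; the other columns and the
# true/false value format are assumptions for this example.
SAMPLE_EXPORT = """email,display_name,accept_emails_from_admin
alice@example.com,Alice,true
bob@example.com,Bob,false
carol@example.com,Carol,
dave@example.com,Dave,TRUE
"""

CONSENT_FIELD = "accept_emails_from_admin"
TRUTHY = {"true", "yes", "1"}


def consenting_recipients(export_text):
    """Return the e-mail addresses of members whose consent flag is explicitly set.

    Default is deny: an empty cell, "false" or any unrecognised value is
    treated as no consent. A file without the consent column is rejected
    rather than silently mailing everyone.
    """
    reader = csv.DictReader(io.StringIO(export_text))
    if CONSENT_FIELD not in (reader.fieldnames or []):
        raise ValueError(f"export has no {CONSENT_FIELD} column; refusing to guess")
    recipients = []
    for row in reader:
        flag = (row.get(CONSENT_FIELD) or "").strip().lower()
        if flag in TRUTHY:
            recipients.append(row["email"])
    return recipients


if __name__ == "__main__":
    for address in consenting_recipients(SAMPLE_EXPORT):
        print(address)
```

Run it against your own export by reading the file into a string; the only thing worth adjusting is the TRUTHY set if your export encodes the flag differently.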
Confirm consent from already registered members to receive emails from administrators
You should ask members of your marketplace who joined before 25th of May 2018 to confirm that they still accept receiving emails from you.
There are two ways to do that:
- Contact Sharetribe support and share the email you'd like to send, asking members to go to their user settings and check the related box. The Sharetribe support team will send the plain-text email on your behalf and will unsubscribe all users, so that only the people who accept can subscribe again.
- Email your users to ask for their consent and gather the list of email addresses of the people who agreed. Share that list with the Sharetribe support team; all other users will be unsubscribed.
Verify your tracking preferences
To improve Sharetribe's services and support, Sharetribe tracks marketplace members' activity. No personal data is collected, and this tracking can be disabled entirely.
It's also a good idea to mention Sharetribe as one of the services used in your project, as your members' data is stored at Sharetribe.
We are unfortunately not able to help with updating your own terms, but don't hesitate to contact someone with legal knowledge in your area.