Our GDPR Readiness

What Is the GDPR and Why Does It Concern You?

The European Union (EU) is introducing a landmark regulation called the General Data Protection Regulation (GDPR for short) on the 25th of May.

The goal of GDPR is to give EU residents drastic improvements to their privacy rights and control over their personal data, and to protect them from privacy breaches and leaks.

Every organisation that handles, markets or tracks the personal data of EU residents is concerned, even if they are not based in Europe. In the case of software companies which typically sell their products globally, this means that this new regulation will apply to everyone, no matter where they are based.

There are strong penalties in place for non-compliance: up to €20m or 4% of global annual turnover, whichever is higher.

Making sure we were compliant, and in turn that the personal data of the customers buying your products was treated correctly, whilst continuing to provide a great customer experience, has been an important focus for us over the past few months.

Here are the main concepts of the GDPR:

  • Personal data requires lawful processing. This means that you shouldn’t buy email lists where you don’t know how consent was acquired, and we can’t enable newsletters to customers if we don’t know whether they have consented to them.
  • Customers should specify exactly what communications they want to receive from you. This means that the language explaining how you will contact them needs to be very clear and respect certain rules - leading to fewer unsubscribes and spam reports.
  • Customers will have a right to transparency around the collection and processing of their data. This means that they will be able to ask us for the data we store on them, and receive it in a simple format.
  • Customers can request the right to be forgotten. This means that if they ask us, we will remove all their personal data - letting you focus on the best customers.

Implementing all of this could be complex (just ask our in-house GDPR experts who have been looking into its correct application!). We’re rolling out changes to ensure that it is simple and straightforward for you.

How We Operate As A Merchant Of Record

We act on your behalf as what is called a Merchant of Record (MOR).

From a legal point of view, this means that we are the reseller of your software. Most importantly, this also means that we assume responsibility for both compliance with local laws and regulations and handling of taxes on your behalf. We have to behave as if we had created the software ourselves.

Contracting with an MOR gives you considerable benefits, because you don’t need to do anything when it comes to dealing with compliance and taxes anywhere in the world: we handle everything for you automatically as part of our normal service. For more information, read our detailed explanation.

When it comes to GDPR, it means that when someone buys one of your products they are in fact contracting with us. Their personal data is protected under the GDPR, and we need a lawful reason to pass that data to you.

How We Handle Customer Data

We collect customer data during our checkout process for payment processing and order fulfilment purposes. This includes name, location, contact details, and billing information.

The personal data provided to us is protected under the GDPR. Under the Merchant of Record model, the customer is actually contracting with us rather than the vendor, and this means we require a lawful reason to pass that data on to you. GDPR gives us two applicable scenarios that allow us to pass the data on: legitimate interest and consent.

Paddle and our vendors have a legitimate interest in using customer-provided data for product fulfilment, order processing, fraud prevention, and product support. We will pass customer data to vendors to enable these use cases, and this does not require additional consent from the customer. It is important that vendors only use customer data for those scenarios, or they will not be compliant with the GDPR. Our vendor terms and conditions are also being updated to reflect these obligations.

The customer can also give us explicit consent to pass information on to you for reasons not covered by legitimate interests. The primary use case for our vendors is to collect explicit consent for marketing. We have made product changes to make this simple, clear, and easy.

Legal Documentation

Our legal team is busy writing updated terms and conditions for vendors, along with helping us to update our customer-facing privacy policy. These will be published before the cutoff date, and vendors will be prompted to confirm they agree to the new terms.

Data Transfer & Sharing

Rules for transferring data outside of the EU haven’t actually changed under GDPR, and whilst we process data outside of the EU, we do so in a way which is fully compliant with EU law.

We process and store data in the US using infrastructure and data solutions provided by Amazon. Amazon is certified under the EU-US Privacy Shield, and as such, the transfer and processing is compliant without the need for additional consent.

During our checkout process, customer data is securely shared with our payment providers. These providers are both GDPR and PCI DSS compliant. Sharing is necessary to facilitate the payment process. In addition, anonymized data is shared with a number of GDPR-compliant fraud monitoring platforms.

Our platform implements industry best practices for data security, including encryption at rest and in transit, access control, and auditing. Keeping customer data private and secure is extremely important to us at Paddle.

Cookies & Tracking

We use a small number of GDPR-compliant tracking and monitoring platforms. These services use a combination of temporary and long-lived cookies to identify unique user journeys. These services are used internally only for platform diagnostics and product improvements.

The data collected is not shared with any outside parties, nor is it used for any activities which would require further GDPR compliance or an opt-out. They are necessary to ensure the reliable operation of our platform.

How Vendors Can Access Customer Data

As a software business, you need to ensure on your side that you adhere to the new GDPR regulation. Our product changes make this as easy as possible, and a friendly experience for both vendors and customers.

  • There are a number of GDPR Legitimate Interests that allow us to continue passing customer data to you, the vendor, without explicit consent. These include order fulfilment, order and product support, but exclude marketing. It is your obligation to only use customer information for those interests, unless further consent is given for marketing.
  • We provide a simple way for you to additionally collect marketing consent during the checkout flow. We do this using GDPR-compliant language permitting marketing updates and offers in the future. We will pass this consent information back to you in our Dashboard and APIs.
  • Customers who previously opted in to marketing, but did so in a manner which was not GDPR compliant (such as having the confirmation checkbox automatically checked), will have their marketing consent removed until they opt in again.

For more information on these and the product changes we’re making as part of GDPR, read our GDPR announcement.