VPCart GDPR Statement
What is GDPR?
GDPR, also known as General Data Protection Regulation, is the new data protection regulation of the European Union that aims to secure people's privacy (personal data) and make sure that the online stores, the cloud services, and other companies with internet presence treat this personal data carefully.
GDPR is about to come into full effect by 25th of May 2018. By this, at the latest, all processing of EU citizens' personal data must comply with this regulation.
Personal Data and Data Protection Definitions
Personal data means any information that relates to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. It also includes any data that can be used with other sets of data to identify an individual. Typical examples of personal data are name, identification number, online identifier, email address, location data etc.
Processing means any operation which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Data Subject means the individual whose personal data is being processed.
Data Controller means the organization which determines how personal data is processed.
Data Processor means an organization which processes data on behalf of a Controller. This typically means a third party who is used by the Controller to process their data (eg. a marketing company used to send out marketing materials)
For more information about the GDPR data protection and key definitions, please visit the Information Commissioner's Office page at:
GDPR Penalties and Fines
The Information Commissioner's Office (ICO) has a range of corrective powers and sanctions to enforce the GDPR. These include issuing warnings and reprimands; imposing a temporary or permanent ban on data processing; ordering the rectification, restriction or erasure of data; and suspending data transfers to third countries.
The administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be "effective, proportionate and dissuasive".
There are two tiers of administrative fines that can be levied:
1) Up to €10 million, or 2% annual global turnover – whichever is higher.
2) Up to €20 million, or 4% annual global turnover – whichever is higher.
The fines are based on the specific articles of the Regulation that the organization has breached. Infringements of the organization's obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual's privacy rights will be subject to the higher level.
Your GDPR responsibilities as VPCart Hosting Customers and Business Ready Plan Customers
When you use our services to store or process your personal data (including customer's or user's data), you are the Data Controller and we are a Data Processor. This will be true for any personal data you place on our servers either directly, via a hosted website, subscribe to our Business Ready Plan or by use of any of our other services.
The GDPR requires you, as a Data Controller, to ensure that any Data Processor services you use to process personal data are GDPR compliant. This means that when you use any of our services to process your personal data you need to carry out due diligence on our services and ensure certain contractual terms are in place.
This GDPR statement is our way of helping you meet these GDPR regulatory requirements and to offer you the assurance that we take GDPR and the security of your personal data as part of the everyday running of our services.
Your GDPR responsibilities as VPCart eCommerce Merchants
If you are selling products or services to EU citizens using our VPCart eCommerce software, here are the key steps to make your eCommerce store GDPR compliant:
1. Please check what data you are collecting
As an eCommerce store, there are forms where you would be asking for your customer's personal details:
During signup - name, address, email, phone number, company name, etc.
During checkout - name, address, email, phone number, company name, etc.
In any case, you should ensure that you collect only the required data. For instance, storing an email address is required to identify a customer uniquely. You have to tell the clients that you are storing their email address in your terms and conditions.
2. Mention the use of your customer's data in your terms and conditions
You can use our VPCart Page Manager to create your company (store) policies page and also terms & conditions page then display them in your top or bottom navigation menu using VPCart Menu Manager.
You can also enable config xlicenseagreement from your VPCart administration and setup your own HTML page for the config xlicenseurl that includes your statement about data protection etc.
When your customers are checking out, they will read this consent and they will decide if they want to continue giving their personal data or not. If they tick/check the checkbox on the agreement, then they can only continue to the next checkout page.
Our GDPR commitment
As an Australian company, Rocksalt International Pty Ltd. (VPCart) is committed to ensuring our business, services and internal processes are GDPR compliant. We utilize consultants to advise us on components of our services and how the GDPR changes affect our compliance. As such, this GDPR Statement provides our assurances to GDPR compliance.
By the GDPR implementation due date, we will have set up:
- Employee data protection training to ensure our company staff comprehends their role in the GDPR data protection compliance.
- Updated internal policies relating to data protection and responsibilities inside our organizations for ongoing GDPR compliance.
- Check all our systems, processes, cart features and services to ensure they meet the requirements of GDPR, particularly around security of data and our use of any external third-party services.
- Updated terms and conditions that meet the authoritative prerequisites of GDPR.
Our VPCart hosting services are compliant because:
- Our servers are working with ISO 27001.
The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organization is actively managing its data security in line with international best practice.
- We have completely surveyed our own GDPR compliance both in terms of the services we offer to our clients and regarding our own internal policies and procedures.
- We limit technical support members access to our hosting billing administration. Only senior managers and those who role it is to manage customer accounts are allowed to access our customer records.
- All of our server passwords and main administrator passwords are changed regularly with strong password required enabled to ensure unauthorized persons are unable to access customers' personal data (which may have EU customers data inside).
VPCart Hosting Role as a Data Processor
You are the proprietor of the data you submit to our services (whether you are using our VPCart hosting or Business Ready Plan).
When your data is placed on our servers, you are the Data Controller and VPCart Hosting, as the Data Processor. We do not access the personal data you store on our services and any processing (as a Data Processor) is only in terms of the hosting services we provide to you. We do not utilize your data for any processing of our own.
We do not share or give access to any of your data with third parties unless required to do as such by law. Where law enforcement or other authorized parties ask for access to our servers, we follow strict internal policies for dealing with such requests in line with existing Australian law. Moreover, the third parties are required to exhibit they have a legitimate reason to access the data and under what authority level.
VPCart Hosting Servers Location
Your website data is stored on our own servers hardware. This hardware is co-located, in the datacentre located in Washington DC, USA. Our datacentre is ISO 27001 certified. Our datacentre has attained the international auditable standard of ISO/IEC 27001 by setting best practices for data privacy, security, and information governance that are applied to processes, IT systems, and people, by establishing and maintaining a company-wide Information Security Management System (ISMS).
Third Party Services