General Data Protection Regulation

On May 25, 2018, new data privacy regulations known as the General Data Protection Regulation (GDPR) were enacted in the European Union (EU). As a WineDirect client, here are some key information you should know.

GDPR is a complicated regulation, and many aspects should be considered. Especially if you have many EU customers or contacts, we encourage you to consult a lawyer to ensure you are fully prepared and compliant. Please note that this page does not constitute legal advice; we have gathered the information for your reference.

For further guidance, the following regulators within the European Union have provided specific guidance on the GDPR:

• Full text of the GDPR Regulations
• UK Information Commissioner's Office Guide to Data Protection
• Ireland's Data Protection Commissioner Guide to GDPR

As you evaluate what changes you might need to make to comply with GDPR, here are a few common issues you should consider:

Privacy Notice

You must provide a Privacy Policy or Notice to everyone whose data you process. This includes customers as well as non-customers.

Customer Consent

You must secure specific consent before processing an individual's data. This is of particular concern when opting people into your marketing emails. Ensure you specifically ask customers or tasting room visitors if they want to opt into these communications. The same is true for cookies: if you currently use cookies to identify visitors to your website, you'll want to review how you apply those to EU residents.

Note that receipt and order tracking emails are considered transactional communications and are exempt from this requirement.

Data Access and Portability

In certain circumstances, the GDPR gives individuals the right to request a copy of a company's data processing. The GDPR requires that you provide your customers with a copy of their data in a common, easily readable, and portable format so that they can use that data with a different service provider. This is covered in full in Article 20 of GDPR.

For WineDirect clients, all your customer data is accessible via the Admin Panel and can be easily exported to Excel via Reports. Please get in touch with support if you need help or have questions about accessing or exporting specific customer data.

Right to Erasure or "Right to be Forgotten"

In certain circumstances, the GDPR gives individuals the right to ask that their data be erased or that a company restrict the processing of their data. This is covered in full in Article 17 of GDPR. If you receive such a request, please get in touch with the support team or your Fulfillment Account Manager, and we can help you do this.

FAQs

What is GDPR?

GDPR stands for General Data Protection Regulation. It is the European Union's new data privacy law and governs how companies use and process the personal data of European users. It also gives individuals specific rights over their data, including a right to access, correct, delete, and restrict data processing.

When does it come into effect?

May 25, 2018

My winery/business is not located in Europe. Do I need to worry about this?

Yes. GDPR affects all businesses that use and process the personal data of any European Union (EU) citizen. It does not matter physically where your business is located.

What does "personal data" mean?

Personal data includes information linked to an individual, such as name, email address, and zip code. GDPR also considers information such as an IP address to be personal information. Click here for a full definition of what constitutes personal data under GDPR.

What do I do if a customer asks for a copy of their data or wants me to erase it?

You can use Reports to extract your customers' data from WineDirect - such as order history, credit card information, phone number, and address.

If you have questions or a customer requests a data erasure, email support@winedirect.com or your Fulfillment Account Manager, and we'll assist you in executing the request.

How can I erase customer data while maintaining accurate sales records for my business?

GDPR offers exceptions to the erasure of customer data. You may find that information in Article 17 of GDPR. GDPR states that you are allowed to retain data on customers for the following reasons:

• Compliance requirements enforced by governmental agencies.
• Defense, establishment, or exercise of legal claims.

Based on the above, it is valid for you to retain customer sales information due to the compliance reporting requirements of various governments. Also, customer sales information is required by enforcement agencies in cases where fraud is suspected.

What steps has WineDirect taken to ensure my customers' data is secure?

WineDirect is committed to maintaining the highest level of data security. We encrypt all data during transmission and take reasonable measures to ensure our system is secure and non-breachable. Learn more about our security and PCI Compliance.

What is the difference between a "Data Processor" and a "Data Controller"?

Data Processor and Data Controller are terms used in the GDPR. Data Controller refers to the party determining how and for what purposes personal data is processed. Data Processor refers to the party that processes personal data on behalf of the Controller. In this case, the Data Controller is you (the winery), and the Data Processor is WineDirect.

Have another question about GDPR? Please email us at support@winedirect.com or your Fulfillment Account Manager.