GDPR compliance for Ecommerce

Audit → Compliance → DPO outsourcing


Why trust us?

We have over 15 years of experience in EU personal data protection and in implementing ISO 27001-grade information security, so we know the latest regulations intimately in both letter and spirit. We also carry general liability insurance of $500k, so you may feel safe in our hands.

Your risk profile

If you serve EU clients (e.g. allow them to sign up or purchase goods), then you need to comply with GDPR even if you operate outside of the EU, or potentially face harsh consequences: steep penalties, freezing of your EU-facing business by the authorities, civil lawsuits (including class actions), a credibility crisis and loss of customers’ trust among them.

Is my platform compliant?

We won’t lie to you – becoming GDPR compliant isn’t only about upgrading your software to the latest version or installing a plugin or a module. GDPR isn’t prescriptive about the means of personal data protection, quite the opposite – it relies on our practical knowledge of the GDPR law combined with your knowledge of your own business, so that the applied compliance solutions are optimal for you.

Step 1: GDPR Audit

Audit of your organization – usually 1-2 months depending on your team’s availability:

  • we conduct a series of written surveys, meetings and phone calls, visit your offices, review your IT systems and physical security, and gather existing documentation, in order to learn all about your data processing activities:
    • what is your organization structure,
    • what are the specifics of your data processing:
      • who? (identity of the data controller, the persons in charge of the processing operations and the data processors)
      • what? (categories of data processed, sensitive data)
      • why? (purposes of the processing)
      • where? (processing solutions, storage location, data transfers)
      • until when? (data retention period)
      • how? (security measures in place)
    • to which countries personal data is transferred,
    • what kind of personal data protection solutions exist so far,
  • after gathering enough information we analyze it in the context of the GDPR requirements and other specific legislation, e.g. employment regulations
  • as a result you get a report with a list of:
    • potential infringements and associated risks,
    • recommended corrective actions and data protection measures,

Step 2: Compliance implementation

Training sessions for your team

  • before we start implementing post-audit recommendations, we need to raise awareness of new regulations and discuss various scenarios of reaching compliance
  • workshops may be conducted separately in each location and/or in each department
  • end goal for each workshop is to agree on optimal solutions for your business

Compliance solutions implementation – usually 1-2 months depending on your team’s availability

  • together we implement solutions, so you can meet your legal obligations
    • for data processing throughout the whole data lifecycle:
      • data collection
      • data processing
      • data removal
    • respecting the rights of data subjects to:
      • information about your processing activities
      • data removal
      • data restriction
      • data portability
      • objection to data processing, including objection to automated decision making
    • we also implement various data protection measures, for example:
      • required best practices, such as:
        • train all the staff responsible for personal data protection,
        • sign personal data specific NDAs with all staff involved,
        • appoint a Data Protection Officer, as a single point of contact and to drive as well as supervise data protection efforts,
        • limit access to personal data and monitor it,
        • limit the scope and timeframes of personal data processing,
        • enable data subjects to exercise their rights in a timely manner,
        • automate as many data protection processes as possible to improve efficiency and response times,
      • personal data security measures:
        • organizational
        • technical
        • physical
      • periodic checks, to:
        • perform follow-up compliance audits,
        • evaluate risks (PIA) and necessary risk mitigation solutions,
        • evaluate the effectiveness of applied security measures,
        • apply improved corrective measures,
      • efficient procedures in case of a security incident or a breach:
        • breach detection procedures,
        • breach investigation and documentation,
        • limiting breach impact and implementing corrective measures,
        • supervisory authority notification within 72 hours,
        • data subject notification, if necessary,
      • last but not least, we document your accountability for personal data protection,
        • prepare a “Record of Processing Activities”, as required by Article 30,
        • complete Data Protection Impact Assessments (PIA), as per Article 35,
        • sign written Data Processing Agreements with processors, as per Article 28,
        • ensure legality of data transfers outside the EU, as per Articles 44-50,
        • prove legal basis for the processing, as per Article 6,
        • prove compliance with data subject information obligations,
        • apply various codes of conduct and certifications, as per Articles 40-43

Step 3: Data Protection Officer outsourcing

We serve as your expert Data Protection Officer, whose role is to:

  • answer any questions, guide and train your team,
  • coordinate personal data protection efforts,
  • monitor and evaluate personal data protection solutions,
  • respond to any breaches or incidents,
  • serve as a point of contact to all data subjects and the Data Protection Authority.

Request contact from us

About your personal data

At this point we’d like to explain how we’ll process your personal data submitted in this form.

Spark Solutions Sp. z o.o. based in Warsaw, Poland will be processing your personal data submitted in this form as a sole controller.

Your data shall be processed on the basis of your consent and in order to sign and perform our contract with you, so the legal ground for our actions is Art. 6 (1) (a, c) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the EU L 119, 2016, p. 1).

We also inform you that you have the following rights:

  • you can access or rectify your data at any time,
  • you can erase your data, but only if it is no longer necessary,
  • in some cases you can demand restriction of the processing of your data,
  • you can ask to transfer your data to another controller (company),
  • you can withdraw your consent at any time, but please remember that this will not affect the lawfulness of processing carried out prior to your withdrawal,
  • at any time you can lodge a complaint with a supervisory authority about our processing of your data.

Your personal data shall be stored for 3 months from your submission.

The recipients of your personal data provided will be our employees, contractors, service suppliers, in particular in the field of hosting (Digital Ocean) and accounting.

In addition, the recipients of your data will be authorities, bodies and other public entities authorised by law, if so provided by law.

The provision of data and consent is fully voluntary but necessary for the purposes of conducting business with us. Without this data we cannot reply with a quote or sign a contract with you.

Therefore, you hereby agree to the processing of your personal data by Spark Solutions Sp. z o.o., Warsaw, Poland, so that we can contact you, present you with a quote and sign a contract for our services.

Your personal data will be transferred outside of the European Economic Area to Digital Ocean based on Privacy Shield agreement compliance.

You may contact our Data Protection Officer at [email protected].

What clients say about us

Thank you for the wonderful job, you guys are (by far) the best company we’ve worked with so far. Keep it up! We will definitely continue to work with your agency! We appreciate your honesty, expertise and proactivity!

Sam Basilio, Yuve Co-founder

Their timeline & budget estimates were very precise. And most importantly they delivered the working software within the estimated timeline and budget. Today, is the largest marketplace for luxury goods in the world serving members across the globe. Great job!

J.A. Edwards, Founder

I would say their disposition and their ability to try to get stuff done in the best way possible is unique. Spark Solutions seems to have the attitude of wanting to make it right together. I think that’s hard to find in developers, especially offshore teams.

Reshma Chattaram Chamberlin, B/C Designers Founder

Why work with us?

E-business Expertise

Our team is composed of seasoned web entrepreneurs and experienced developers who built e-commerce applications used by millions.

Technical Skills

We’re experts in building e-commerce solutions, online marketplaces and heavy load applications with great responsive interfaces.

Transparency & Agility

We are transparent, agile & work across multiple time zones – from California to Australia. Contact us and we’ll accomplish your goals.

Let’s talk via Skype or Google Hangouts

Contact us
Michal Faber
GDPR for Ecommerce and Online Businesses