GDPR Compliance

Understand and implement GDPR requirements for handling customer data in your digital downloads business.

What is GDPR:

  • General Data Protection Regulation
  • EU law protecting personal data
  • Applies to EU residents
  • Applies to merchants selling to EU customers
  • Enforced since May 25, 2018

You must comply if:

✓ You're located in EU
✓ You sell to EU customers
✓ You process EU customer data
✓ You store EU customer information

Even if:

• Your business is outside EU
• Only occasional EU sales
• Small business/sole trader

In practice: If you use Shopify and sell digital products, GDPR likely applies.


What Alva Digital Downloads collects:

Customer Information:

• Name
• Email address
• IP address (download tracking)
• Device/browser information
• Purchase history
• Download activity

Order Information:

• Order details
• Product purchased
• Payment information (via Shopify)
• Delivery status

What it means:

  • Collect data legally
  • Be honest about use
  • Inform customers clearly

How to comply:

✓ Privacy policy on website
✓ Cookie consent banner
✓ Clear data collection notices
✓ Explain why you need data

What it means:

  • Collect data for specific purposes only
  • Don’t use for unrelated purposes

Alva purposes:

✓ Order fulfillment
✓ Download delivery
✓ Customer support
✓ Fraud prevention
✓ Service improvement

Not allowed:

✗ Sell customer data
✗ Unrelated marketing (without consent)
✗ Share with third parties (unless necessary)

What it means:

  • Only collect necessary data
  • Don’t collect “just in case”

Alva collects minimum:

Essential:

✓ Email (to send download link)
✓ Order details (to fulfill)
✓ IP address (security/fraud prevention)

Not collected:

✗ Phone number (unless customer provides)
✗ Address (digital products don't need)
✗ Social media (irrelevant)

What it means:

  • Keep data accurate and up-to-date
  • Allow customers to update information

How to comply:

✓ Customers can update email in Shopify account
✓ Delete incorrect data on request
✓ Regularly clean old data

What it means:

  • Don’t keep data longer than necessary
  • Delete when no longer needed

Alva retention:

Order data: 2 years (accounting/tax requirements)
Download logs: 1 year (fraud prevention)
Email logs: 90 days (troubleshooting)
Customer data: While customer account active

After retention period:

  • Automatically deleted OR
  • Anonymized (personal identifiers removed)

What it means:

  • Keep data secure
  • Prevent unauthorized access
  • Protect from loss

Alva security:

✓ Encrypted data transmission (HTTPS/TLS)
✓ Secure storage (Cloudflare R2, encrypted)
✓ Access controls (authentication required)
✓ Regular backups
✓ Secure CDN delivery

What it means:

  • Demonstrate compliance
  • Document processes
  • Take responsibility

How to comply:

✓ Maintain privacy policy
✓ Document data processes
✓ Record consent
✓ Keep compliance logs
✓ Appoint DPO if required (large businesses)

What: Customers know what data you collect and why

How to comply:

  • Privacy policy on website
  • Clear at checkout
  • Data collection notices

Example privacy policy section:

DATA WE COLLECT:
When you purchase digital products, we collect:
• Name and email address (to deliver your files)
• Order details (to fulfill your purchase)
• IP address (for fraud prevention)
• Download activity (to enforce download limits)
We use this data solely to provide our service and
improve your experience. We never sell your data.
Full privacy policy: [Link]

What: Customers can request copy of their data

How to comply:

When customer requests:

1. Verify customer identity
2. Gather all their data:
• Orders
• Download history
• Email logs
• Account information
3. Export to readable format (CSV/PDF)
4. Provide within 30 days (GDPR requirement)
5. Free of charge

Alva tools:

  • Export orders via dashboard
  • Download logs available
  • Email logs accessible

What: Customers can correct inaccurate data

How to comply:

Customer: "My email is wrong in your system"
You: Update email in Shopify admin
Confirm update
Notify customer

Timeline: Without undue delay, within 1 month


Right to Erasure (“Right to be Forgotten”)

What: Customers can request data deletion

When required:

✓ Data no longer needed for original purpose
✓ Customer withdraws consent
✓ Customer objects to processing
✓ Data processed unlawfully

When you can refuse:

✗ Need data for legal obligation (tax records)
✗ Legal claims/defense
✗ Legitimate interests override

Process:

  1. Customer requests deletion:

    "Please delete all my data"
  2. Verify legitimate request:

    • Check if exceptions apply (tax records)
    • Confirm customer identity
  3. Delete data:

    ✓ Order details (if past retention period)
    ✓ Download history
    ✓ Email logs
    ✓ Personal information
  4. Anonymize if can’t delete:

    If must keep order for accounting:
    • Replace name with "Deleted User"
    • Replace email with deleted-user-[id]@example.com
    • Remove IP addresses
    • Remove other personal identifiers
  5. Confirm deletion:

    Email: "Your data has been deleted as requested."

Timeline: Within 30 days
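
The deletion and anonymization steps above, combined with the retention periods listed earlier on this page, as an added example (not Alva's own code). The record layout, field names and function names are assumptions made for illustration, and the [id] in the placeholder address is taken to be a random token generated per request.

```python
import secrets
from datetime import date, timedelta

# Retention periods stated on this page (a year approximated as 365 days).
RETENTION = {"order": timedelta(days=730), "download_log": timedelta(days=365),
             "email_log": timedelta(days=90)}
# Assumed field names for identifiers that must not survive anonymization.
IDENTIFIER_FIELDS = ("customer_id", "ip", "user_agent")

def expired(rec, today):
    """True once a record is older than the retention period for its kind."""
    return today - rec["created"] >= RETENTION[rec["kind"]]

def anonymize(rec, token):
    """Keep an order's accounting facts; replace or drop personal identifiers."""
    out = {k: v for k, v in rec.items() if k not in IDENTIFIER_FIELDS}
    out["name"] = "Deleted User"
    out["email"] = f"deleted-user-{token}@example.com"
    return out

def erase_customer(records, customer_id, today):
    """Handle one erasure request; returns (remaining_records, deleted_count)."""
    token = secrets.token_hex(4)  # random [id], not derived from the customer id
    remaining, deleted = [], 0
    for rec in records:
        if rec.get("customer_id") != customer_id:
            remaining.append(rec)
        elif rec["kind"] == "order" and not expired(rec, today):
            remaining.append(anonymize(rec, token))  # kept for accounting, stripped
        else:
            deleted += 1  # logs and orders past retention are removed outright
    return remaining, deleted

def retention_sweep(records, today):
    """Scheduled job: drop every record past its retention period."""
    return [r for r in records if not expired(r, today)]

# Constructed sample records (not real data).
SAMPLE = [
    {"kind": "order", "customer_id": 7, "created": date(2024, 1, 15), "name": "John Smith",
     "email": "john@example.com", "ip": "203.0.113.9", "order_number": "1045"},
    {"kind": "order", "customer_id": 7, "created": date(2021, 3, 1), "name": "John Smith",
     "email": "john@example.com", "ip": "203.0.113.9", "order_number": "0212"},
    {"kind": "download_log", "customer_id": 7, "created": date(2024, 5, 1), "ip": "203.0.113.9"},
    {"kind": "email_log", "customer_id": 8, "created": date(2024, 1, 1), "email": "a@example.org"},
]

if __name__ == "__main__":
    remaining, deleted = erase_customer(SAMPLE, 7, date(2024, 6, 1))
    print(deleted, remaining)
```

If the [id] were the customer id itself, the placeholder address would remain a stable pseudonym for that person; the random token and the dropped customer_id field avoid that.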


What: Customer can limit how you use their data

Example:

Customer: "Don't use my data for marketing"
You: Mark account "no marketing emails"
Only use for order fulfillment

What: Customer can get data in machine-readable format

How to comply:

Export customer data:
• JSON or CSV format
• Structured and readable
• Easy to import elsewhere

Example JSON export:

{
  "customer": {
    "name": "John Smith",
    "email": "john@example.com"
  },
  "orders": [
    {
      "order_number": "1045",
      "date": "2024-01-15",
      "products": ["Course Bundle"],
      "downloads": 2
    }
  ]
}

What: Customer can object to data processing

Common objection:

"Don't use my data for marketing"

Response:

✓ Stop marketing immediately
✓ Confirm via email
✓ Keep data for fulfillment only

Create comprehensive privacy policy:

Required sections:

1. What data we collect
2. Why we collect it (purpose)
3. How we use it
4. How long we keep it
5. Who we share it with
6. Customer rights
7. How to contact us
8. Cookies we use

Location:

  • Link in website footer
  • Link at checkout
  • Include in order confirmation

Tools:

  • Privacy policy generators (GDPR-compliant)
  • Shopify’s built-in privacy policy
  • Legal templates

If using cookies:

Implement cookie banner:

"We use cookies to improve your experience.
[Accept All] [Reject Non-Essential] [Settings]
Learn more: [Privacy Policy]"

Categories:

Essential: Required for site to work (no consent needed)
Analytics: Google Analytics, etc. (require consent)
Marketing: Facebook Pixel, ads (require consent)

Tools:

  • Cookie consent apps (Shopify)
  • Osano, OneTrust, Cookiebot

If using third-party services:

Document processors:

Service: Cloudflare R2
Purpose: File storage and delivery
Data shared: Files, download logs
DPA: [Link to Cloudflare DPA]

Service: Postmark
Purpose: Email delivery
Data shared: Customer email, order details
DPA: [Link to Postmark DPA]

Ensure all processors are GDPR-compliant.


Implement security measures:

✓ HTTPS/SSL certificate on website
✓ Secure password storage (hashed)
✓ Access controls (authentication)
✓ Regular backups
✓ Encryption for sensitive data
✓ Secure API keys
✓ Monitor for breaches

Prepare for data breaches:

GDPR requirement:

  • Report to supervisory authority within 72 hours
  • Notify affected customers if high risk

Breach response plan:

1. Identify breach
2. Contain breach
3. Assess risk to customers
4. Report to authority (if required)
5. Notify customers (if high risk)
6. Document incident
7. Prevent future occurrences

Document how to handle:

Data access requests:

1. Customer emails: "I want my data"
2. Verify identity (order number, email)
3. Export data (all orders, downloads, emails)
4. Send within 30 days
5. Log request

Deletion requests:

1. Customer emails: "Delete my data"
2. Verify identity
3. Check if exceptions apply
4. Delete or anonymize
5. Confirm deletion
6. Log request

Monthly:

☐ Review privacy policy (any changes needed?)
☐ Check cookie consent working
☐ Verify data retention rules applied
☐ Process any customer requests

Quarterly:

☐ Audit data collection practices
☐ Review third-party processors
☐ Update documentation
☐ Train team on GDPR

Annually:

☐ Full GDPR compliance review
☐ Update privacy policy
☐ Review DPAs with processors
☐ Consider DPO appointment (if applicable)

Maintain records:

✓ Privacy policy (current + versions)
✓ Cookie policy
✓ Data processing agreements
✓ Customer consent records
✓ Data breach incidents (if any)
✓ Customer request log (access, deletion, etc.)
✓ Staff training records

Why: Demonstrate compliance if audited


Potential fines:

Tier 1 violations:

Up to €10 million OR 2% of global revenue
(whichever is higher)
Examples: Inadequate security, no DPA

Tier 2 violations:

Up to €20 million OR 4% of global revenue
(whichever is higher)
Examples: No consent, not honoring customer rights

In practice:

  • Fines rare for small businesses
  • Warnings usually first
  • Intent matters (accidental vs. negligent)
  • Compliance effort considered

Prevention: Implement compliance, document efforts


If doing marketing:

Consent required:

✗ Pre-checked boxes
✓ Explicit opt-in checkbox
✓ Separate from terms acceptance
✓ Clear what they're consenting to

Example:

☐ Yes, send me marketing emails about new products
and special offers. I can unsubscribe anytime.

Unsubscribe:

✓ One-click unsubscribe
✓ No login required to unsubscribe
✓ Process immediately
✓ Confirmation email

Compliance tools:

  • Privacy policy generators: Termly, Shopify’s generator
  • Cookie consent: Osano, Cookiebot
  • DPO services: External data protection officers

Educational:

  • ICO (UK): ico.org.uk
  • GDPR.eu: gdpr.eu
  • EU GDPR portal: ec.europa.eu/info/law/law-topic/data-protection

When to consult lawyer:

• High-volume business (>$1M revenue)
• Sensitive data processing
• Complex data operations
• Previous complaints/investigations
• Uncertain about compliance

Legal advice:

  • GDPR compliance lawyers
  • Data protection specialists
  • Industry associations