The GDPR is a regulation in EU law on data protection and privacy for all individuals in the European Union, and it goes into effect on May 25, 2018. The GDPR is designed to harmonize data privacy laws across Europe, to address the export of personal data, to protect and empower all EU citizens' data privacy, and to reshape the way organizations across the region approach data privacy.
If you’re a seller based in the EU, you need to understand the requirements of GDPR and take steps to ensure you comply. Additionally, you may need to make some changes in how you communicate with buyers and how you process any personal information that you collect.
If you’re a seller based outside of the EU but your items are available to EU buyers, you’ll also need to understand and comply with GDPR. If you don’t sell to buyers based in the EU, then no action is required.
Important: The penalties for non-compliance with GDPR can be significant – according to EU rules this can be up to €20m or 4% of annual global turnover, whichever is greater. Under the new law, EU residents can also initiate class-action lawsuits related to the protection and usage of their personal information, so it’s important that you understand and comply with the rules.
You’ll find everything you need to know about GDPR and the steps you need to take in how you collect and process any personal information at the EU’s official GDPR website.
How we prepared for GDPR
- Analyzed, mapped and documented the flow of personal information from the time we collect it to when we destroy it.
- Designed and implemented enhanced processes to allow users in the EU to exercise their rights, which include accessing, modifying and deleting their personal information. For several years, our policy has been to allow users worldwide to access the personal information that we have about them, even when we have no legal requirement to do so. This policy remains in place, so users outside of the EU can also request this information from us.
- Implemented processes to fulfill the rights of users in the EU, which include access, modification, and deletion of their personal information within one month.
- Redesigned our registration process and privacy consent experience in our products to be more transparent and provide our users with more control.
- Rolled out privacy-by-design training to teams to incorporate privacy minimization concepts into our engineering processes, and to identify areas where we can improve privacy protections within existing products and services.