Dropshipping and GDPR – Legal Issues in Romania - Transfer of Personal Data to Third Countries

Have you ever thought about starting an online business with as little hassle as possible? Then you probably considered dropshipping e-commerce model. Dropshipping is essentially a way to run an online store without product inventory. The customer places an order, you (the dropshipper) forward it to the supplier, and the supplier ships the product directly to the buyer. The dropshipper has no involvement in packaging or shipment.

Sounds easy and profitable. However, although not an impediment, legal aspects are to be considered, because otherwise you may incur financial and reputation damages.

There are several legal issues for the dropshipper to handle, and this article tackles one of the most important ones: transfer of personal data to a country outside of the European Economic Area (EEA) – which is named a third country, in light of the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).

What are the GDPR issues within the dropshipping model?

Transfer of personal data to third countries is one of the most sensitive aspects. By its very nature, this business implies the transfer of personal data. We will mainly refer to the hypothesis where the dropshipper, as controller and data exporter, transfers the customers’ personal data to its suppliers, as processors. In other words, customers’ data must be passed to the supplier so as for the latter to be able to dispatch the parcel.

Nonetheless, the dropshipper, as any other business owner, may choose to use certain services (such as payment services, server maintenance and other services necessary for their operations) provided by companies located in third countries. Requirements related to transfer of personal data to third countries are applicable to any personal data that leaves the EEA.

It is well known the fact that the most sought-after suppliers are located outside of the EEA, such as China or USA, so the matters below are to be taken into account before starting operations.

Why is it such transfer a sensitive matter?

While for the dropshipping model the transfer of the clients’ data is actually the business core, from the GDPR perspective, such transfer (if to third countries) can be seen as an exception. The rule is that a transfer should not be made, because there could be risks that the personal data are accessed in a harmful way. The transfer could take place only if, subject to the other provisions of the GDPR, the conditions laid down in the provisions of the GDPR relating to the transfer of personal data to third countries are complied with by the controller or processor.

The transfer can be made under strict requirements, by several ways:

• There is an adequacy decision - if the European Commission decided that a third country offers an adequate level of data protection.

In such cases, transfers of personal data to that third country may take place without the need to obtain any further authorization.

For the time being, the European Commission issued adequacy decisions in case of Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. Even if the dropshipper transfers data to one of these countries, the above list must be periodically reviewed, because at any time there may be amendments or even withdrawal of the decision. Here are the countries for which adequacy decisions have been issued: Click!

• In case there is no adequacy decision – one of the transfer tools provided by GDPR must be used. Among the transfer tools are the following: Binding Corporate Rules (BCRs), Standard Contractual Clauses adopted by the European Commission (SCCs), codes of conduct, certification mechanisms. The choice is to be made on a case-by-case basis.

Which are the steps towards GDPR compliance?

The dropshipper must conduct an in-depth assessment and to reply to the following main questions:

1. What data are to be transferred?

The principle of data minimization must be observed, meaning that the dropshipper must transfer only the data strictly necessary for the performance of the sale contract. For instance, there is no need to transfer the customer’s bank details to your supplier since the customer made or will make the payment towards your company.

2. What third countries are the data to be transferred to?

Each country implied should be taken into consideration, as each country ensures different levels of data protection.

It is of paramount importance a recent decision of the Court of Justice of the European Union (CJEU) which invalidates the Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (Case C-311/18). Practically, the US Privacy Shield was invalidated. In other words, as of July 16th, 2020, dropshippers supplying from USA must conduct case-by-case analyses to determine whether their data transfers meet GDPR standards.

3. What are the onward transfers?

The dropshipper must assess whether their suppliers (as processors) located outside of the EEA transfer the personal data the dropshipper entrusted to them to a sub-processor in another third country or in the same third country. For example, your Chinese supplier uses the transport services of a Chinese carrier, which handles your customers’ personal data (name, delivery address, phone number etc.).

4. What are the other details of my business scheme?

You should keep in mind the know-your-business principle at all times. There are plenty of details which could be relevant, and due care must be given to individuals’ right to data protection as a fundamental right. Limitations to this right may only be made if they have a lawful basis, are proportionate, and meet EU standards.

5. What is the transfer tool I rely on? Is it an adequacy decision or contractual clauses?

An adequacy decision is a true relief, as transfers to the respective country will be assimilated to intra-EU transmissions of data. Otherwise, due care must be given to contractual clauses between data exporter (the dropshipper) and data importer (third country suppliers etc.).

6. Is there anything in the law or practice of the third countries that may affect the effectiveness of the transfer tool I rely on?

Here comes another heavy part of the assessment. The characteristics of each transfer must be looked into and the dropshipper must evaluate what will be the impact on the effective exercise of the data subjects’ (your customers) rights they benefit from under GDPR.

7. If affirmative, what supplementary measures could I take to ensure the level of protection of the data transferred up to the GDPR standard?

In case the previous steps revealed that the transfer tool is not effective, you must identify supplementary measures of contractual, technical or organizational nature. Your suppliers, as data processors, should give you a hand in finding and implementing supplementary measures.

This evaluation may not be an easy task. However, the dropshipper must be aware that they are responsible for GDPR compliance, not the suppliers.

All in all, dropshipping could be a real success, to the extent legal matters are thoroughly scanned and settled up front.