Hi,
I set up a limited company and shopify shop recently, and received a letter from ICO (Information Commissioner’s Office) in UK. It states that I every company that holds customers information on a computer must pay an annual fee for Data Protection purposes. My shop has yet to start functioning, does anyone else from UK are aware of this? are we liable to pay this fee if using shopify?
Thank You
Let me know if you get a response on this.
I have received the same letter..
Whether you need to pay a fee will be based on whether or not you handle certain pieces of data about customers. The ICO has a self-assessment quiz to check if you are exempt: https://ico.org.uk/for-organisations/data-protection-fee/self-assessment/
For what it is worth, after I went through the quiz myself for a Shopify business, I was classed as exempt and there is no fee to pay. You may well be the same, but it is best to check given your own circumstances. It is a good idea to get ahead of all these requirements too (i.e. make sure you have a privacy policy, a cookie banner, and observe security best practices).
Perfect.
thank you very much! Seems as my business is exempt too! We have a privacy policy but will look into the other points you had mentioned!
Appreciate the help
stay safe
Hello – I too sell through Shopify. The ICO asks if I’m processing personal information
‘Processing’ means doing any of the following with the information:
obtaining it;
recording it;
storing it;
updating it; and
sharing it.
Honestly, I have no idea! The info that customers submit when they buy my products is submitted to Shopify and once I’ve dispatched the order, I have no further use for it. I do briefly ‘obtain it’ when I read it and write an address label, but does this mean I’m processing it…?
Thanks.
Sue
Hi Sue
as per ICO website
‘Organisations that do not decide how personal data is processed are exempt. You therefore do not have to pay a fee to the ICO’
shopify is in charge of collecting/processing the data so i’d imagine you are exempt.
I received letter in Feb for payment but never paid and haven’t heard anything since.
hope this helps
Interesting! Thanks Lorna. I might just give them a bell and double check – no doubt they’ll be quick to fine me if I get it wrong! I’ll pass on any more info I get.
UPDATE: Right – I finally got to speak to someone at the ICO and got completely contradictory advice from two different people! The first woman I spoke to said that as a Shopify user, I would be liable for the fee; she then passed me onto someone else who said I wouldn’t. I also process wholesale orders so assume that this means I am, but if you only sell B2C via Shopify, then I’d say, call them up and check – you might be lucky and get the man who says you don’t have to pay it! They don’t record calls, though, so I wouldn’t rely on it in court…
HELLO
i just received the same email. and I was hesitant if i should pay or not.
i went to ico live chat, and i asked there if i should pay or not. i explained to her that i’m selling by using shopify and i just use the personal informations for send the product to my costumers and i didn’t use it for anything else. and she tell me that Then there would be no requirement to register, as this is under the ‘Accounts and Records’ core business exemption. and she asked about my Companies House number.
finally she tell me that recorded that my company is exempt from paying the data protection fee, so there will be no further letters sent out about this company.
just contact them in live chat
Hey all,
I got the same letter from ICO today too, and I’m still not sure this question has been answered: Are we, the store owners, considered to be processing personal information, or is it Shopify? Did anyone have any follow-up since this question was asked in 2021?
Ideally, I’d like to see someone from Shopify official weigh in here…
FYI (from the ICO website):
What does processing mean?
Processing is a term to describe anything you can do with the personal information you have. This includes (but is not limited to) collecting, recording, organising, storing, using, retrieving, altering, erasing and disclosing it.
What is a data controller?
Data controllers are the main decision-makers of what happens with personal information and give instructions to data processors. They have control over how and why personal information is collected, used, stored and destroyed.
What is a data processor?
Data processors act on behalf of, and only on the instructions of, data controllers.
Can we be both a controller and processor?
Yes. You may be a processor for some of the personal information you collect, use, store and destroy - acting only on the instruction of a data controller. But, you may also handle personal information as a data controller eg you make the decisions about it.