Experiences with Snipcart regarding German & EU legal requirements?

Hi everyone :wave:

I am currently looking into the usage of Snipcart. In this process, I am seeking fellow users' experience to see if it can be a good fit (which I would really like).

As I am located in Germany though, the whole Schrems II / Privacy Shield and GDPR topic (as well as specific German requirements) is something I need to be concerned with. A lawyer told me the best thing (until there is a new settled cooperation between US and EU) to mitigate any risks concerning these topics (apart from good legal texts and a given DPA) would be to find a solution from within the EU. If that is not possible, he continued, there will always be a little “risk” involved - even though this is tiny, especially for small e-commerce endeavours since it would affect thousands of shops…

Long story short: I guess everything in life is a little risky, so I am hoping to gather some real life insights from fellow German/EU humans using Snipcart if it is possible to take on all requirements and / or what your experiences are with the Snipcart solution regarding the above-mentioned requirements?

Any input is greatly appreciated.

Cheers,
Woody


We understand your concern regarding compliance with EU data protection laws and we are happy to provide you with the information you need.

Our product is fully compliant with GDPR regulations. All data collected on citizens must be either stored in the EU, so it is subject to European privacy laws, or within a jurisdiction that has similar levels of protection. In 2020 Schrems II invalidated the GDPR’s 2016 EU-US Privacy Shield; however, in 2022 a new agreement was reached, the Trans-Atlantic Data Privacy Framework. This new agreement allows data to flow freely and safely between EU and participating U.S. companies.

Our servers are located in the East U.S., and we are using Azure cloud service. We are confident that using our product guarantees you compliance with European Data Protection regulations.

If you have any further questions, please do not hesitate to contact us.

Best regards,

Thank you for your answer @slemieux.

As far as I know this agreement is only valid for companies who are licensed for the Data Privacy Framework, and when this is the case they need to show up as licensed in this list: Data Privacy Framework

I cannot find Snipcart in there.
Is Snipcart officially registered for the Data Privacy Framework?

Best Regards, Christian

Hey @christianzehetner

We are aware of the DPF. We will be carefully examining the implications of certification, and will update you as and when Duda is DPF certified. We are also tracking the status of our vendors. In the meantime, all transfers of data to Snipcart in the US are secured by Standard Contractual Clauses, in connection with which we have completed a Transfer Risk Assessment which documents the legality of such transfer. The new DPF empowers the US Civil Liberties Protection Officer and the Data Protection Review Court (DPRC) to review cases of data transferred based on SCCs too; such that the regulatory profile of Snipcart’s transfers is even stronger now that the DPF has been agreed.

Best,

Thx for your answer. Through your post I learned just now that Snipcart got acquired by Duda. New information. Alright. So in the future do I need to look for an entry of Duda and not Snipcart in the DPF-Listing?

Can you send me a link to those Standard Contractual Clauses and this Transfer Risk Assessment?

Thx, Christian

Hi,

I think you should try this. Navigating Schrems II, Privacy Shield, and GDPR compliance can indeed be complex for e-commerce in Germany. While Snipcart can be a convenient solution, it’s crucial to ensure they provide adequate safeguards and data protection measures. Many small e-commerce businesses in the EU use Snipcart successfully by carefully configuring it to meet GDPR standards and considering local legal advice to minimize risks associated with international data transfers. Gathering insights from fellow users can provide practical perspectives on its suitability for your specific needs.

Thanks