RENUDO's NY INC. GDPR Whitepaper

 

Disclaimer

Please note that this document is provided for informational purposes only. Its contents may be subject to change over time. The information contained in this white paper can not be interpreted as legal advice.

 

Table of contents

Disclaimer

 

Table of contents

1.0. Introduction

1.1. Terms

2.0. Global GDPR application GDPR to

2.1. Renudo’s NY inc.

2.2. Renudo’s partners

2.3. Customers

2.4. Data does the GDPR apply to

3.0. Controller vs. processor status

3.1. Processor obligations

3.1.1. Subprocessing

3.1.2. Data protection impact assessments

3.1.3. Personal data breach reporting

3.1.4. Appointment of a Data Protection Officer

 3.2. Controller obligations

3.2.1. Facilitating requests

3.2.2. Posting a privacy notice

3.3.1. Customers

3.3.2. Telephone support

3.3.3. Chat support

3.3.4. Forums

3.4.1. Complying with marketing and cookie regulations

3.4.2. Obtaining consent to process children’s data

4.0. Legal basis for processing

4.1. Data transfers

4.2.1. Within EEA

4.2.2. EEA to Canada

4.2.3. United States

4.2.4. Disclosures to third parties

4.2.5. Renudo’s partners ecosystem

4.2.6. App Store disclosures

5.0. Data subject rights

5.1. Erasure

5.1.1. Timing

5.1.2. Scope

5.2. Access

5.3. Data portability

5.4. Rectification

5.5. Automated decision-making

6.0. Data protection and security

6.1. Organisational measures

6.2. Technological measures

6.2.1. Monitoring and logging

6.2.2. Security controls

6.2.3. Security standards and certifications

7.0. Contractual agreements and data processing addenda

7.1. Renudo’s partners plans

8.0. Accountability and transparency

8.1. Data trasparency

8.2.1. laws

8.3.1. Contact informations

8.4.1. Renudo’s partners to host, business comply with GDPR

8.5.1. Renudo’s partners sign Standard Contractual Clauses

 

 

1.0.Introduction

Renudo’s NY inc. believes strongly in protecting our customers’ personal data, and understands that doing so is critical to help you preserve the trust and confidence of ours customers. This whitepaper presents Renudo’s NY inc. approach to GDPR preparation and compliance.

 

1.1.Terms

BCRs: ​Binding Corporate Rules.
Controller:​ Party that determines how and for what purposes personal data is processed.
Customer:​ Person visiting a store hosted by Renudo’s NY inc..
Datasubject: Person about whom personal data relates.
DPIA: ​Data Protection Impact Assessment.
EEA: European Economic Area. EEA countries currently include Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
GDPR: ​General Data Protection Regulation.
Merchant: Party using Renudo’s NY inc. to host their store.
NDA: ​Non-disclosure Agreement
Partner: ​Party that creates Renudo’s NY inc. stores on behalf of merchants.

Personal data:​ Any information relating to an identified or identifiable person.
PIPEDA:​ Personal Information Protection and Electronic Documents Act.

Processor:​ Party that processes personal data on behalf of the controller.

 

2.0. Global GDPR application GDPR to:

2.1. Renudo’s NY inc.

The GDPR applies to any company that handles the personal data of residents in the European Economic Area (EEA). Because Renudo’s NY inc. works with merchants who serve customers in the EEA, and serves customers in the EEA directly, the GDPR applies to these elements of its business.

 

However, because Renudo’s NY inc. believes strongly in data protection and privacy, it gives all of ours customers the rights afforded by the GDPR to control their personal data, wherever they live. Additionally, Renudo’s NY inc. provides tools and processes for our customers to fulfill GDPR-related requests regardless of the customer’s location.

 

2.2. Partners

Separate from the way in which the GDPR applies to Renudo’s NY inc., the regulation also applies to Renudo’s NY inc.’s partners who operate in the EEA or offer goods or services to residents of the EEA.

 

Renudo’s NY inc. is ultimately responsible for ensuring that our business complies with the laws of the jurisdictions in which they operate or have customers.

 

Using Renudo’s NY inc. alone does not guarantee that a partners complies with the GDPR - customers must analyse their own business practices to ensure their compliance.

 

2.3. Customers

The GDPR also gives certain rights to identified or identifiable persons (referred to as ​data subjects), including customers visiting stores belonging to Renudo’s NY inc.. These include the right to request:

 

●  Deletion (erasure​) of their personal data

●  Correction (rectification)of their data

●  Access to their data

●  An export of their data in a common (​portable)format

This topic is discussed more fully in the ​Data subject rights​ section.

 

2.4. Data does the GDPR apply to:

The GDPR generally applies to the collection and processing of personal data. Under the GDPR, personal data means any information relating to a data subject. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as:

 

●  Name

●  Identification number

●  Location data

●  Online identifier (such as IP address or cookie ID)1

 

 

3.0. Controller vs. processor status

The GDPR separates data protection responsibilities into two categories: controllers and processors.

 

Controller:​ The party that determines for what purposes and how personal data is processed.2

Processor:​ The party that processes personal data on behalf of the controller.3

 

Under the GDPR, in most cases Renudo’s NY inc. as merchant collects information from ours customers as a controller. Generally, Renudo’s NY inc. acts as a processor with respect to such customer personal data (or, if Renudo’s NY inc. acts as a processor, ours partners acts as a subprocessor).

 

The one exception is for customers with whom ours partners has a direct existing relationship. For example:

 

●  Customers who use flash-sale app to access a merchant's store

●  Customers who use payment systems, which allows the customer to store their payment information, for use across different stores

●  Customers who use app to track the status of orders made from a Renudo’s store

 

Although in such cases Renudo’s NY inc. may also separately be a controller of the customer’s personal data, Renudo’s partners processes the personal data of these customers as a controller.

 

3.1. Processor obligations

To comply with the GDPR, generally the processor may only process personal data when authorised to do so by the controller.

 

Where a Renudo’s partners is a processor for a Renudo’s NY inc., it processes personal data on documented instructions from Renudo’s NY inc.. For example, when a Renudo’s NY inc., clicks ​Fulfill items,they give Renudo’s partners the instruction to process the data necessary to perform that action.4

 

Similarly, when a Renudo’s NY inc. selects a particular payment processor, or installs an application through the Renudo’s partners App Store, they give Renudo’s partners the instruction to transmit data to the relevant party.

 

The GDPR also places several other responsibilities on the processor, discussed below:

 

3.1.1. Subprocessing

Processors must notify and obtain consent from their controller when transmitting personal data to a subprocessor. Renudo’s partners uses a number of subprocessors to provide the service, including to:

 

●  Store platform data

●  Operate the forums and other portions of Partner's website

●  Respond to and manage support inquiries

 

When a Renudo’s NY inc. signs up for the Renudo’s partners service, Renudo’s NY inc. consent to allow Renudo’s partners to use subprocessors. A list of subprocessors is available upon request.

 

3.1.2. Data protection impact assessments

Renudo’s partners is formalising the process for conducting data protection impact assessments (DPIAs) any time a change in processing procedure occurs that is likely to result in a high risk to individuals’ privacy rights. Renudo’s partners will help answer reasonable questions a merchant has about Partner’s processing activities.

 

3.1.3. Personal data breach reporting

Processors must notify the controller after becoming aware of a personal data breach resulting from a breach of the processor’s security.

 

Renudo’s partners is committed to ensuring that its incident response program meets the requirements of the GDPR. The specifics of breach notification are handled through a Renudo’s NY inc. contract with Renudo’s partners.

 

3.1.4. Appointment of a Data Protection Officer

Processors must appoint a Data Protection Officer if they conduct certain types of personal data processing. Partner’s Data Protection Officer can be reached at ​renudo@renudo.biz.​ Merchants should consider whether they also need to appoint a Data Protection Officer.5

 

3.2. Controller obligations

Under the GDPR, the controller has the following responsibilities:

3.2.1. Facilitating requests

Controllers are obligated to help data subjects exercise their rights.6 partner’s merchants can do this easily from their admin as detailed in the Data subject rights​ section of this document.

 

3.2.2. Posting a privacy notice

when personal data is collected from a data subject, controllers must provide certain minimum information about the intended processing of the personal data, as well as information about how to contact and identify the controller.7

 

 

Renudo’s NY inc. are responsible for providing this information to their customers. Renudo’s partners provides this information in the partner’s Privacy Policy where it is a controller, and encourages Renudo’s NY inc. to provide this information in their own privacy policies.8

3.3.1. Customers

Renudo’s partners collects the following elements of personal data from customers on behalf of Renudo’s NY inc.:

 

●  Name

●  Shipping and billing addresses

●  IP address

●  Customer email or phone number (required by Renudo’s NY inc.)

●  Company name (required by Renudo’s NY inc.)

●  Information from cookies, stored temporarily as per Renudo’s partners

 

Cookie Policy (for example, which landing page the customer arrived from, how many times the customer has visited the site, device and browser used, and products stored in the cart)9

 

●  Information about the orders customers initiate so that Renudo’s partners may fulfill those orders.

 

If a customer contacts Renudo’s partners for customer support, Renudo’s partners also collects the following information:

 

3.3.2. Telephone support

Renudo’s partners collects:

Phone number
Call audio
Other personal information provided during the call

In accordance with Renudo’s partners Terms of Service, Renudo’s partners may request additional documentation during the call to verify identity.10

3.3.3. Chat support

Renudo’s partners collects:

●  Name

●  Email address

●  Information about the device and browser used

●  Network connection

●  IP address

●  Chat transcript

●  Other personal information provided during the chat

Inaccordancewith ourTerms of Service, Renudo’s partners request additional documentation during the chat to verify identity.11

3.3.4. Forums

Renudo’s partners collects:

●  Name

●  Email address

●  Website URL

●  Other personal information the user may post

3.4.1. Complying with marketing and cookie regulations

Controllers are responsible for making sure that they comply with marketing and cookie regulations in the jurisdictions in which they operate.

 

Renudo’s NY inc. with EU customers should make sure that they obtain appropriate consent for the use of cookies—the ePrivacy Directive generally requires some form of consent in order to use tracking technologies.12

 

Renudo’s NY inc. should similarly make sure that their email marketing practices comply with applicable e-marketing or anti-spam requirements.

 

Information on how Renudo’s partners handles cookies can be found in our Cookie Policy.13

 

3.4.2. Obtaining consent to process children’s data

 

When offering goods or services online directly to children under 16 years of age, the controller is responsible for obtaining verifiable consent from the child's parents for processing their data.14

 

Renudo’s NY inc. are responsible for assessing whether they need to obtain a higher level of consent for certain customers.

 

 

4.0. Legal basis for processing

Personal data cannot be processed except under a recognized legal basis (unless an exemption applies). The GDPR sets out a list of possible legal bases under which personal data may be processed. These reasons include:

 

Consent

 

●  Contractual obligations

●  Legal obligations

●  The public’s interests

●  Legitimate interests of the controller or third party, balanced

 

against the rights of the data subject15

 

Consent ​of the data subject means the data subject has agreed to the processing of their personal data with a clear affirmativeaction.16


This agreement must be:

 

●  Freely given

●  Specific

●  Informed

●  Unambiguous

 

Renudo’s NY inc., as controllers of their customers’ personal data, are responsible for ensuring they have a proper legal basis for doing so, including keeping evidence of consent when processing is based on consent.17

 

As its Renudo’s NY inc. processor, Renudo’s partners is not responsible for Renudo’s NY inc. legal bases but only processes customers’ personal data on behalf of and on the instructions of the Renudo’s NY inc.. In certain cases, however, the law may additionally require consent for certain types of processing (for example, when placing or retrieving cookies on a device). In such cases, the Renudo’s NY inc. is also responsible for obtaining appropriate consent. Upon request, Renudo’s partners will provide Renudo’s NY inc. with any reasonable information they require to obtain consent. Information on the cookies that Renudo’s partners places can be found in our Cookie Policy.18

 

4.1. Data transfers

Personal data of residents of the EEA can only be transferred to recipients outside the EEA if the recipient has adequate protections in place. These protections may include:

 

●  Adherence to domestic laws that have been deemed adequate by the European Commission

●  Negotiated agreements (such as the EU-U.S. Privacy Shield)

●  Contractual protections

●  Approved sets of internal policies (Binding Corporate Rules)

●  Approved codes of conduct or certifications

Renudo’s partners has protections for personal data in every step of its data flow, as described below. The following diagram illustrates Renudo’s partners data transfer structure:

 

4.2.1. Within EEA

EEA personal data is received and initially processed by Renudo’s partners Irish entity, Renudo’s partners International Ltd.

 

4.2.2. EEA to Canada

Data is exported from the EEA to Renudo’s partners Canadian parent entity, Renudo’s partners this export takes place within Renudo’s partners corporate structure.

Data within Renudo’s partners is protected under PIPEDA, Canada’s private sector privacy legislation, which is considered adequate under the GDPR.

4.2.3. United States

Renudo’s partners uses a combination of data centers and cloud service providers to store this personal data in the United States and Canada.

 

When personal data is transferred to the United States, it is either done so through the EU-U.S. and Swiss-U.S. Privacy Shield, for Renudo’s partners own storage, or through contractual data protection addenda (DPAs) with third-party service providers. The EU-U.S. and Swiss-U.S. Privacy Shields are also considered adequate under the GDPR. Renudo’s partners Privacy Shield certification statement can be found on PrivacyShield.gov.20

 

Additionally, Renudo’s partners is in the process of applying for approval of Binding Corporate Rules (BCRs) by the Irish Data Protection Commissioner. After they are approved, Renudo’s partners will rely on these BCRs to protect the personal data that is transferred between Renudo’s partners is a corporate entities worldwide.

 

4.2.4. Disclosures to third parties

Renudo’s partners will never independently sell personal data for commercial purposes. However, Renudo’s partners does disclose personal data to third parties or allow third parties to access personal data to help provide services—for example, to:

●  Store platform data

●  Operate the forums and other portions of Renudo’s partners website

●  Respond to and manage support inquiries

Additionally, Renudo’s partners may provide personal data, where permitted, to prevent, investigate, or respond to:

●  Potential fraud

●  Illegal conduct

●  Physical threats

●  Violations of any agreements with Renudo’s partners

Renudo’s partners also provides information to third parties when legally required to do so. Where Renudo’s partners believes it is legally required to provide information, and not legally prohibited from disclosing the existence of the legal order, it will notify the data subject and give the data subject a chance to seek a protective order.

More information on when Renudo’s partners discloses personal data will soon be provided on Renudo’s partners website under the heading Guidelines for Legal Requests for Merchant or Customer Data​.

4.2.5. Renudo’s partners ecosystem

Renudo’s NY inc. agrees to use a third-party service provider such as a payment processor, a sales channel, or an app that is not controlled by

Renudo’s partners, the respective service provider’s use of personal data is controlled by the Renudo’s NY inc. agreement with the provider. Renudo’s partners is not responsible for the data practices of these third-party service providers, and Renudo’s NY inc. should carefully evaluate these service providers as they would any third party.

Renudo’s partners recognises that it might be difficult Renudo’s NY inc. to obtain enough information from these service providers to conduct a careful evaluation. Renudo’s partners is working with these providers to make sure that they make information available to Renudo’s NY inc. about their data practices.

4.2.6. App Store disclosures

Similarly, Renudo’s partners is requiring all apps on the Renudo’s partners App Store to post disclosures about how the app handles personal data, but Renudo’s partners is not responsible for any app’s data collection or use, or for how the Renudo’s NY inc. uses the app. The Renudo’s NY inc. is responsible for reviewing these disclosures and to ensure that their use of the app complies with the laws of the jurisdictions in which the Renudo’s NY inc. operates or where it has customers.

 

 

5.0. Data subject rights

The GDPR provides data subjects (in this case, customers) with certain rights over their personal data. Generally, data subject requests must be addressed within one month, unless they are exceptionally complex or numerous.21 The following rights are granted to data subjects.

 

5.1. Erasure

Data subjects have the right to request that their personal data be erased in certain circumstances.

 

If a Renudo’s NY inc. receives a request from a customer to erase their personal data the Renudo’s NY inc. should:

 

●  Verify that the requester is the same as the data subject (that is, the requester is not asking to erase someone else’s personal data)

●  Confirm there is no legal reason to preserve this data

 

If both conditions are satisfied, Renudo’s NY inc. should navigate to the customer’s page in their admin, and click “Remove Personal Data”. This button is available to the Account Owner only.

 

After a request is received, Renudo’s partners will ensure that the relevant personal data is erased. Renudo’s partners will also send requests to the apps and channels that the Renudo’s NY inc. has installed to similarly redact that customer’s data. If erasing it is impossible, Renudo’s partners will let Renudo’s NY inc. know to what degree it is impossible, and why.

 

In addition to contacting Renudo’s partners, the Renudo’s NY inc. should also work with any relevant third parties to make sure that they delete or anonymise the personal data.

 

Renudo’s partners will email the Renudo’s NY inc. once the redaction is complete. Renudo’s NY inc. can then notify the customer.

 

5.1.1. Timing

Once an erasure request is submitted, Renudo’s NY inc. has a ten day grace period in which to cancel the request. To cancel the request, Renudo’s NY inc. can emailed ​Renudo’s partners and specify which customer’s redaction request should be cancelled.

 

Personal data will not be erased from Renudo’s partners if the customer has made an order within the last 180 days (the usual window in which a customer can make a chargeback). However, Renudo’s partners will log the erasure request, and automatically erase the data once this time has passed. If Renudo’s NY inc. wishes to override this 180 day hold, they may emailed​ to waive the waiting period.

 

If the customer makes another purchase after their information has been redacted, a new customer account will be created.

 

5.1.1. Scope

 

When processing a request for erasure, Renudo’s partners will anonymise the personal data of the customer, but keep non-personal data such as revenue information and order details. Order details that are retained include the gateway used to process payment, time of sale, amount paid, currency, subtotal, shipping cost, taxes added, shipping method, item quantity, item name, SKU, and payment method.

 

If no data erasure requests are received, Renudo’s partners will keep data for the lifetime of a store, and purge personal data within 90 days after a store is closed.

 

5.2. Access

Controllers must, upon request, explain to data subjects how their personal data is processed and provide access to this personal data.

 

If Renudo’s NY inc. cannot export data sufficient to fulfill the request from their admin, they can request the information from Renudo’s partners. Similar to a request for erasure, if a customer requests access to their personal data, the merchant should first validate the identity of the requester.

 

To submit a request, the merchant can navigate to the customer’s page in their admin, and click “Send Customer Data”.

 

When Renudo’s partners receives the request, it will:

●  Confirm whether personal data about a customer is being processed by Renudo’s partners

●  Confirm what categories of data are being processed by Renudo’s partners

●  Provide the customer or Renudo’s NY inc. with the relevant information

 

from Renudo’s partners systems

 

5.3. Data portability

Controllers who process data using automation must, in limited circumstances, provide data subjects with their personal data upon request. This data must be provided in a commonly used and machine-readable format.

Renudo’s NY inc. may export some data directly from their store’s admin page. Many data types can be exported to common formats such as Excel or CSV with one click:

 

●  Transaction histories

●  Payouts

●  Product lists

●  Customer lists

 

In addition, Renudo’s NY inc. contacts Renudo’s partners to request copies of processed data, Renudo’s partners will make the data available in a common format.

 

5.4. Rectification

Data subjects have the right to correct incomplete or inaccurate personal data held or processed by a controller.22

Renudo’s partners platform allows Renudo’s NY inc. to change customer records directly from their store admin.23

 

5.5. Automated decision-making

Data subjects have the right to object to processing based solely on automated decision-making (which includes profiling), when that decision-making has a legal effect on the data subject or otherwise significantly affects them.24 An example of a legal effect is a decision that impacts an individual’s legal or civil rights, or their rights under a contract. Examples of significant effects include decisions that have a financial impact on individuals, or impact their employment.

 

Renudo’s partners does not currently engage in fully automated decision-making that has a legal or otherwise significant effect using customer data.

 

Services that include elements of automated decision-making are highlighted in the table below:

 

Service

Implementation details

Temporary blacklist of IP addresses associated with repeated failed transactions

Persists for a small number of hours.

 

Temporary blacklist of credit cards associated with blacklisted IP addresses

Persists for a small number of days.

 

6.0. Data protection and security

Under the GDPR, controllers and processors are required to implement appropriate technical and organisational measures.25

 

Renudo’s partners has implemented many of the controls and processes identified in the GDPR, including:

 

●  Anonymising and encrypting personal data

●  Ensuring confidentiality, integrity, availability, and resilience of processing systems

●  Restricting who may access personal data

●  Ensuring availability and access to personal data in the event of a physical or technical incident

●  Performing regular testing, assessments, and evaluation of technical and organisational security measures

 

6.1. Organisational measures

Renudo’s partners has a robust, cross-functional data protection program that is integrated with its information security program and includes several teams across the organisation. In particular, the data protection program includes a designated Data Protection Officer, who reports to senior management, as well as individuals from:

Internal Security Legal

●  Legal Operations

●  Production Security

●  Processing Integrity

6.2.0. Technological measures

6.2.1. Monitoring and logging

Controllers—and where applicable, their representative—must maintain records of the personal data processing activities for which they are responsible.

Renudo’s partners maintains system and application logs relating to events and access to certain systems used for the processing of personal data. These logs are stored on log servers for approximately a month, and then moved to offsite backup locations, where they remain available for at least 12 months.

 

6.2.2. Security controls

Renudo’s partners encrypts data sent to and from merchants and customers using the HTTPS protocol.

 

Renudo’s partners also encrypts any sensitive stored information, and salts and hashes Renudo’s NY inc. and customer passwords using bcrypt.

 

Renudo’s NY inc. can also set up additional security features. An account holder can take the following actions from their Renudo’s partners admin:

 

●  Enable multi-factor authentication for staff

●  Define, to a certain extent, what personal data is collected from customers

●  View certain activity logs, including recent login activity by staff

Set role-based permissions for staff accounts

 

6.2.3. Security standards and certifications

Renudo’s NY inc. and all online stores powered by Renudo’s partners are Level 1 PCI-DSS compliant.26

Renudo’s partners uses third-party data centers with industry-standard certifications. Examples include:

 

●  Tier III

●  ISO 27001 PCI-DSS

 

SOC reports for all facilities, which include physical protections, can be provided to Renudo’s NY inc. on request under an appropriate NDA.

 

 

7.0. Contractual agreements and data processing addenda

Renudo’s partners Terms of Service, Data Processing Addendum, Privacy Policy, and Acceptable Use Policy can be found at TERMS

7.1. Renudo’s partners plans

Renudo’s NY inc. relationship with Renudo’s partners is governed by Renudo’s partners online Terms of Service, Renudo’s partners has automatically incorporated a Data Processing Addendum, which will apply to its processing of personal data. Just as Renudo’s partners is not able to negotiate its Terms of Service, it is not able to negotiate this Data Processing Addendum.

 

 

8.0. Accountability and transparency

8.1. Renudo’s partners is compiling data for a transparency report, to be released at the end of 2018.

 

8.2.1. laws

Contact a local lawyer who specializes in privacy or data protection law.

8.3.1. Contact for more information on Renudo’s partners practices

 

Contact:​ renudo@renudo.biz.​

 

8.4.1. Renudo’s partners to host, business comply with GDPR

Not automatically. While Renudo’s partners operations will comply with the GDPR, and Renudo’s partners will provide tools to help its Renudo’s NY inc. comply, it is the responsibility of each Renudo’s NY inc. to ensure that its business is compliant with the laws of the jurisdiction in which it operates.

 

Using Renudo’s partners platform alone does not guarantee that a company complies with the GDPR.

 

8.5.1. Renudo’s partners sign Standard Contractual Clauses

No. As described in the ​Data transfers section of this document, Renudo’s partners has structured its data flows so that Renudo’s NY inc. transfer data to Renudo’s partners Irish affiliate within Europe. For that reason, Standard Contractual Clauses are not appropriate, as they are approved for transfers between a European party and a non-European party.

 

In addition, regarding transfers directly to Renudo’s partners, Renudo’s partners would rely in such cases on the European Commission’s adequacy decision regarding Canada’s privacy law, which extends to Renudo’s partners as a Canadian corporation.

 

 

1 G​ eneral Data Protection Regulation, Article 4(1).

2 General Data Protection Regulation, Article 4(7).

3 General Data Protection Regulation, Article 4(8).

4 Renudo’s NY inc., can place Legal Data Processing Addendum.

5 General Data Protection Regulation, Article 37.

6 General Data Protection Regulation, Article 12(2).

7 General Data Protection Regulation, Article 13.

8see Renudo’s NY inc. Privacy.

9see Renudo’s NY inc. Cookies.

10 see Renudo’s NY inc. Terms.

11 see Renudo’s NY inc. Terms.

12 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Will be replaced by the ePrivacy Regulation.

13 see Renudo’s NY inc. Cookies.

14 General Data Protection Regulation, Article 8. Individual member states may lower the age of consent.

15 General Data Protection Regulation, Article 6.

16 General Data Protection Regulation, Article 4(11).

17 General Data Protection Regulation, Article 7(1).

18 see Renudo’s NY inc. Cookies

19 P​ursuant to the European Commission’s adequacy decision 2002/2/EC​. Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539), online at: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002D0002&qid=1415699250815.​


20 See:​ https://www.privacyshield.gov/participant?id=a2zt0000000TNSNAA4.

21 General Data Protection Regulation, Article 12(3).

22 General Data Protection Regulation, Article 16.

23 However, current orders cannot be modified.

24 General Data Protection Regulation, Article 21.

25 General Data Protection Regulation, Article 25, 32.

26 See: see Renudo’s NY inc. Terms ​.