GDPR Compliance – Our commitment to data privacy

What is the GDPR?

The EU General Data Protection Regulation (GDPR) will become effective on 25th May 2018 bringing new global data protections for individuals of the European Union (EU). The GDPR will replace the EU Data Protection Directive and is intended to harmonise data protection laws throughout the EU with a single data protection law.
GDPR applies to all organisations established in the EU and any organisations that process the personal data of EU subjects in connection with offering goods or services in the EU.

How have ECOM been preparing for GDPR?

In early 2017, ECOM began a full research process into GDPR and how it would affect ECOM and our customers. We consulted with internal and external counsel to understand the GDPR legal requirements. ECOM has also performed a Data Protection Impact Assessment to determine compliance with security requirements of GDPR.
Throughout 2017, ECOM made a number of product changes, policy updates and internal process changes in anticipation of GDPR. ECOM are committed to being GDPR complaint when it becomes enforceable in May of 2018.

What is ECOM doing?

Ensuring all ECOM employees continue to undertake mandatory data handling training. All ECOM employees are required to participate in the training program even if their role doesn’t require them to handle customer data.

Ensuring our vendors continue to adhere to the same high standards of security and privacy as ECOM.
Maintaining our no transfers out of the EU commitment for EU customers. ECOM does not transfer data out of the customer’s chosen geographical region. Data backups and redundancy sites all remain within the same geographical region.

Is ECOM a Data Processor or Data Controller?

ECOM operates as both a Data Controller and Data Processor when considering GDPR compliance:
ECOM is a controller in respect of individuals interacting with our business such as website visitors, customers and prospective customers of ECOM.
ECOM is also the processor in respect of our own data and that of our customers whose data we receive from users of our services. In some specific customer agreements, ECOM can also be a sub-processor.

What Personal Data does ECOM process for its customers?

ECOM processes customers Personal Data to provide products and services and for other limited purposes as defined in our Privacy Policy.

How does ECOM deal with Subject Access Requests (SAR)?

If the Subject Access Request relates to data processed, stored or hosted within our services, ECOM will refer the Subject Access Request to our customer – the data controller. ECOM will assist with requests made by our customers in relation to such Subject Access Requests.
Subject Access Requests received in relation to ECOM’s business will receive a response within 30 days of receipt. Subject Access Requests can be made at or in writing to:

Attn: Legal
ECOM UK Limited
2-3 Hovefields Lodge
Hovefileds Avenue,
Burnt Mills, Basildon,
Essex SS13 1EB

As a customer of ECOM, what action should we take?

As a customer of ECOM, you are a data controller and ECOM is acting as a processor for your data. In preparation for GDPR you should consider undertaking the following steps:
• You should ensure that your Terms of Service and/or Privacy Policy are up to date.
• Perform your own research, modelling, vendor audit, and strategy steps at your company to ensure you understand GDPR as it applies to your business.
• Obtain an updated Data Processing Agreement which is available upon request from

Contact Us

If you have any questions about GDPR, please contact If you are an employee of an ECOM customer, please contact your employer.