GDPR Support

GDPR are the data protection regulations for companies operating in the UK and EU. Move Fresh is a data processor under the GDPR and helps clients comply with their obligations.

As part of the contract there will be a Data Processing Agreement which meets the requirements of both GDPR and UK GDPR.

The first decision is on data retention. There is a requirement that data is not retained longer than it needs to be. Typically the personal data retention period will depend on:

• Traceability of products and lots is required in case there is a recall with consideration given to maximum shelf life.
• Auditors may need to check transactions before accounts are signed-off.
• Operational need to check sales and courier tracking for customer service and perhaps for any refunds.

The data retention period will be different for each client but taking these points into account, two years is a typical period.

Customers, known as “data subjects” in the language of GDPR have a right to redact personal information. This means their name, postal address, email and phone number will need to be removed from the database.

There are three methods that are supported for redaction.

For clients using the Shopify integration, the GDPR redaction process is automated, and any customer who requests a redaction in Shopify will have it automatically processed.

For clients using our API there is a GDPR redaction method that can be called on any order which will redact the personal details.

Finally, other clients using other platforms can search for the relevant orders on the web app and click on the Redact button.

Note that we retain backups for 21 days, so it will be 21 days after any deletion before the data is fully removed from our systems.