Model Merchant DPIA — PriceMux Installation
How to use this template. Sections marked PRE-FILLED are accurate for any merchant of PriceMux and need no change. Sections marked MERCHANT TO FILL depend on your own controller-level facts. This is a template for your Art. 35 DPIA where you act as controller; it is not legal advice.
1. Nature, Scope, Context, Purpose (Art. 35(7)(a))
PRE-FILLED. PriceMux receives, via Shopify webhooks, order-level metadata and persists only four fields per order: order ID (opaque Shopify GID), POS-channel boolean (derived from a cart attribute), shop ID, and timestamp. Other order-level fields present in the webhook payload (line items, shipping lines, taxes, addresses) are not extracted, stored, or further processed. No customer-identifying data is received or stored by PriceMux. PriceMux is Shopify Protected Customer Data Level 1.
MERCHANT TO FILL:
- Your customer base size and geographies:
- Your shopper notice / privacy policy URL:
- Whether your pricing rules differentiate prices by customer attribute:
- Whether you operate POS channels and where:
2. Necessity and Proportionality (Art. 35(7)(b))
PRE-FILLED. PriceMux’s data categories are minimised to those strictly required to evaluate pricing rules and enforce subscription tiers.
MERCHANT TO FILL. Document why PriceMux-enabled differential pricing is necessary and proportionate to your commercial purpose, and how your shopper-facing notice describes any rule-driven price variation.
3. Lawful Basis (Art. 6)
MERCHANT TO FILL. Most merchants will rely on Art. 6(1)(b) contract performance. If using PriceMux for promotional or loyalty pricing tied to shopper segmentation, you may need an additional basis. Consider also Art. 6(1)(f) legitimate interests for tier enforcement.
4. Special Categories and Automated Decisions
PRE-FILLED. PriceMux processes no Art. 9 special-category data and performs no Art. 22 automated decision-making with legal effects on the data subject.
MERCHANT TO FILL. Confirm your own pricing rules do not infer special-category attributes and do not produce legal effects.
5. Risks to Data Subjects (Art. 35(7)(c))
PRE-FILLED — PriceMux side. See PriceMux Processor DPIA §3 (sub-processor breach; misconfiguration; retention overshoot; Orlando single-site loss). All assessed Low to Low–Medium.
MERCHANT TO FILL — your side: (a) shopper surprise from price variation; (b) inadvertent discrimination through rule design; (c) failure to surface rule-driven pricing in your shopper notice.
6. Mitigations (Art. 35(7)(d))
PRE-FILLED — PriceMux side:
- TLS 1.2+ in transit, AES-256 at rest, HMAC-verified webhooks, automated retention.
- Sub-processors bound by SCC Module 3 / UK IDTA Addendum VERSION B1.0 / NZ adequacy.
- Shopify compliance webhooks honoured.
- Retention: raw per-order rows kept up to 13 months (12-month rolling window plus a reconciliation buffer of up to 30 days); deleted thereafter by the automated retention worker.
MERCHANT TO FILL — your side:
- Your shopper-facing privacy notice mention of rule-driven pricing:
- Your DSR process for PriceMux-touching requests:
- Your retention schedule reconciliation:
7. Cross-Border Transfers (Chapter V)
PRE-FILLED. PriceMux relies on (a) the Shopify-provided SCC mechanism (Shopify DPA Appendix C §II(B)(8)) for the upstream Shopify → PriceMux leg, and (b) EU SCCs Module 3 / UK IDTA / NZ adequacy for onward transfers to sub-processors.
MERCHANT TO FILL. Confirm acceptance of Shopify DPA and PriceMux DPA. If subject to additional sectoral transfer rules, document them.
8. Stakeholder Consultation (Art. 35(9))
MERCHANT TO FILL. Note any consultation with shoppers or shopper representatives, or document why disproportionate.
9. Outcome and Approval
MERCHANT TO FILL. Decision: proceed / proceed with mitigations / consult supervisory authority. Approver name, role, and date.
10. Review Cadence
MERCHANT TO FILL. At least annually; on rule-design changes; on PriceMux sub-processor list changes.