Part of the stipulations for GDPR are -
- Firms of over 250 employees must employ a Data Protection Officer (DPO). This person is responsible for ensuring that a business collects and secures personal data responsibly.
- GDPR will also apply to small businesses under 250 employees if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in GDPR Article 9.
So, my small business of less than 250 employees (ie. myself!) takes orders from ebay, manufactures and ships them, and then marks them as dispatched in ebay. End of story. The only data pertaining to those customers of mine exists solely on the ebay servers after I have done with it. Who is responsible for GDPR?