GDPR for E-commerce Online Shops: Important Guidelines


The General Data Protection Regulation (GDPR) has revolutionized data protection law in the European Union and presents e-commerce companies with new challenges. This article explains the most important guidelines of the GDPR for online shops and provides practical tips for implementation.

What is the GDPR?

  • Definition and objectives

    The General Data Protection Regulation (GDPR) is a European Union regulation that came into force on May 25, 2018. Its main objective is to strengthen the protection of personal data within the EU while ensuring the free movement of data within the internal market. The regulation replaces the previous Data Protection Directive of 1995 and ensures that data processing is transparent and secure. Companies are obliged to protect the privacy and rights of users by establishing and implementing clear data processing policies. This includes the obligation to inform users about the collection and use of their data (Articles 13 and 14 GDPR), obtaining users’ consent (Article 7 GDPR) and granting them the right to access, correct or delete their data (Articles 15 to 17 GDPR).

    The GDPR also stipulates that companies must take technical and organizational measures to ensure the security of data and prevent data breaches (Article 32 GDPR). These include measures such as pseudonymization and encryption of personal data. In the event of a data breach, companies must notify the competent supervisory authority within 72 hours (Article 33 GDPR). These regulations are intended to ensure that personal data is only processed under the strictest security precautions in order to guarantee the protection of users’ privacy and to strengthen trust in the digital single market.

  • Importance of GDPR for e-commerce

    E-commerce companies process a large amount of personal data, whether for processing orders, customer service or marketing purposes. The GDPR sets strict requirements for the processing of this data and requires companies to take comprehensive measures to protect data. For e-commerce companies, this means that they must ensure that all data collected is processed lawfully, transparently and for the intended purpose (Article 5 GDPR). They must provide clear and understandable privacy statements in which they explain the nature and purpose of the data processing (Article 12 GDPR). In addition, they are obliged to obtain the consent of users before using personal data for marketing purposes (Article 6 GDPR).

    Technical security measures, such as encrypting data and implementing access controls, are also required to protect data from unauthorized access (Article 32 GDPR). Compliance with the GDPR is not only a legal obligation, but also helps to gain customer trust and strengthen the company’s reputation. Companies must also ensure that they are able to handle requests from users regarding their data protection rights, including the right to information, rectification and erasure (Articles 15 to 17 GDPR). The GDPR thus creates a basis for the responsible handling of personal data and promotes a high level of data protection awareness throughout the e-commerce industry.

Legality of data processing

  • User consent
    One of the most important requirements for lawful data processing is the user’s consent. This must be voluntary, informed and unambiguous (Article 7 GDPR). Users must be informed clearly and comprehensibly about which data is processed for which purpose. Consent must be given in an easily accessible form and users have the right to withdraw their consent at any time. Without valid consent, data processing is not permitted and can result in significant fines. Companies must therefore ensure that they obtain verifiable and documented consent from users.
  • Contract fulfillment
    Data may also be processed if this is necessary to fulfill a contract (Article 6(1)(b) GDPR). This is the case, for example, if an online shop needs a customer’s delivery address to deliver an order. Such data processing is essential in order to fulfill contractual obligations to the customer. Without this data, contract fulfillment would not be possible and the contract could not be processed properly. However, companies must ensure that processing is limited to what is necessary and that no superfluous data is collected.
  • Legal obligation
    In some cases, the processing of personal data may also be based on a legal obligation (Article 6(1)(c) GDPR). This is often necessary to meet tax or accounting requirements. Companies need to process this data to comply with legal requirements and avoid penalties. Examples include retaining invoices and transaction data for tax audits. Companies are obliged to store this data securely and to ensure that it is only kept for the period required by law.

Information obligations toward users

Privacy policy

Every e-commerce company must provide a privacy policy on its website. This must explain clearly and comprehensibly which data is processed for what purpose and what rights users have.

Transparent data processing

The GDPR requires transparency in data processing. Users must be able to understand at any time how and why their data is processed. This also includes information about the duration of data storage and the recipients of the data.

Rights of the persons affected

  • Right to information
    Users have the right to request information about the data stored about them. Companies must provide detailed information about the data processed, the purpose of processing and the recipients of the data upon request.
  • Right to rectification
    Users can request the rectification of incorrect or incomplete data. Companies must make the necessary corrections immediately.
  • Right to erasure (right to be forgotten)
    Under certain circumstances, users have the right to request the erasure of their data. This applies in particular when the data is no longer necessary for the purposes for which it was collected or when consent has been withdrawn.
  • Right to data portability
    Users have the right to receive their data in a structured, common and machine-readable format and to transmit it to another provider.

Data security and technical measures

Pseudonymization and encryption

To ensure data security, companies should use measures such as pseudonymization and encryption (Article 32 GDPR). These technologies help protect data against unauthorized access by minimizing the identifiability of the data. Pseudonymization makes the data unintelligible to third parties, while encryption ensures that only authorized parties have access to the data. These measures are crucial to reduce the risk of data breaches and maintain the confidentiality of personal data.

Access controls

It is important that only authorized employees have access to personal data (Article 32 GDPR). Companies should implement strict access controls and regular audits to ensure that only authorized personnel can access sensitive information. This includes the use of password protection, two-factor authentication, and other security protocols. Regular reviews and audits help identify and close security gaps before they can be exploited. These measures significantly reduce the risk of unauthorized data access.

Contract processing and third parties

Contracts with processors

If companies pass on data to third parties, such as service providers who process the data on their behalf, they must ensure that they also comply with the GDPR requirements (Article 28 GDPR). This requires the conclusion of data processing contracts that clearly regulate how the data may be processed. The contract must ensure, among other things, that the data processor takes appropriate technical and organizational measures to protect the data. In addition, the processor must be obliged to process the data only on documented instructions from the controller.

Transfer of data to third countries

The transfer of personal data to countries outside the EU is only permitted under certain conditions (Article 44 GDPR). Companies must ensure that an appropriate level of data protection is guaranteed, for example through standard contractual clauses or binding corporate rules. These measures are intended to ensure that the data is adequately protected even in countries with less strict data protection laws. Without these protective mechanisms, the transfer cannot take place lawfully and could result in significant fines.

Data protection obligations of third parties

It is crucial that third parties that process personal data on behalf of a company adhere to strict data protection obligations (Article 28(3) GDPR). This means that they may only act on documented instructions from the company and must take appropriate technical and organizational measures to protect the data. These obligations should be set out in detail in the data processing agreements. In addition, third parties must be regularly audited to ensure that they continuously comply with data protection requirements.

Regular reviews and audits

Companies should conduct regular reviews and audits of data processors to ensure that they comply with GDPR requirements (Article 28(3)(h) GDPR). These audits help to identify potential security gaps and ensure that the contractually agreed data protection measures are actually implemented. Companies should have documented procedures for these reviews and take corrective measures if necessary. Regular audits strengthen confidence in data security and minimize the risk of data breaches.

Cookie policy and tracking

Obligation to consent to cookies

Cookies that store personal data or track user behavior may only be set with the user’s explicit consent. Consent must be obtained and documented in advance.

Opt-out mechanisms

Users must have the option to withdraw their consent and object to the use of cookies at any time. This should be simple and user-friendly.

Data Protection Impact Assessment (DPIA)

Companies must carry out a data protection impact assessment if data processing is likely to result in a high risk to the rights and freedoms of data subjects. This helps to identify potential data protection risks at an early stage and to take appropriate measures.

Reporting obligations in the event of data breaches

In the event of a data breach, companies must inform the relevant supervisory authority immediately, but no later than within 72 hours. Affected users must also be notified if the data breach poses a high risk to their rights and freedoms.

Fines and sanctions

Failure to comply with GDPR can result in significant fines, up to €20 million or 4% of a company’s annual global turnover, whichever is higher. It is therefore essential to take GDPR requirements seriously and implement them.

Best practices for e-commerce businesses

  • Regular training
    Employees should be regularly trained on data protection issues (Article 39(1) GDPR). This ensures that everyone involved understands the importance of data protection and implements the policies correctly. Training helps to raise awareness of data protection and ensure that employees are informed of the latest legal requirements and internal policies. Regular training helps to minimize errors and reduce the risk of data breaches.
  • Internal data protection policies
    Companies should implement clear data protection policies and procedures (Article 24 GDPR). These policies must be regularly reviewed and updated as necessary to comply with the latest legal requirements. Internal data protection policies define how personal data is collected, used, stored and protected. They are an essential tool to ensure that all employees adhere to the same standards and that data protection requirements are implemented consistently.
  • Data security and encryption
    Data security is a central part of the GDPR (Article 32 GDPR). E-commerce companies should ensure that all personal data is protected by encryption techniques. This applies to both the transmission and storage of the data. Encryption helps to protect the data from unauthorized access and ensures that even in the event of data loss, the information cannot be easily read or used.
  • Pseudonymization
    Pseudonymization is a technique that helps protect personal data by making it more difficult to directly identify individuals (Article 32 GDPR). E-commerce companies should use this technique to increase data security. By separating personal data and its identification features, the risk of data misuse can be significantly reduced. This is especially important when processing large amounts of data.
  • Regular security reviews
    Regular security reviews and audits are crucial to ensure that the data protection measures taken are effective (Article 32(1) GDPR). E-commerce companies should regularly review their IT infrastructure and data processing processes to identify and fix vulnerabilities. This includes reviewing access controls, encryption techniques and other security measures. Regular audits help to ensure compliance with the GDPR and build customer trust.
  • Access controls
    Only authorized employees should have access to personal data (Article 32 GDPR). Companies should implement strict access controls to ensure that only authorized personnel can access sensitive data. This can be achieved through password protection, two-factor authentication and other security mechanisms. Regular reviews and updates of access controls are necessary to ensure data security.
  • Data Protection Impact Assessment (DPIA)
    A data protection impact assessment (DPIA) is required if the data processing is likely to result in a high risk to the rights and freedoms of the data subjects (Article 35 GDPR). E-commerce companies should carry out a DPIA to identify potential risks at an early stage and take appropriate measures. This helps to prevent data breaches and ensure that all data protection requirements are met.
  • Data breach contingency plans
    E-commerce companies should develop and implement data breach contingency plans (Article 33 GDPR). These plans should include procedures for quickly identifying, assessing and reporting data breaches to the relevant authorities and data subjects. A well-thought-out contingency plan can help minimize damage and maintain customer trust. Regular testing and updating of the contingency plan is essential.
  • Data processing contracts
    When working with third parties, e-commerce companies must ensure that they comply with the GDPR (Article 28 GDPR). This requires the conclusion of data processing contracts that clearly specify how the data may be processed. The contract must ensure that the processor takes appropriate technical and organizational measures to protect the data. Regular reviews and audits of the processors are also necessary.
  • Data protection by design and by default
    E-commerce companies should integrate data protection into their systems and processes from the outset (Article 25 GDPR). This means that technical and organizational measures must be taken to take data protection into account already in the development phase of IT systems. Data protection-friendly default settings should ensure that only the most necessary data is collected and processed by default. This practice helps to ensure compliance with the GDPR and strengthen user trust.
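As an added illustration of the pseudonymization described in the sections on pseudonymization and encryption and on best practices (this is example code, not code from the article or from Globeria Consulting), the following Python sketch keeps the HMAC key and the identity mapping in a separate, access-controlled store, so order records carry only a pseudonym, re-identification needs the store, and erasure is done by dropping the mapping entry. The sample orders, the key and the `PseudonymStore` class are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample orders (not real customer data).
ORDERS = [
    {"order_id": 1001, "email": "anna@example.com", "name": "Anna Example",
     "address": "Musterstr. 1, 10115 Berlin", "total_eur": 49.90, "items": ["shoes"]},
    {"order_id": 1002, "email": "anna@example.com", "name": "Anna Example",
     "address": "Musterstr. 1, 10115 Berlin", "total_eur": 19.00, "items": ["socks"]},
    {"order_id": 1003, "email": "ben@example.com", "name": "Ben Example",
     "address": "Beispielweg 2, 60311 Frankfurt", "total_eur": 120.00, "items": ["jacket"]},
]

# Fields that directly identify a person and therefore leave the order table.
DIRECT_IDENTIFIERS = ("email", "name", "address")


class PseudonymStore:
    """Constructed example: the key and the pseudonym-to-identity mapping must
    be held separately from the order/analytics database (Art. 4(5), Art. 32)."""

    def __init__(self, key: bytes):
        self._key = key
        self._mapping: dict[str, dict] = {}

    def pseudonym_for(self, email: str) -> str:
        # Keyed HMAC: the same customer always maps to the same pseudonym, but
        # without the key the pseudonym can be neither reversed nor recomputed.
        return hmac.new(self._key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

    def pseudonymize(self, order: dict) -> dict:
        pid = self.pseudonym_for(order["email"])
        self._mapping.setdefault(pid, {k: order[k] for k in DIRECT_IDENTIFIERS})
        return {"pseudonym": pid, **{k: v for k, v in order.items() if k not in DIRECT_IDENTIFIERS}}

    def reidentify(self, record: dict) -> dict:
        # Only code with access to this store can attach a name to an order again.
        identity = self._mapping[record["pseudonym"]]
        return {**identity, **{k: v for k, v in record.items() if k != "pseudonym"}}

    def erase(self, email: str) -> bool:
        # Right to erasure: dropping the mapping leaves the order rows non-attributable.
        return self._mapping.pop(self.pseudonym_for(email), None) is not None

    def export(self, email: str, records: list[dict]) -> str:
        # Right to data portability: machine-readable copy of one customer's data.
        pid = self.pseudonym_for(email)
        return json.dumps([self.reidentify(r) for r in records if r["pseudonym"] == pid], indent=2)


if __name__ == "__main__":
    store = PseudonymStore(b"constructed-demo-key-keep-in-a-kms")  # placeholder key
    table = [store.pseudonymize(o) for o in ORDERS]
    print(json.dumps(table, indent=2))            # what analytics staff may see
    print(store.export("anna@example.com", table))  # Art. 20 export for one customer
    print(store.erase("anna@example.com"))        # True: Anna's rows are now unlinkable
```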

Common mistakes and how to avoid them

  1. Inadequate privacy policy: An incomplete or difficult to understand privacy policy can lead to warnings. Make sure that your privacy policy presents all the required information clearly and understandably.
  2. Lack of consent for cookies: Do not set cookies without the explicit consent of users. Implement a suitable consent management tool.
  3. Lack of data security: Avoid security gaps through regular audits and the implementation of technical protection measures such as encryption and access controls.


The GDPR places high demands on e-commerce companies, but also offers the opportunity to strengthen customer trust. By implementing the GDPR guidelines, companies can not only minimize legal risks, but also improve their reputation.


1. What happens if an online store does not comply with the GDPR? Failure to comply with the GDPR can result in significant fines of up to 20 million euros or 4% of annual global turnover.

2. Do all cookies have to obtain the consent of the user? Yes, all cookies that store personal data or track user behavior require the explicit consent of the user.

3. How can users withdraw their consent to cookies? Users should have the opportunity to withdraw their consent at any time, for example through an opt-out mechanism on the website.

4. What is a data protection impact assessment (DPIA)? A DPIA is an evaluation of the risks that data processing poses to the rights and freedoms of data subjects. It helps to identify potential data protection risks at an early stage and to take appropriate measures.

5. How can e-commerce companies ensure data security? Companies should implement technical measures such as pseudonymization, encryption and access controls to ensure the security of data.

Globeria Consulting GmbH stands out as one of the leading GDPR service providers in Germany and offers comprehensive solutions through certified data protection officers (DPOs). Our services cover the entire spectrum of GDPR compliance and ensure that your company meets all legal requirements efficiently. Rely on our expertise for unparalleled data protection and privacy management.

© 2024 Globeria Consulting GmbH. All rights reserved.