GDPR in E-Commerce — A Complete Guide to Online Shop Obligations
Running an online shop involves intensive personal data processing at every stage — from account registration, through order fulfilment, to marketing and after-sales service. At the same time, e-commerce is a sector where UODO and European supervisory authorities are increasingly active in conducting audits, and customers are increasingly exercising their GDPR rights.
This article covers all key GDPR obligations that an online shop must fulfil — from the privacy policy, through cookies and newsletters, to profiling and handling customer requests.
What Data Does an Online Shop Process?
A typical online shop processes diverse categories of personal data:
Registration data — first name, surname, email address, password, phone number (when creating an account).
Transaction data — delivery address, billing address, tax ID (for businesses), payment data (though card data is usually processed by the payment operator, not the shop).
Behavioural data — order history, products viewed, time spent on site, clicks, shopping cart contents. This data is collected by analytics tools (Google Analytics, Hotjar) and recommendation engines.
Marketing data — newsletter consents, communication preferences, customer segmentation.
Customer service data — email correspondence, chat, complaints, returns.
Cookie data — cookie identifiers, IP address, device and browser information.
The scope of processed data is broad — and each category requires a separate analysis of its legal basis, purpose, and retention period.
Legal Bases for Processing in E-Commerce
An online shop uses several legal bases simultaneously:
Contract performance (Article 6(1)(b) GDPR) — processing data necessary for order fulfilment: name, surname, delivery address, contact details, billing information. This is the primary legal basis for most e-commerce operations.
Legal obligation (Article 6(1)(c) GDPR) — retaining data for tax and accounting purposes (tax law, accounting law). Invoices and accounting documents must be retained for 5 years from the end of the tax year.
Consent (Article 6(1)(a) GDPR) — newsletter, email marketing, analytics and marketing cookies. Consent must be voluntary — it cannot be a condition of placing an order.
Legitimate interest (Article 6(1)(f) GDPR) — direct marketing to existing customers (but only to a limited extent and with the right to object), pursuing claims, fraud prevention, business analytics on anonymised data.
Most common mistake: relying on consent where the correct basis is contract performance. If data is necessary for order fulfilment, there is no need to ask the customer for “consent to process data for order fulfilment” — the basis is the contract, not consent.
Privacy Policy — What It Must Contain
Every online shop must have a privacy policy meeting the requirements of Article 13 GDPR. The policy should cover:
Identity and contact details of the controller — full company name, address, tax ID, contact details.
DPO contact details — if designated.
Purposes and legal bases of processing — separately for each purpose: order fulfilment (contract), marketing (consent), accounting (legal obligation), cookies (consent or legitimate interest).
Data recipients — courier companies, payment operators, hosting provider, e-commerce platform provider, accounting firm, analytics tools, marketing platforms.
Transfers outside the EEA — if you use Google Analytics, Mailchimp, Facebook Pixel, or Stripe, data goes to the US. State the transfer mechanism (DPF, SCCs).
Retention periods — specific for each purpose: order data (fulfilment period + limitation period for claims + tax document retention period), newsletter (until consent is withdrawn), customer account (until account deletion + archiving period).
Customer rights — access, rectification, erasure, restriction, portability, objection, consent withdrawal.
Right to lodge a complaint with the supervisory authority.
Information about profiling — if the shop uses product recommendations or customer segmentation.
Cookie information — brief note with a link to the full cookie policy.
Form and accessibility: The privacy policy must be easily accessible — a link in the website footer, visible on every page. It should be written in plain language, not legal jargon.
Newsletter and Email Marketing
The newsletter is one of the most common sources of GDPR issues in e-commerce. Key rules:
Newsletter consent must be voluntary — it cannot be a condition of placing an order or receiving a discount. The “I want to receive the newsletter” checkbox must not be pre-ticked. The customer must actively check the box.
Double opt-in — recommended practice of sending an email with a confirmation link. It protects against sign-ups without the person’s knowledge and serves as evidence of consent.
Consent wording must be specific — instead of a generic “I agree to marketing,” write: “I want to receive a newsletter with information about new products and promotions to the email address provided.”
Consent withdrawal must be easy — every email must include an “Unsubscribe” link. Withdrawal must be as simple as giving consent.
Consent documentation — you must be able to demonstrate when and how the customer gave consent (date, consent text, IP address, method). The mailing platform should store this data.
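The five newsletter rules above (active opt-in, double opt-in, specific consent text, easy withdrawal, and evidence of consent) can be enforced in the sign-up flow itself. The following Python sketch is an added example, not code from the article or from the law office; the signing key, the in-memory "tables", the email addresses and the token format are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

# Hypothetical signing key; a real deployment loads it from a secrets store.
SIGNING_KEY = b"example-signing-key-replace-me"

# The exact wording shown next to the checkbox is stored with every consent.
CONSENT_TEXT = ("I want to receive a newsletter with information about new products "
                "and promotions to the email address provided.")

# In-memory stand-ins for two database tables (constructed for this example).
pending = {}      # email -> un-confirmed sign-up attempt
subscribers = {}  # email -> consent record (the evidence you keep)


def _sign(email: str, nonce: str) -> str:
    return hmac.new(SIGNING_KEY, f"{email}|{nonce}".encode(), hashlib.sha256).hexdigest()


def _now_iso(now: Optional[datetime]) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


def start_signup(email: str, ip: str, checkbox_ticked: bool, now=None) -> Optional[str]:
    """Step 1: the form is submitted. Without an actively ticked box there is no
    consent and nothing is stored. Otherwise record the attempt (date, IP,
    consent text) and return the token that goes into the confirmation link."""
    if not checkbox_ticked:
        return None
    nonce = secrets.token_urlsafe(16)
    pending[email] = {"email": email, "ip": ip, "nonce": nonce,
                      "requested_at": _now_iso(now), "consent_text": CONSENT_TEXT}
    return f"{nonce}.{_sign(email, nonce)}"


def confirm_signup(email: str, token: str, now=None) -> Optional[dict]:
    """Step 2: the confirmation link is opened. The token must carry a valid
    signature and match the pending nonce (so a link cannot be guessed or
    replayed). Only then is the consent record written."""
    attempt = pending.get(email)
    if attempt is None:
        return None
    nonce, _, sig = token.partition(".")
    if nonce != attempt["nonce"] or not hmac.compare_digest(sig.encode(), _sign(email, nonce).encode()):
        return None
    del pending[email]
    record = {k: v for k, v in attempt.items() if k != "nonce"}
    record.update({"confirmed_at": _now_iso(now),
                   "method": "web form + double opt-in email", "active": True})
    subscribers[email] = record
    return record


def unsubscribe(email: str, now=None) -> bool:
    """Withdrawal: one click, no justification, effective at once. The record is
    kept (with the withdrawal date) so the history of the consent can be shown."""
    record = subscribers.get(email)
    if record is None or not record["active"]:
        return False
    record["active"] = False
    record["withdrawn_at"] = _now_iso(now)
    return True
```

The consent record is written only at confirmation time, so an address typed in by someone else never becomes a subscriber; the stored record holds exactly the four things the paragraph asks for (date, consent text, IP address, method), plus the withdrawal date once the customer opts out.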
Cookies in an Online Shop
Online shops typically use many types of cookies — from essential to marketing. Obligations:
Essential cookies (session, cart, login) — do not require consent.
Analytics cookies (Google Analytics, Hotjar) — require consent before activation.
Marketing cookies (Facebook Pixel, Google Ads remarketing, affiliate pixels) — require consent. These carry the highest legal risk.
The cookie banner must offer equivalent options — “Accept,” “Reject” (or “Necessary only”), and “Settings.” Scripts must be blocked until consent is obtained (prior blocking).
Google Consent Mode v2 — if you use Google Analytics or Google Ads, configure Google Consent Mode v2, which adjusts Google tag behaviour based on the user’s decision in the cookie banner.
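Prior blocking is easiest to get right when the server never sends a non-essential tag to the browser until the stored decision allows it. The Python snippet below is an added example written for this article, not code from the author or from any consent-management product: the cookie format (a JSON object of category flags), the tag inventory and the "G-EXAMPLE" measurement id are assumptions, while the Consent Mode v2 signal names (analytics_storage, ad_storage, ad_user_data, ad_personalization) are the real ones.

```python
import json
from html import escape

# Constructed tag inventory for the example shop. "G-EXAMPLE" is a placeholder,
# not a real measurement id. Only the "necessary" category runs without consent.
TAGS = [
    {"name": "cart-session", "category": "necessary", "src": "/static/cart.js"},
    {"name": "google-analytics", "category": "analytics",
     "src": "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"},
    {"name": "facebook-pixel", "category": "marketing",
     "src": "https://connect.facebook.net/en_US/fbevents.js"},
]
CATEGORIES = {"necessary", "analytics", "marketing"}


def parse_consent_cookie(raw):
    """Turn the banner's stored decision (assumed: a JSON object in a first-party
    cookie) into the set of granted categories. A missing, malformed or unknown
    value means 'no consent', so the failure mode is the safe one."""
    granted = {"necessary"}
    if not raw:
        return granted
    try:
        data = json.loads(raw)
    except ValueError:
        return granted
    if isinstance(data, dict):
        granted |= {cat for cat, value in data.items()
                    if cat in CATEGORIES and value is True}
    return granted


def render_script_tags(granted):
    """Emit <script> tags only for consented categories. A blocked tag is never
    sent to the browser, so it cannot set a cookie before the decision is made."""
    return [f'<script src="{escape(tag["src"], quote=True)}"></script>'
            for tag in TAGS if tag["category"] in granted]


def consent_mode_v2_state(granted):
    """Map the banner decision onto the Consent Mode v2 signals. The two signals
    added in v2 (ad_user_data, ad_personalization) follow the marketing choice."""
    analytics = "granted" if "analytics" in granted else "denied"
    marketing = "granted" if "marketing" in granted else "denied"
    return {"analytics_storage": analytics, "ad_storage": marketing,
            "ad_user_data": marketing, "ad_personalization": marketing}


def render_consent_mode_snippet(granted):
    """Inline gtag() calls placed before any Google tag: a 'default' of denied
    for everything, then an 'update' only when a stored decision grants more."""
    lines = ["window.dataLayer = window.dataLayer || [];",
             "function gtag(){dataLayer.push(arguments);}",
             f"gtag('consent', 'default', {json.dumps(consent_mode_v2_state(set()))});"]
    if granted - {"necessary"}:
        lines.append(f"gtag('consent', 'update', {json.dumps(consent_mode_v2_state(granted))});")
    return "\n".join(lines)
```

Rendering the page with `render_consent_mode_snippet(...)` first and `render_script_tags(...)` afterwards gives the two properties the section asks for: nothing but essential scripts load before a choice exists, and the Google tags that do load are told, through Consent Mode, exactly what the customer chose.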
Customer Account — Registration and Guest Checkout
Guest checkout — the GDPR does not expressly require offering purchases without registration, but the data minimisation principle (Article 5(1)(c)) strongly supports this option. If a customer wants to buy a product, they should not be forced to create an account — data collected should be limited to the minimum necessary for order fulfilment.
Customer account — registration requires a privacy notice at the time of registration. The customer should be able to delete their account (right to erasure — Article 17 GDPR), although the controller may retain data necessary for accounting purposes or pursuing claims.
Password storage — passwords must be stored in hashed form (not plaintext). Inadequate password protection is a violation of Article 32 GDPR.
Profiling and Product Recommendations
Many online shops use product recommendation engines, content personalisation, customer segmentation, or dynamic pricing. This constitutes profiling within the meaning of the GDPR (Article 4(4)).
Profiling obligations:
Informing customers — the privacy notice must include information about profiling, its logic, and consequences (Article 13(2)(f) GDPR).
Legal basis — profiling for marketing purposes may be based on the controller’s legitimate interest (Article 6(1)(f)), but the customer has the right to object (Article 21 GDPR). Profiling leading to automated decisions with legal effects (e.g., automatic credit refusal, discriminatory dynamic pricing) is subject to Article 22 GDPR.
DPIA — if profiling is carried out on a large scale, a DPIA is required.
Right to object — the customer may object to profiling for marketing purposes, and the controller must cease processing.
Processors in E-Commerce — Who Needs a DPA
An online shop uses many service providers with whom a data processing agreement must be concluded:
E-commerce platform provider (e.g., Shopify, WooCommerce hosting, Shoper) — processes customer data on your server or in the cloud.
Hosting provider — stores data on its server.
Payment operator (e.g., Stripe, PayPal, local providers) — processes payment data. Note: the payment operator may be a separate controller for payment data processing — review their terms.
Courier company / postal service — processes address data. The situation is complex — courier companies may be separate controllers for their transport service.
Mailing platform (e.g., Mailchimp, GetResponse) — processes subscriber email addresses.
Accounting firm — processes invoice and bookkeeping data.
Analytics tools (Google Analytics, Hotjar) — process user behavioural data.
CRM system — processes customer data.
Chatbot / live chat provider — processes conversation data.
For each of these entities, check whether you have a signed DPA (or a DPA in the service terms) and whether it covers all required elements from Article 28 GDPR.
Customer Rights — Most Common Requests in E-Commerce
Right to erasure (Article 17 GDPR) — the customer requests deletion of their account and all data. The shop may refuse to delete data it must retain under law (invoices — 5 years, warranty documents — warranty period). However, it should delete the account, marketing data, and behavioural data.
Right of access (Article 15 GDPR) — the customer requests information about what data the shop holds. The shop has one month to respond and must provide a copy of the data in electronic format.
Right to data portability (Article 20 GDPR) — the customer requests their data in a machine-readable format (e.g., CSV, JSON). This applies to data the customer provided themselves and which is processed automatically on the basis of consent or contract.
Right to object to marketing (Article 21 GDPR) — the customer objects to profiling or direct marketing. An objection to marketing is absolute — the shop must cease immediately.
Newsletter consent withdrawal — immediately effective, no justification required.
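The erasure and portability requests above follow a mechanical pattern: delete everything that has no legal reason to stay, keep accounting and warranty records only for as long as their period runs, and export only what the customer provided. The following Python example is added here and is not code from the article or the law office; the customer record, order numbers and warranty dates are constructed, and the retention arithmetic uses the 5-years-from-end-of-tax-year period the article gives for invoices.

```python
import json
from datetime import date

# Invoices are kept for 5 years counted from the end of the tax year
# (the period the article gives for tax documents).
INVOICE_RETENTION_YEARS = 5

# Constructed customer record as a shop database might hold it (not real data).
SAMPLE_CUSTOMER = {
    "account": {"email": "anna@example.com", "name": "Anna Example", "password_hash": "<hash>"},
    "orders": [
        {"id": "ORD-0", "date": "2017-02-10", "invoice_no": "INV-2017-0001", "items": ["mug"], "address": "Example St 1"},
        {"id": "ORD-1", "date": "2019-11-03", "invoice_no": "INV-2019-0042", "items": ["lamp"], "address": "Example St 1"},
        {"id": "ORD-2", "date": "2023-05-01", "invoice_no": "INV-2023-0007", "items": ["laptop"], "address": "Example St 1"},
        {"id": "ORD-3", "date": "2018-03-01", "invoice_no": "INV-2018-0015", "items": ["fridge"], "address": "Example St 1"},
    ],
    "warranties": [{"order_id": "ORD-2", "expires": "2026-05-01"},
                   {"order_id": "ORD-3", "expires": "2025-03-01"}],
    "marketing": {"newsletter": True, "segment": "frequent-buyer"},
    "behavioural": {"viewed": ["p1", "p2"], "cart": ["p3"]},
}


def invoice_retention_end(invoice_date: str) -> str:
    """Last day of the retention period: 31 December, five years after the tax year of the invoice."""
    return date(date.fromisoformat(invoice_date).year + INVOICE_RETENTION_YEARS, 12, 31).isoformat()


def handle_erasure(customer: dict, today: str) -> dict:
    """Apply an Article 17 request. Account, marketing and behavioural data go
    at once; each order is kept only while the tax retention period or the
    warranty period still runs, and the reason and end date are recorded so
    the partial refusal can be explained to the customer."""
    result = {"deleted": [], "retained": {}, "remaining_record": {"orders": [], "warranties": []}}
    for category in ("account", "marketing", "behavioural"):
        if category in customer:
            result["deleted"].append(category)
    warranty_until = {w["order_id"]: w["expires"] for w in customer.get("warranties", [])}
    for order in customer.get("orders", []):
        tax_until = invoice_retention_end(order["date"])
        warranty = warranty_until.get(order["id"], "")
        # ISO dates compare correctly as strings; keep whichever period ends later.
        until, basis = max((tax_until, "tax document retention (Article 6(1)(c))"),
                           (warranty, "warranty period"))
        if until >= today:
            result["retained"][order["id"]] = {"until": until, "basis": basis}
            result["remaining_record"]["orders"].append({**order, "retained_until": until, "basis": basis})
        else:
            result["deleted"].append(order["id"])
    kept = set(result["retained"])
    result["remaining_record"]["warranties"] = [
        w for w in customer.get("warranties", []) if w["order_id"] in kept]
    return result


def export_portable_data(customer: dict) -> str:
    """Article 20: data the customer provided themselves, in a machine-readable
    form. Derived data (segmentation, browsing profile) and internal fields
    (password hash) are out of scope and left out."""
    portable = {
        "account": {k: v for k, v in customer["account"].items() if k != "password_hash"},
        "orders": [{k: o[k] for k in ("id", "date", "items", "address")} for o in customer["orders"]],
    }
    return json.dumps(portable, indent=2)
```

Run against the sample record on 2024-06-01, the handler deletes the account, the marketing and behavioural data and the 2017 order, and keeps the other three orders with an explicit end date each; run again in 2029, nothing remains to retain. The returned `retained` map is what customer service would quote back in the one-month response.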
Data Security in E-Commerce
Online shops are a frequent target of cyberattacks — making data security particularly important:
SSL/TLS certificate — encryption of data transmission between the customer’s browser and the server. Mandatory for every shop.
Database encryption — personal data in the database should be encrypted at rest.
Secure password storage — hashing with salt (bcrypt, Argon2). Never store passwords in plaintext.
Regular updates — of e-commerce platforms, plugins, and libraries. Outdated software is the most common cause of breaches.
Backups — regular, tested for recoverability.
Access control — restricted access to the admin panel, MFA for administrators.
Security monitoring — detecting unusual activity (e.g., mass downloading of customer data).
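Both the "Password storage" item in the customer account section and the "Secure password storage" item above come down to one rule: a random salt per user and a slow, tunable hash, never plaintext and never a bare fast digest. The Python example below is added for illustration and is not code from the article; it uses `hashlib.scrypt` from the standard library because bcrypt and Argon2 (the algorithms the article names) need a third-party package, and the cost parameters are constructed values.

```python
import hashlib
import hmac
import os

# Current cost parameters (constructed for the example; measure on your own
# hardware so one hash takes a noticeable fraction of a second).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def insecure_hash(password: str) -> str:
    """The 'before': one fast, unsalted hash. Identical passwords give identical
    digests and a leaked table can be cracked offline at full hardware speed."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P) -> str:
    """The hardened form: a random per-user salt plus a memory-hard, tunable KDF.
    Parameters are stored with the hash so they can be raised later without
    breaking existing accounts."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    """Split the stored string into (n, r, p, salt, digest); None if malformed
    or if the parameters are absurd (a tampered record must not exhaust memory)."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = (int(x) for x in parts[1:4])
        if n > 2 ** 20 or r > 32 or p > 16:
            return None
        return n, r, p, bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the stored value is not scrypt or was made with weaker
    parameters than the current ones: rehash on the next successful login."""
    parsed = _parse(stored)
    if parsed is None:
        return True
    n, r, p = parsed[:3]
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P
```

`needs_rehash` is what lets a shop migrate: legacy rows (the output of `insecure_hash`, or scrypt with older parameters) are detected at login and replaced with a fresh hash, so the whole user base is upgraded without a forced password reset.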
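The monitoring item gives "mass downloading of customer data" as the activity to watch for. One way to detect it is to stream the admin panel's audit log and count, per administrator, how many customer records were opened inside a sliding window, while treating any bulk export as worth a look on its own. The Python below is an added example, not code from the article or from any e-commerce platform; the log format, the user names and the threshold are constructed for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection rule (constructed values): a single admin opening this many customer
# records within the window is unusual for manual customer service work.
THRESHOLD = 50
WINDOW = timedelta(minutes=10)


def build_sample_log():
    """Constructed admin-panel audit log lines, not real data. Format:
    <ISO timestamp>Z <admin user> <action> <target>. carol works normally,
    alice opens 60 records in two minutes, bob triggers a full export."""
    base = datetime(2024, 3, 4, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=20 * i)).isoformat()}Z carol view_customer {2000 + i}"
             for i in range(3)]
    lines += [f"{(base + timedelta(seconds=2 * i)).isoformat()}Z alice view_customer {1000 + i}"
              for i in range(60)]
    lines.append(f"{(base + timedelta(minutes=5)).isoformat()}Z bob export_customers all")
    return sorted(lines)


def parse_line(line):
    ts, user, action, target = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, target


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Stream the log once. Bulk exports are always reported; per-record views
    are counted per user in a sliding window and reported when they cross
    the threshold (once per user, to avoid an alert for every further view)."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of views inside the window
    flagged = set()
    for line in lines:
        ts, user, action, target = parse_line(line)
        if action == "export_customers":
            alerts.append({"user": user, "at": ts, "reason": f"bulk export of {target} customers"})
            continue
        if action != "view_customer":
            continue
        views = recent[user]
        views.append(ts)
        while views and ts - views[0] > window:
            views.popleft()
        if len(views) >= threshold and user not in flagged:
            flagged.add(user)
            alerts.append({"user": user, "at": ts,
                           "reason": f"{len(views)} customer records viewed within {window}"})
    return alerts
```

On the sample log the detector raises two alerts, one for alice's burst and one for bob's export, and nothing for carol's three views spread over an hour. In a real deployment the threshold should be set from a baseline of normal customer-service activity, and the alert should go to whoever handles the incident response procedure for a suspected data breach.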
Checklist — GDPR for Online Shops
- Prepare a privacy policy meeting Article 13 GDPR — place a link in the footer.
- Implement a cookie banner with prior blocking — equivalent accept and reject options.
- Prepare a cookie policy with a cookie table.
- Configure the newsletter in compliance with GDPR — opt-in checkbox, double opt-in, unsubscribe link.
- Offer guest checkout — data minimisation.
- Prepare privacy notices on forms — registration, contact, newsletter.
- Conclude DPAs with all service providers.
- Define data retention periods — for each purpose.
- Implement a customer request handling procedure — access, erasure, portability, objection.
- Secure data technically — SSL, database encryption, password hashing, backups.
- If you use profiling — disclose it in the privacy policy and assess the need for a DPIA.
- Identify transfers outside the EEA — conduct a TIA.
- Prepare a ROPA — include all e-commerce processes.
- Train customer service staff — how to respond to GDPR requests.
- Regularly update shop software and test security.
Need a GDPR Audit for Your Online Shop?
E-commerce is a high-risk GDPR sector — extensive data, numerous processes, many providers, and many cookies. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we conduct GDPR audits dedicated to online shops — from privacy policies and cookies, through newsletters and profiling, to supplier agreements and data security.

Contact us — we will check whether your shop is GDPR-compliant.
