What is the GDPR?
In 2016, the European Parliament adopted the EU General Data Protection Regulation. Under this new law, all e-commerce retailers selling in EU countries were required to make various changes to their online shop by no later than 25 May 2018. These changes related in particular to the following areas:
Duties to inform
The goal of the GDPR was to standardise online privacy protection throughout all EU member states. This benefits not only consumers, but also shop operators. For example, the one-stop shop (OSS) principle simplifies international e-commerce. Now, shop operators no longer need to coordinate with multiple privacy protection authorities regarding a single data process; instead, they can deal with just one central authority.
easy to understand
easy to access
1. Data controller and contact
The data controller (the party in charge of collecting the data, usually your company)
The controller’s legal representative (usually the CEO or managing director of your company, if applicable)
The controller’s data security officer (if applicable)
2. Personal data
After that, you must explain:
... which data your shop collects and processes.
... at which point(s) the data collection takes place.
... for which purpose(s) this is done.
... who receives the data.
... for how long the data is stored.
3. Legal basis
For each type of data you collect, you must specify the legal basis. Most online retailers do so by referring to the specific article of the GDPR. For example, one common legal basis is article 6.1.f of the GDPR: ‘processing is necessary for the purposes of the legitimate interests pursued by the controller [...]’. You must also specify what those legitimate interests are. For example, if you are collecting your visitors’ IP addresses, then use the following table to determine the legal basis and which legitimate interests you should cite:
|Personal data||IP address|
|Time of collection||When the connection to your server is established|
|Legal basis||Art. 6.1.f of the GDPR|
|Purpose and legitimate interest||To enable us to make our website available to you|
4. Data subjects’ rights
The GDPR also requires online shops to inform users (data subjects) of their rights under the law. These include the following:
|GDPR article||Data subjects’ right||Description|
|15||Right to information||Data subjects have the right to be informed of whether a shop operator is processing personal data. If so, then the shop operator must also list which types of personal data they process and describe the data processing in greater detail.|
|16||Right to rectification||If the data that your shop has stored about a customer is incorrect, then the customer has the right to request that you correct it.|
|17||Right to erasure (‘right to be forgotten’)||Customers can also request that their data be erased. You must comply if you no longer have a legitimate interest or legal basis for storing the data, or if other conditions under article 17 of the GDPR apply.|
|18||Right to restriction of processing||Customers have the right to request that you restrict the processing of their data.|
|20||Right to data portability||This right applies to data that is necessary for fulfilling a contractual obligation, or that your customers have granted their consent for you to process. It allows customers to request that you, the data controller, provide the collected data to them in a structured, conventional and electronically readable format that they can then transfer to other data controllers. Alternatively, the customer may ask that you transfer the data directly to another data controller.|
|21||Right to object||In certain cases, data subjects have the right to object to the processing of their personal data, even if the processing is considered legal under article 6 of the GDPR. Data subjects always have the right to object to their personal data being processed for the purpose of direct advertising.|
|77||Right to file a complaint with an oversight authority||Visitors to your site may always make a complaint to the data protection authorities in your country if they have reason to believe that their data is being processed unlawfully.|
How do we collect your data?
What do we use your data for?
What are your rights as a data subject?
Are there other privacy protection rules that are important in e-commerce?
Social media plugins
When a customer wants to enter their personal data on your site (for example, during checkout or when signing up for your newsletter), they need to fill in a web form. To ensure that the web forms on your site comply with the GDPR, they must meet two important requirements:
Data minimisation: As a shop operator, you are only allowed to request the minimum amount of data necessary for you to fulfil your contractual obligation (for example, to fill an order). So, during checkout, all you really need to ask is the customer’s name and address. If your customer only wants to sign up for your email newsletter, you cannot require them to also provide you with their postal address and phone number.
Confidentiality: As an online retailer, you are obligated to make sure that all your customers’ personal data is protected from unauthorised or unlawful processing. That means that any transfer of data needs to be encrypted.
Article 32.1.a of the GDPR requires shop operators to ensure that their data transfer is encrypted. It’s a good idea to use the HTTPS protocol to secure communications on your website. You can also use an SSL certificate to ensure that...
... communication partners are authorised via an asymmetrical encryption process.
... data transfer is secured end-to-end with a symmetrical encryption process.
... the integrity of the transported data is not compromised.
To learn more about how to obtain an SSL certificate and which other security measures you can take, check out our article on eCommerce security.
Ever since the GDPR came into effect, online shops have been required to use a double opt-in process to gain the customer’s consent for processing their data (for example, when a customer signs up for your newsletter). That means a customer who is interested in receiving information or advertising from you must consent to this when they give you their contact information (for example, by ticking a box to indicate that they wish to receive advertising emails from you). After that, you must also send them a confirmation link via email, which they must click to complete the sign-up process. This means that they twice give their consent to receive future information/offers from you. If you don’t obtain this double consent, you are not allowed to send advertising or marketing messages to the customer’s email address. If the customer does not click on the confirmation link, you are not allowed to use or store their email address for marketing purposes.
Items in the shopping cart
The table below shows examples of which kinds of cookies are considered technically necessary and which are not:
|Technically necessary||Not technically necessary|
|Session cookies for storing user settings, such as language preferences||Tracking and analytics tools|
|Flash cookies to display page contents||Affiliate marketing services|
|Payment cookies from integrated payment service providers (which are only used for completing a payment and are not used to analyse user behaviour)||Social media plugins|
|Cookies from live chat systems||Online map services|
Social media plugins
In the past, social media plugins could start collecting user data the moment a visitor arrived on your site. The GDPR changed all of that. Under the new rules, social media plugins must always be inactive by default when a user arrives on a site. When a plugin is correctly embedded on your site, it is a passive button that only becomes active when the user clicks on it. By clicking the button, the user gives their consent for their data to be transferred to whichever social media platform the plugin is for. After all, if a user clicks the button, it’s logical to assume that they wish to use it (for example, to share content from your website via social media).
Social media plugins are very common in e-commerce and usually appear in the form of Shariff buttons. In addition, you can use a two-click consent principle for social media buttons on your site (similar to the double opt-in principle for newsletters). Under the two-click system, the user first clicks the social media button they want to use. Then your shop explicitly asks if they consent to you transferring their data to the social media platform.
As a shop operator, you probably work with many service providers, such as:
Payment service providers
These service providers also process personal data related to your customers, so the GDPR requires you to enter into a data processing agreement (DPA) with each partner. Without a DPA, you have no legal grounds for transferring customer data to a third party. Although creating a DPA takes a little extra effort, it offers you more security than you had in the past. For example, a DPA clearly defines who is responsible in the event of a data leak.
Privacy protection in your online shop: a summary of things to consider
|Data control||Who is responsible for collecting data in your online shop?||The site owner; your company’s data security officer|
|Type and scope of data collection||Which user data is collected and processed by your website?||IP address, name and address|
|At which point on your website does the data collection occur?||When the user submits a contact form; when the site is accessed; when the user clicks a social media button|
|What happens to the data?||It is stored for a set period of time|
|For which purpose do you collect and process data?||Marketing purposes; to complete an order|
|How long is data stored?||Until the order is completed; until the user opts out|
|Is the data shared with any third parties? If so, why?||Google Analytics; your logistics partners|
|Which measures have you put into place to ensure data security on your site?||Use of HTTPS protocol|
|Legal basis||What is the legal basis for your data collection?||Art. 6.1.f of the GDPR|
|Right to object||When do users have the right to object to their data being processed?||For direct advertising: anytime; for all other purposes: only when they have specific reasons|
|Other users’ rights||Which other rights do your site’s visitors have?||Right to be informed; right to rectification of data; ‘right to be forgotten’|