GDPR in E-Commerce (Part 2)

You know the basics of GDPR – but it's in practice that things get really exciting. What happens when agencies, tracking tools, or international providers come into play?
In part 2, you'll learn how to take your data protection strategy to the next level – with clear responsibilities, data-secure tools, and practical workflows. No legal jargon – just concrete help for your everyday shop operations.
Roles & responsibilities in data protection
Whether it's an agency, hosting provider, or analytics tool: as soon as you start working with external partners, the key question arises – how is responsibility for personal data correctly distributed?
In this section, we clarify how you can legally classify order processing, joint responsibility, or sole responsibility – and which contracts you need for this.
Order processing or joint responsibility?
Whether an agency is considered a processor or (joint) controller depends on who decides on the purpose and means of data processing.
You can find more information on the basics of order processing in Part 1 of this blog series.
In practice, it is particularly important that you check how the roles are distributed in each collaboration—and whether a data processing agreement or a joint responsibility agreement is necessary.
Order processing (Art. 28 GDPR)
The agency acts exclusively on your behalf—for example, in the case of:
- System maintenance or technical support
- Web analysis with provided data
- Creation and dispatch of newsletters via tools such as CleverReach or Mailchimp
In this case, you need a written data processing agreement that regulates the following points, among others:
- Type and purpose of data processing
- Categories of data processed
- Obligations and rights of the controller
- Technical and organizational measures (TOMs)
- Support for data subject rights
Joint responsibility (Art. 26 GDPR)
Joint responsibility exists when the shop and agency jointly decide on the purpose and means of data processing—for example, in the case of:
- Jointly developed campaign platforms
- Co-branding projects
- Customer loyalty programs with coordinated CRM access
Practical example:
- The shop sets retargeting goals.
- The agency develops the tracking concept and evaluates data.
- Both jointly determine which data is collected and how long it is stored.
What needs to be done?
Then you need a written agreement in accordance with Art. 26 GDPR, which regulates:
- Who is responsible for which tasks (e.g., for requests for information or deletion)
- How data subjects are informed
- Who acts as the central contact person
In addition:
- The processing must be documented in the record of processing activities.
- Depending on the risk, a data protection impact assessment (DPIA) must be carried out.
What often goes wrong
In practice, the following stumbling blocks often arise:
- No processing agreement despite data processing by third parties
- Tracking tools integrated without prior consent
- Cooperation with agencies without clarity of roles
- Tools with third-country transfers without checking the legal basis
- No update of the contractual basis in the event of tool or legal changes
Who is liable in the event of an emergency?
The entity responsible within the meaning of Art. 4 (7) GDPR is the entity that decides on the purposes and means of processing—usually the shop operator.
Agencies are only liable on their own if they:
- act without a contractual basis, or
- do not adhere to the agreed rules.
In the case of pure order processing, the main responsibility lies with the shop.
Service providers' own responsibility
Not every external collaboration is order processing. Some providers decide independently on the processing – in this case, they are responsible for their own data protection.
Typical examples:
- Payment service providers (e.g., PayPal, Klarna, Stripe)
- Shipping and logistics companies
- Tax advisors and law firms
No data processing agreement is required in these cases, but:
- The processing must be presented transparently in the privacy policy.
- It is sufficient to name the category of the recipient (e.g., “payment service providers,” not “Klarna”).
- Third-country transfers must be specified with a legal basis (e.g., SCCs or DPF certification).
Checklist: Working with service providers
Before you use a new tool or work with an agency, check:
- Who decides on the purpose and means of data processing?
- Is it contract processing or joint responsibility?
- Is there a written contract (DPA or Art. 26 agreement)?
- Has it been checked whether the service provider bears its own responsibility?
- Has the role been correctly documented in the privacy policy and in the directory?
Summary: Who is responsible for what?
| Type of cooperation | Example | Contract necessary? |
| --- | --- | --- |
| Order processing | Hosting, newsletter tool | AV contract / DPA (Art. 28 GDPR) |
| Joint responsibility | Campaign platform | Agreement according to Art. 26 GDPR |
| Own responsibility | Payment providers, logistics service providers | No AV contract, but information in the privacy policy |
Data in the US? How to remain GDPR-compliant
Do you already use tools such as Google, Meta, or Stripe? Then you know that particularly strict requirements apply as soon as personal data is transferred to a third country.
In Part 1, we clarified the basics – here we show you how to check whether a provider is GDPR-compliant, what alternatives you have, and what you need to consider when using them.
Check: Third-party providers based in the US
- Is the provider DPF certified?
- What types of data are transferred (e.g., payment data)?
- Are there additional protective measures (e.g., encryption, pseudonymization)?
- Is data processing documented and explained in the privacy policy?
The current legal framework: EU-US Data Privacy Framework (DPF)
Since July 2023, data transfers to the US have been possible again – but only if the US company is DPF certified. You can check whether your provider is certified here: https://www.dataprivacyframework.gov
- If certified: Document the legal basis and adapt the privacy policy.
- If not certified: Standard Contractual Clauses (SCCs), additional technical protection measures (e.g., encryption, pseudonymization), and a documented risk assessment are mandatory.
Practical tip: How to check third-party providers for GDPR compliance
Questions you should ask yourself before using a provider:
- Is the provider DPF-certified or do SCCs apply?
- Where are the servers located – really in the EU?
- What types of data are transferred? (e.g., payment data or usage behavior)
- Who decides on the purpose and means of data processing?
- Does an AV contract have to be concluded?
GDPR-friendly alternatives from the EU
If you want to avoid third-country transfers altogether, you can rely on EU-based tools:
- Web analytics: Matomo, Piwik PRO, etracker
- Newsletters: CleverReach, Brevo (Sendinblue)
- CRM: weclapp, CentralStationCRM
These solutions offer greater data protection control, minimize your risk, and build trust among your customers.
Implementing consent management correctly from a technical perspective
Do you use a consent banner? Excellent. But how secure is the technology behind it? In part 1, we explained what a legally compliant banner must do. Now we'll look at the technical implementation:
- How do you control consent via Google Tag Manager?
- How do you ensure that scripts only load after consent has been given?
- And which tool is right for your shop?
Best practices for technical implementation
- Use a CMP that can be connected to your tag manager
- Block all scripts before consent – including embedded content such as YouTube
- Document each consent in an audit-proof manner: timestamp, tool version, settings
- Provide a simple revocation option (e.g., via a footer link)
Tip: Even with a visually appealing banner, if the technology is not right, the consent is invalid. Therefore, rely on proven CMPs such as Iubenda, Consentmanager, or Complianz.
Why technical implementation is crucial
Even a visually appealing consent banner is not enough—correct technical implementation in the background is crucial. Only if scripts are actually loaded after consent has been given and data processing is technically controlled will your shop comply with legal requirements.
In practice, this means:
- Scripts must remain blocked until consent has been given – e.g., through the use of Google Tag Manager in conjunction with a consent management platform (CMP).
- The CMP must be able to centrally control when which tools are activated – based on the selected preferences.
- Each consent must be logged and stored in a traceable manner, e.g., with a timestamp, the version of the banner used, and the user's selection.
- It must be possible to change or revoke the decision at any time – without any obstacles.
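The four requirements above (block until consent, central activation per category, an audit record with timestamp, banner version and selection, and barrier-free revocation) can be checked against a concrete implementation. The following is an added example written for this article, not code from maxcluster or from any of the CMPs named here. It assumes the common convention that third-party tags are shipped as `<script type="text/plain" data-consent="analytics">` so the browser never executes them, and that the shop defines its own banner version string; the category names, `BANNER_VERSION` and the in-memory log are assumptions for the illustration.

```javascript
// Added example (not from the original article): a minimal consent gate that
// keeps third-party scripts blocked until the user has actively consented,
// records every decision in an audit-friendly form and supports revocation.
// The categories, the banner version string and the in-memory log are
// assumptions for this illustration; a real CMP persists the log server-side.
const BANNER_VERSION = "2025-06-banner-v3"; // assumed version of the deployed banner

// Categories a shop typically separates. Every tool is tagged with exactly one.
const CATEGORIES = ["necessary", "analytics", "marketing", "media"];

// Consent log. Entries are only appended, never edited, so the shop can later
// prove which consent existed at which time (Art. 5 (2) GDPR).
const consentLog = [];

// Build an audit record from the user's selection. "necessary" needs no
// consent and is therefore never part of the recorded choices. A category
// that is not explicitly granted is recorded as denied.
function recordConsent(choices, now = new Date()) {
  const record = { timestamp: now.toISOString(), bannerVersion: BANNER_VERSION, choices: {} };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    record.choices[cat] = choices[cat] === true;
  }
  consentLog.push(record);
  return record;
}

// Revocation appends a record with everything denied instead of deleting
// history: the log must show that consent existed and when it ended.
function revokeConsent(now = new Date()) {
  return recordConsent({}, now);
}

// The most recent record is the one that decides what may run.
function currentConsent() {
  return consentLog.length ? consentLog[consentLog.length - 1] : null;
}

// Categories allowed right now. Without any record only necessary tools run,
// so a script that was never explicitly granted stays blocked.
function allowedCategories() {
  const allowed = ["necessary"];
  const current = currentConsent();
  if (!current) return allowed;
  for (const [cat, granted] of Object.entries(current.choices)) {
    if (granted) allowed.push(cat);
  }
  return allowed;
}

// Given descriptors of blocked scripts ({ category, src }), return the ones
// that may be activated under the current consent.
function scriptsToActivate(blockedScripts) {
  const allowed = new Set(allowedCategories());
  return blockedScripts.filter((s) => allowed.has(s.category));
}

// Browser-only part: rewrite each permitted
// <script type="text/plain" data-consent="..."> into a live script element
// and tell the tag manager about the decision. Returns the number activated.
function activateInDom() {
  if (typeof document === "undefined") return 0; // no DOM (e.g. when run in Node)
  const blocked = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-consent]')
  ).map((el) => ({ category: el.dataset.consent, element: el }));
  let count = 0;
  for (const { element } of scriptsToActivate(blocked)) {
    const live = document.createElement("script");
    if (element.src) live.src = element.src;
    else live.textContent = element.textContent;
    element.replaceWith(live); // only now does the browser fetch/execute it
    count++;
  }
  // Publish the decision on the dataLayer so tag-manager triggers can fire
  // on the "consent_update" event instead of on page load.
  window.dataLayer = window.dataLayer || [];
  window.dataLayer.push({ event: "consent_update", consent: currentConsent() });
  return count;
}
```

The design choice worth noting is that the gate starts from "deny everything except necessary" and only widens on an explicit record, and that revocation is itself a logged event rather than a deletion. Wire `activateInDom()` to the banner's save button and to the footer revocation link; tags in the tag manager should trigger on the `consent_update` event, never on the plain page view.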
Suitable consent management tools
CMPs are designed to technically implement and document legally compliant consent processes. They block all unnecessary services by default and can be easily integrated into common shop systems. Many CMPs also offer automatic scans, customization options, and flexible export functions.
Tools for clean consent management (selection)
| Tool | Strengths |
| --- | --- |
| Iubenda | GDPR-compliant, easy integration into common shop systems |
| Consentmanager | Automatic website scan, good customization options |
| Complianz | Particularly suitable for WordPress shops, good user guidance |
Note: The providers mentioned are part of the team.blue group, which stands for a common quality and data protection strategy.
We show you how to use cookie banners correctly and tools such as iubenda in a data protection-compliant manner in the article Data protection compliance for online shops.
Typical mistakes in practice
Even shops that use a CMP often make the same mistakes:
- Scripts are loaded before consent is given (e.g., through direct integration in HTML)
- IP anonymization is not enabled in Google Analytics
- Consent is not documented
- YouTube, Google Maps, etc. are embedded immediately, even though they require consent
- Old tracking scripts remain active despite new banner configuration
To-dos for your shop
To be on the safe side, you should regularly check the following points:
- Does your shop really only load tracking tools after consent has been given?
- Is every consent documented?
- Is revocation possible at any time – e.g., via a footer link?
- Are new tools (e.g., plug-ins) checked for GDPR compliance before use?
- Is your CMP regularly updated and maintained?
Analysis & tracking – only with clean configuration
If analysis tools such as Google Analytics or Hotjar are running in your shop, a consent banner alone is not enough – the right configuration in the background is crucial.
Minimum technical requirements
- Activate IP anonymization (mandatory for GA4, for example)
- Only load scripts after active consent has been given – ideally via Google Tag Manager
- Document consent in an audit-proof manner (e.g., via CMP)
- Check tools regularly – especially after updates or configuration changes
Data transfer to a third country? Then you also need a legal basis (DPF certification or SCCs). ➝ See chapter: “Data in the US?”
Practical tip: Even if you use GDPR-compliant tools such as Matomo or Piwik PRO: Without correct technical implementation, you still risk violations.
Server-side tracking: Less data loss, more data protection?
Many shop operators are increasingly relying on server-side tracking to prevent data loss due to ad blockers and browser protection mechanisms.
But it's not just data quality that improves – the model also offers advantages in terms of data protection:
- More control: You decide on the server side which data is collected and passed on.
- Better security: Central processing facilitates technical protective measures such as pseudonymization.
- More reliable database: Tracking is less disrupted by ITP/ETP or consent blockers.
But beware: The GDPR also applies to server-side tracking – consent (e.g., via CMP) remains mandatory.
Requirements for GDPR compliance:
- Obtain and document consent
- Pseudonymize data before it is sent to external tools
- Legally secure third-country transfers
- Record data flow in the directory of processing activities
Suitable tools & providers (examples):
| Tool | Advantages |
| --- | --- |
| Piwik PRO Edge | GDPR-friendly, EU hosting |
| Matomo Tag Manager | Self-hosted, flexibly expandable |
| GTM Server Side (GTM-SS) | High performance, but complex to secure |
Checklist: GDPR-compliant tracking setup
- Analysis tool correctly integrated (e.g. via GTM + CMP)
- IP anonymization active
- No data processing before consent
- Logging of consents ensured
- Third-country transfer legally secured
Tip: If you want to avoid tools such as Google Analytics, you can use privacy-friendly alternatives such as Matomo, Piwik PRO, or etracker – preferably self-hosted or hosted in the EU, e.g., with maxcluster.
Access protection & system security: Implementing TOMs correctly
The GDPR obliges you, as a shop operator, to protect personal data through appropriate technical and organizational measures (TOMs).
The goal: to minimize risks, prevent misuse, and be able to react quickly in an emergency.
Technical protection measures: What does your shop need to be able to do?
| Area | Measure |
| --- | --- |
| Data transmission | TLS/SSL encryption for all pages and APIs |
| Access management | 2-factor authentication (e.g., authenticator app) for administrators |
| Rights assignment | Role-based access concepts (RBAC) – only authorized users can see sensitive data |
| Monitoring | Logging & monitoring of suspicious access |
| Data backup | Scheduled, encrypted, and geo-redundant backups |
Practical tip: Tools such as Bitwarden, JetBackup, or Fail2Ban make it easier to implement these standards.
Organizational measures: Who does what—and how often?
In addition to technology, clear responsibilities are needed within the team:
- Who is responsible for updates and patch management?
- Who is authorized to assign or change user roles?
- How often are backups tested?
- Are there fixed processes for data leaks or support requests?
Document these processes regularly – they are part of your accountability under Art. 5 (2) GDPR.
Documentation: Easily fulfill your accountability obligations
The GDPR not only requires you to protect personal data—you must also be able to prove how you do so at any time. This so-called accountability (Art. 5 (2) GDPR) applies to every online store, regardless of size.
What you need to document
A comprehensive data protection concept includes both technical and organizational measures. You should regularly maintain the following documents and processes:
- Record of processing activities (Art. 30 GDPR)
All processes in which personal data is processed – from newsletters to payment processing.
- Concluded data processing agreements
Contracts with service providers who process personal data on your behalf – for example, for hosting, newsletters, or web analytics – are an essential part of GDPR compliance. Not only is the contract important, but so are the provider's security measures.
- Documentation of the protective measures you have implemented – e.g., encryption, 2FA, backup routines.
- Consent logs
Traceable storage of consents – including timestamps, tool version, and selected settings.
- Data protection processes & responsibilities
Who is responsible for data protection in the company? How are requests from data subjects handled? What happens in the event of a data leak?
Our tip: Pay particular attention to data protection and technical security when it comes to hosting.
As a managed hosting provider, we at maxcluster attach great importance to a data protection-compliant infrastructure. Our security measures include:
- ISO 27001-certified data centers located in Germany.
- Regular backups and a redundant infrastructure to prevent data loss.
- Encrypted storage and differentiated authorization management that specifically controls access to sensitive data.
Tip: Even if you don't need a data protection officer, keep a written record of responsibilities and ensure clear processes for support, technology, and management.
Tools for data protection documentation
| Tool | Functions |
| --- | --- |
| Iubenda | Privacy policies, cookie banners, AV contract management |
| heyData | Data protection platform for SMEs – with automated checks |
| DataGuard | Complete solution for data protection management & audits |
How to keep your documentation up to date
- Check once a year – or whenever there is a change (e.g., new tool)
- Regularly review roles and access rights – who has access to what?
- Document updates – even minor changes should be included in the directory
- Record training courses – internal or with service providers
Artificial intelligence (AI) in the shop – compliant with data protection regulations?
From personalized product recommendations to automated customer communication, AI has long since arrived in e-commerce. However, processing large amounts of personal data raises new GDPR issues. Read our article AI security and fraud prevention in online retail to find out how to use AI safely and responsibly in your online store and what role fraud prevention plays in this.
Typical areas of application for AI in e-commerce:
- Dynamic pricing
- Product suggestions based on usage behavior
- Chatbots & automated support
- Risk assessments for payments
Data protection challenges in AI systems
| Challenge | GDPR Requirement |
| --- | --- |
| Opaque "black-box" decisions | Transparency obligation – users must understand how and why a decision was made |
| Fully automated decision-making | Art. 22 GDPR – users must not be subject to purely automated decisions |
| Processing of sensitive data | Only permitted with explicit consent or a legal basis |
| Sharing personal data with external providers | Only allowed with a DPA and clear purpose limitation |
What Online Shops Should Do Now
- Label AI systems: disclose when AI is used (e.g., in the privacy policy)
- Avoid or secure profiling: automated decisions must be traceable and human-reviewable
- Obtain explicit consent: e.g., for personalized recommendations or dynamic pricing
- Conduct a Data Protection Impact Assessment (DPIA): for processing activities with high risks to users' rights
- Implement data minimization and pseudonymization: especially for sensitive information
What Does the EU AI Act Mean for Your Shop?
The EU AI Act - the new EU law regulating Artificial Intelligence - has been in force since August 2024. Online shops using AI (e.g., for product recommendations or dynamic pricing) will face new obligations, depending on the risk level of the deployed system.
Relevant for shop operators:
- Transparency requirements: Users must recognize when interacting with AI - e.g., chatbots or dynamic pricing.
- Documentation: You must document how the AI works, which data it uses, and how decisions are made.
- Human oversight: For sensitive decisions (e.g., order rejections, credit assessments), human intervention must be possible.
Deadlines to note: Rules apply in phases based on risk class - latest by August 2026. Many shops should review processes and tools now.
Tip: Audit AI-based systems early and align them with data protection and IT security measures - this saves effort later and avoids fines.
GDPR Checklist for Online Shops: Keep Your Store Compliant
Download the complete GDPR checklist now and ensure long-term data protection compliance for your online shop.
With this checklist, you have all relevant requirements clearly organized in one place – ideal for daily operations, internal audits, and collaboration with service providers.
Conclusion
GDPR isn't just about compliance - it's a key success factor in e-commerce. Strategic thinking minimizes risks and builds trust with customers, partners, and vendors.
With the right tools, clear processes, and practical implementation, you can keep your shop legally secure long-term while optimizing collaboration with agencies and third parties.
Read more: Part 1 of our blog series: GDPR in E-Commerce - How to Make Your Shop Legally Secure (Part 1).
Disclaimer: This guide is for informational purposes only and does not constitute legal advice. While we strive for accuracy, we assume no liability for completeness or timeliness. Implementation is at your own risk. For legal questions, consult a qualified attorney.
Published on 12.06.2025 | GDPR in E-Commerce (Part 2) | KS