GDPR in E-Commerce: How to protect your store

You integrate new tools, improve the UX - but do you also keep an eye on data protection? Many GDPR traps lurk in the details: in web tracking, in plugins or in the transfer of payment data.
This guide provides you with pragmatic solutions on how to not only implement data protection in your store, but use it as a real advantage.
What does the GDPR mean for online stores?
The GDPR (General Data Protection Regulation) has been binding throughout the EU since May 25, 2018 - and is a key issue for online stores. It applies to all companies - regardless of where they are based - that process the personal data of customers in the EU. This therefore also applies to stores from Switzerland, the USA or the UK, provided they offer their goods or services (including free of charge) to customers in the EU.
What is the aim of the GDPR?
The core objective is to create a uniform data protection standard and give everyone more control over their data - particularly relevant in e-commerce, where large amounts of personal data are processed every day.
What is personal data?
The GDPR defines personal data as any information relating to an identified or identifiable natural person. In the context of an online store, this typically includes:
- First name and surname
- E-mail address
- Phone number
- IP address
- Delivery and billing address
- Payment data (e.g. credit card data, PayPal ID)
- Usage behavior (clicks, purchases, length of stay)
Device identifiers, location data or tracking cookies can also be personal data - if they allow conclusions to be drawn about a person.
Does the GDPR also apply to small stores?
Yes - there are no exceptions. Even sole traders with a WooCommerce or Shopify store must fully implement the GDPR as soon as they process the personal data of people in the EU (the regulation protects data subjects in the EU, not only EU citizens). The decisive factor is not the size of the business, but whether personal data is processed.
What are the penalties for violations?
Anyone who does not comply with the GDPR must expect the following consequences:
- Fines: Up to €20 million or 4% of annual global turnover (source: Article 83 GDPR, eur-lex.europa.eu).
- Warning letters - e.g. for missing or incorrect privacy policy
- Legal disputes - e.g. if rights of access or erasure are violated
According to a Cisco study, 96% of German consumers would not buy from a store that they did not trust in terms of data protection (source: Cisco).
Important terms briefly explained
- Personal data: All information that can identify a person - e.g. name, email, IP address, payment data.
- Consent (opt-in): Active consent to the use of data - e.g. by ticking a box in the newsletter.
- Legitimate interest: Data processing is permitted if it serves the legitimate interests of the controller and those interests are not overridden by the interests or fundamental rights of the data subjects - e.g. storing IP addresses for fraud prevention.
- Processing on behalf (Auftragsverarbeitung, AV): Processing of personal data by a service provider (processor) on behalf of a company (controller). The processor acts exclusively on the instructions of the controller and may not use the data for its own purposes.
- Rights of data subjects: Persons whose data is processed have numerous rights under the GDPR. These include, in particular, the right of access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, objection and the right to lodge a complaint with a supervisory authority.
GDPR in practice: Your obligations as a store operator
The GDPR is not just a bureaucratic monster - it provides you as a store operator with clear rules. If you know and implement them, you not only protect your customers, but also your business.
Here are the four most important principles that you must observe in your online store:
1. Lawfulness & transparency
You may only process personal data if there is a legal basis for doing so. Particularly relevant for online stores:
- Consent - e.g. for newsletters or tracking
- Contract fulfillment - e.g. for processing orders
- Legitimate interest - e.g. for fraud prevention or IT security
Other legal bases such as vital interests, legal obligations or tasks in the public interest are provided for in the GDPR, but do not usually play a practical role in e-commerce.
Example: On the basis of contract fulfillment, you may use a customer's email address for order confirmation - but not for advertising purposes without consent.
2. Purpose limitation & data minimization
Only collect and use as much data as you really need - and only for the stated purpose.
- No date of birth for a simple product purchase
- No disclosure or use for other purposes without new consent
3. Storage limitation & deletion obligation
Data may not be stored “in reserve”. As soon as the purpose no longer applies or legal deadlines expire, you must delete it.
Example: Order data must generally be retained for several years under tax and commercial law - six to ten years depending on the document type, specifically according to Section 147 AO (German Fiscal Code) and Section 257 HGB (German Commercial Code). The retention period starts at the end of the calendar year in which the record was created. After that, the GDPR principle of storage limitation applies: the data may not be kept for longer than is necessary for the respective purpose, so once the deadline has expired it must be deleted or irreversibly anonymized - keeping only the accounting facts (amounts, VAT, date, order number) and overwriting everything that identifies the customer.
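The following is an added example, not code from the original post: a small retention job that computes the end of the retention period the way Section 147 AO counts it (from the end of the calendar year), skips orders under a legal hold, and anonymizes the rest by overwriting the identifying fields instead of hashing them. The ten-year period, the field names and the sample orders are assumptions for illustration; confirm the period that applies to each document type with your tax adviser.

```javascript
// Added example, not code from the original post: a retention check and an
// irreversible anonymisation step for completed orders. The ten-year period,
// the field names and the sample orders are assumptions for illustration.
const RETENTION_YEARS = 10;

// Section 147(4) AO: the period starts at the end of the calendar year in
// which the record was created, so an order from 2015-03-01 is kept until
// 2025-12-31, not until 2025-03-01.
function retentionEnds(orderDate, years = RETENTION_YEARS) {
  const d = new Date(orderDate);
  return new Date(Date.UTC(d.getUTCFullYear() + years, 11, 31, 23, 59, 59, 999));
}

function retentionExpired(orderDate, now = new Date()) {
  return now.getTime() > retentionEnds(orderDate).getTime();
}

// Fields that identify the customer. Amounts, VAT, country, order number and
// date stay because they are the accounting record itself.
const PERSONAL_FIELDS = ["customerId", "customerName", "email", "phone",
                         "shippingAddress", "billingAddress", "ip"];

// Overwrite, do not hash: a hash of an e-mail address is still pseudonymous
// data and can be reversed by anyone holding a list of addresses.
function anonymizeOrder(order, now = new Date()) {
  const out = { ...order };
  for (const f of PERSONAL_FIELDS) if (f in out) out[f] = null;
  out.anonymizedAt = now.toISOString();
  return out;
}

// One run of the deletion routine. Orders under a legal hold (open dispute,
// audit, chargeback) are skipped even if the period has expired.
function runRetentionJob(orders, now = new Date()) {
  const anonymized = [], kept = [];
  for (const o of orders) {
    if (retentionExpired(o.orderDate, now) && !o.legalHold && !o.anonymizedAt) {
      anonymized.push(anonymizeOrder(o, now));
    } else {
      kept.push(o);
    }
  }
  return { anonymized, kept };
}

// Constructed sample data.
const SAMPLE_ORDERS = [
  { orderNo: "A-1001", orderDate: "2014-11-20", total: 49.9, vat: 7.97, country: "DE",
    customerId: 17, customerName: "Erika Mustermann", email: "erika@example.com", ip: "198.51.100.7" },
  { orderNo: "A-1002", orderDate: "2014-12-05", total: 120, vat: 19.16, country: "AT",
    customerId: 23, customerName: "Max Mustermann", email: "max@example.com", legalHold: true },
  { orderNo: "A-2345", orderDate: "2023-02-14", total: 15, vat: 2.39, country: "DE",
    customerId: 17, customerName: "Erika Mustermann", email: "erika@example.com" },
];

const demoResult = runRetentionJob(SAMPLE_ORDERS, new Date("2025-06-01T00:00:00Z"));
console.log("anonymised:", demoResult.anonymized.map((o) => o.orderNo),
            "kept:", demoResult.kept.map((o) => o.orderNo));
```

Run against the constructed sample on 2025-06-01, only A-1001 is anonymized: A-1002 is just as old but under a legal hold, and A-2345 is still within its period. Schedule the job so that the same rule is also applied to exports and backups, otherwise the "deleted" data survives there.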
4. Technical & organizational measures (TOMs)
You are obliged to protect data from misuse, loss or access. This includes, among other things:
- TLS/SSL encryption
- Access controls (e.g. via 2-factor authentication)
- Backups and recovery strategies
- Firewalls, monitoring, security updates
Privacy policy & consent management
A GDPR-compliant privacy policy and clean consent management are the basis of any legally compliant data protection strategy in e-commerce.
Privacy policy: What should be included?
Your privacy policy should not only be available, but also understandable, easy to find and up-to-date. It must transparently explain all relevant processing activities - including tools and third-party providers.
Overview of the mandatory content of a privacy policy in accordance with Art. 13 GDPR:
- What personal data is collected? (e.g. name, email address, IP address)
- What is the purpose of the processing? (e.g. order processing, web analysis, marketing)
- What is the legal basis for the processing? (e.g. consent, fulfillment of contract)
- Which legitimate interests are being pursued? (if Art. 6 para. 1 lit. f GDPR is relevant)
- How long will the data be stored or what criteria are used to determine the duration?
- Who are the recipients or which categories of recipients receive the data? (e.g. payment services, tracking providers)
- Is data transferred to a third country - and on what legal basis? (e.g. EU-US Data Privacy Framework or standard contractual clauses)
- What rights do data subjects have? (access, rectification, erasure/restriction of processing, data portability, objection, withdrawal of consent and complaint to a supervisory authority)
- Is there a right to withdraw consent?
- Are automated decisions including profiling carried out?
- Contact details of the controller and, if applicable, the data protection officer
Practical tip: Use generators such as the Datenschutz-Generator from eRecht24 or Datenschutzexperte.de to create a legally compliant privacy policy.
Find out more: You can find out how to set up your store in a legally compliant manner and develop a GDPR-compliant data protection strategy in our guide ➝ Data protection compliance for online stores.
Obtaining consent: how to do it right
Many processes in your store require active, voluntary and informed consent - for example for
- Newsletter registrations
- Tracking & analysis tools
- Remarketing (e.g. Meta Pixel)
- Integration of external media (e.g. YouTube videos)
Important criteria for valid consent:
- Voluntary - No disadvantages for refusal
- Informed - Purpose must be clear
- Unambiguous - A clear affirmative action, no pre-ticked boxes
- Verifiable - Document time & content
- Revocable - At any time with one click (e.g. via footer link)
Practical example: In practice a double opt-in is mandatory for the newsletter - i.e. registration + confirmation via a link sent by e-mail - because it is the only way to prove that the owner of the address actually consented. Until the link is clicked, the address must not be added to the list.
Consent management: technically correct implementation
A cookie banner or pop-up alone is not enough - the technical implementation must comply with the GDPR and the TTDSG (renamed TDDDG in May 2024).
Your banner must:
- Keep all optional cookies and scripts off by default
- Offer a real choice ("Reject" must be as visible and as easy to click as "Accept", not hidden behind a settings page)
- Not load any third-party script before consent has been given
- Show transparently which services are active
- Allow the selection to be changed easily at any time (e.g. via a "Cookie settings" link in the footer)
Practical tip: Tools such as Consentmanager or Iubenda offer GDPR and TTDSG-compliant solutions - including automatic blocking of cookies that are not permitted and simple integration into store systems.
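To make the banner requirements above concrete, here is an added example that is not code from the original post or from any of the consent tools it names: a minimal consent-gated loader. Every optional service stays off until the visitor has made an explicit decision, the decision is stored with a timestamp and a version so that a change to the service list invalidates old consents, and withdrawal is a first-class operation. The service names, purposes and script URLs are placeholders, and storage and script injection are passed in so the same logic runs in the browser and in an offline test.

```javascript
// Added example, not code from the original post or from any consent tool it
// names. Service names, purposes and script URLs below are assumed placeholders.
const CONSENT_VERSION = 2;          // bump whenever services or purposes change
const CONSENT_KEY = "shop_consent";

const SERVICES = {
  analytics:  { purpose: "analytics", src: "https://example.com/analytics.js" },
  adsPixel:   { purpose: "marketing", src: "https://example.com/pixel.js" },
  videoEmbed: { purpose: "media",     src: "https://example.com/player.js" },
};

// In the browser pass window.localStorage; this in-memory stand-in has the
// same getItem/setItem/removeItem shape and is used for the offline run.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Browser injector: only ever called once a purpose is allowed.
function browserInjectScript(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

function createConsentManager({ storage, injectScript, now = () => Date.now() }) {
  const loaded = new Set();

  // A stored decision counts only if it is well-formed and was given for the
  // current version; anything else means the banner must be shown again.
  function current() {
    let raw;
    try { raw = JSON.parse(storage.getItem(CONSENT_KEY)); } catch (_) { return null; }
    if (!raw || raw.version !== CONSENT_VERSION || typeof raw.purposes !== "object") return null;
    return raw;
  }

  // Record an explicit choice. Every purpose the visitor did not actively
  // enable is stored as false: nothing is pre-ticked, "reject" is a real option.
  function decide(choices) {
    const purposes = {};
    for (const s of Object.values(SERVICES)) purposes[s.purpose] = choices[s.purpose] === true;
    const record = { version: CONSENT_VERSION, timestamp: now(), purposes };
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    return record;
  }

  function isAllowed(purpose) {
    const c = current();
    return !!(c && c.purposes[purpose] === true);
  }

  // Load the scripts of allowed purposes, each at most once; returns what this
  // call loaded. With no valid decision stored it loads nothing.
  function apply() {
    const out = [];
    for (const [name, s] of Object.entries(SERVICES)) {
      if (loaded.has(name) || !isAllowed(s.purpose)) continue;
      injectScript(s.src);
      loaded.add(name);
      out.push(name);
    }
    return out;
  }

  // Withdrawal forgets the decision and returns the services already running:
  // a script that has executed cannot be unloaded, so the caller must delete
  // the cookies those services set and reload the page.
  function withdraw() {
    storage.removeItem(CONSENT_KEY);
    return [...loaded];
  }

  return { current, decide, isAllowed, apply, withdraw,
           needsBanner: () => current() === null,
           activeServices: () => [...loaded] };
}

// Offline walk-through with constructed input.
const demo = createConsentManager({ storage: memoryStorage(), injectScript: (src) => console.log("load", src) });
console.log("banner needed:", demo.needsBanner(), "loaded before decision:", demo.apply());
demo.decide({ analytics: true });
console.log("after analytics-only consent:", demo.apply(), "marketing allowed:", demo.isAllowed("marketing"));
console.log("withdrawn, services to clean up:", demo.withdraw());
```

Wire `decide` to the Accept/Reject/Save buttons of your banner and `apply` to page load and to each decision; the "Cookie settings" footer link simply calls `withdraw` and shows the banner again. The version check is what keeps you honest when a new pixel is added: old consents do not silently cover it.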
Tracking, newsletters & remarketing - what is allowed?
Tracking tools, newsletter marketing and personalized advertising are part of everyday e-commerce - but they encroach on privacy. The GDPR (and in Germany also the TTDSG) sets out clear rules: no data processing without consent.
Newsletter: only with double opt-in
Email marketing is effective - but only permitted if recipients have actively consented.
What you need to look out for:
- Double opt-in: registration + confirmation link in the email
- No hidden or pre-ticked checkboxes: Consent must be actively given - checkmarks must not be preselected.
- Clear indication of purpose, content and frequency: e.g. “Monthly technical information on our products and services”
- Every newsletter needs an unsubscribe link
Tip: Email marketing tools such as Mailchimp or CleverReach store all consents in a legally compliant manner.
Web tracking: Only after active consent
Tools such as Google Analytics, Meta Pixel or Hotjar collect personal data - such as IP addresses, user behavior or cookies. The following applies so that such tools can be used in compliance with the GDPR:
- Activate tracking only after consent: Scripts may only be loaded if valid consent has been given - e.g. via a consent banner.
- Anonymize IP addresses: Google Analytics 4 does not log or store full IP addresses and no longer offers a setting for it; for other tools (and for the old Universal Analytics, where the flag had to be set manually) check that IP anonymization or truncation is actually switched on.
- Log consents: Use a consent management platform such as Consentmanager or Iubenda to document consents in a traceable manner.
- Secure data transfer to third countries: If personal data is transferred to a third country, suitable guarantees must be in place - e.g. Standard Contractual Clauses (SCCs). In the case of US providers, also check whether they are certified in accordance with the EU-US Data Privacy Framework.
Alternative: GDPR-friendly tools such as Matomo or Piwik PRO, which are best operated on your own servers or at least hosted within the EU.
Remarketing & retargeting: only with opt-in
Remarketing via e.g. Meta, TikTok or Google Ads uses cookies, IDs and user data - therefore strictly regulated:
- Only activate after opt-in for marketing cookies
- Mention in the privacy policy
- Conclude a processing agreement (AVV) with the provider - or, where the provider determines purposes itself (as Meta does for its business tools), a joint controllership agreement under Art. 26 GDPR - and use standard contractual clauses (SCCs) for providers in third countries
- The same obligations apply to server-to-server solutions (e.g. the Meta Conversions API): moving the tracking from the browser to your backend does not remove the need for consent
Thinking outside the box: data protection worldwide
Data protection laws also apply outside the EU - in some cases with significantly different rules:
- USA - CCPA (California Consumer Privacy Act): opt-out model - users must object to data processing instead of actively consenting to it.
- Brazil - LGPD (Lei Geral de Proteção de Dados): Very similar to the GDPR, but with its own requirements for data protection officers (DPO).
- China - PIPL (Personal Information Protection Law): Particularly strict rules for sensitive data. Transfers abroad require one of the prescribed mechanisms - a security assessment by the Cyberspace Administration of China, a standard contract or a certification.
Tip: If you sell internationally, you should adapt your consent management and privacy policy in particular to the respective legal requirements in the target market.
Technical security - hosting, access & backups
Data protection is not only a legal responsibility, but also a technical one. The GDPR obliges online stores to protect personal data from loss, unauthorized access or manipulation through technical and organizational measures (TOMs).
Encryption: your first line of defense
What is mandatory:
- TLS/SSL encryption for all connections → Your website must be accessible via https://
- End-to-end encryption for particularly sensitive data (e.g. payment information)
- Database encryption with e.g. AES-256 standard
Practical example: Card data in the checkout is entered in the payment provider's hosted form or iframe and transmitted to the provider over TLS; your store keeps only the provider's token, never the card number, and deletes transaction details once they are no longer needed for the order.
Access control & identity management
Not every employee should have access to all customer data. Art. 32 GDPR requires access controls appropriate to the risk; in practice this means a role-based access control (RBAC) concept.
Your tasks as a store operator:
- Restrict access rights: Only those who need data may see it.
- Secure admin areas with 2FA - e.g. via Authenticator app or YubiKey.
- Lock or log out of sessions regularly (session timeouts).
- Implement password management: long, unique passwords for every account, kept in a password manager; change them when a compromise is suspected rather than on a fixed schedule, which only produces weaker, predictable variants.
Tip: Password managers such as 1Password or Bitwarden make it easier to manage logins securely.
Backups & emergency plans
Data loss can happen for various reasons - whether due to technical errors, ransomware attacks or human error. Backups not only save store operations in an emergency, but also GDPR compliance.
Best practices for backups:
- Regular incremental backups of your database and systems
- Encrypted offsite backups, e.g. in a second data center
- Georedundant storage (at least EU-based, ISO 27001-certified)
- Disaster recovery tests: Backup is only good if it can be restored
Hosting: Why your provider must be GDPR-compliant
A secure online store starts with the foundation - hosting. Hosting providers are generally considered processors under the GDPR, as they process personal data on behalf of others - regardless of whether they actively access it. This means:
- You must conclude an order processing contract (AVV) in accordance with Art. 28 GDPR.
- The provider should host in compliance with the GDPR - ideally within the EU.
- Certifications such as ISO 27001 or SOC 2 provide additional security.
An example of GDPR-compliant managed hosting is maxcluster, which offers the following security measures:
- ISO 27001-certified data centers for maximum security.
- Regular backups & redundant infrastructure to prevent data loss.
- Encrypted storage and differentiated authorization management to control data access.
Payment processing & third-party providers - what you need to look out for
Payment processes are particularly sensitive: this is where personal data, payment information and security requirements come together. If you use third-party providers such as PayPal, Klarna, Stripe or Amazon Pay, you need to know exactly who is responsible for what - and whether the GDPR is being complied with.
Who is responsible?
A common misconception is that payment providers such as PayPal, Klarna or Stripe are always processors. In practice they usually act as independent controllers - for example for payment processing, credit checks or fraud detection.
What you should do:
- Check the legal status of each provider
- If necessary, conclude an AV contract
- Provide transparent information in the privacy policy:
○ Which payment services you use
○ Why data is processed
○ Whether data transfer to third countries takes place
○ Link to the privacy policies of the providers
Technical security: protecting payment data
In addition to transparency, the GDPR also requires technical security measures, in particular
- TLS/SSL encryption for all payment pages
- PCI DSS-compliant payment gateways if you accept card payments; card numbers should never pass through your own servers (use the provider's hosted fields, iframe or redirect)
- Tokenization: Do not store credit card data, but replace it with tokens
- Enable 3D Secure (e.g. for Visa & Mastercard)
Read more: Find out how to ensure PCI-DSS compliance in your online store in our article ➝ PCI-DSS: What e-commerce merchants need to know!
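Tokenization is only as good as your verification that no card number slipped past it into the orders table, the application log or a support note. The following is an added example, not code from the original post: a detective control that scans records and log lines for digit runs that look like a card number and pass the Luhn check, and reports them masked to first-6/last-4. The sample records are constructed and use publicly documented test card numbers.

```javascript
// Added example, not code from the original post: a detective control for the
// "never store card numbers" rule. The sample records below are constructed.
function luhnValid(digits) {
  let sum = 0, double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let n = digits.charCodeAt(i) - 48;
    if (double) { n *= 2; if (n > 9) n -= 9; }
    sum += n;
    double = !double;
  }
  return sum % 10 === 0;
}

// Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
// not part of a longer digit run.
const PAN_CANDIDATE = /(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])/g;

// Findings show only the first 6 and last 4 digits, the display form PCI DSS allows.
function mask(digits) {
  return digits.slice(0, 6) + "*".repeat(digits.length - 10) + digits.slice(-4);
}

function findPans(text) {
  const hits = [];
  for (const m of String(text).matchAll(PAN_CANDIDATE)) {
    const digits = m[0].replace(/[ -]/g, "");
    if (digits.length < 13 || digits.length > 19 || !luhnValid(digits)) continue;
    hits.push({ index: m.index, masked: mask(digits) });
  }
  return hits;
}

// Walk every string field of every record (rows exported from the orders
// table, lines from the application log) and report where a PAN appeared.
function scanRecords(records) {
  const findings = [];
  for (const r of records) {
    for (const [field, value] of Object.entries(r)) {
      if (typeof value !== "string") continue;
      for (const h of findPans(value)) findings.push({ id: r.id, field, masked: h.masked });
    }
  }
  return findings;
}

// Constructed sample: one clean order, one PAN in a free-text note, one
// Luhn-invalid digit run (ignored) and one PAN in a debug log line.
const SAMPLE_RECORDS = [
  { id: "A-2345", paymentToken: "tok_7f3c9a2b", note: "" },
  { id: "A-2346", paymentToken: "", note: "customer read out 4111 1111 1111 1111 on the phone" },
  { id: "log-1", line: "2025-05-22T10:14:03Z checkout order=A-2347 amount=1234567890123456" },
  { id: "log-2", line: "2025-05-22T10:15:11Z debug card=5555-5555-5555-4444 exp=12/27" },
];

console.log(scanRecords(SAMPLE_RECORDS));
```

Run it over a database export and over log archives and backups, not just the live tables; the two places card numbers usually leak are free-text fields filled by support staff and verbose debug logging around the checkout. Luhn filtering keeps timestamps and order numbers out of the findings, but treat every hit as an incident until proven otherwise.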
Data minimization: less is more
Only pass on the data that is really necessary for payment processing.
Examples:
- Do not send a telephone number to PayPal if it is not required
- Only transmit address data if it is required for risk assessment or authentication
Regularly check your interfaces, payment plugins and the transmitted fields - especially for automated interfaces.
Accessibility & data protection - mandatory from 2025
From June 28, 2025, accessibility will become a legal requirement for many online stores under the Barrierefreiheitsstärkungsgesetz (BFSG, the German Accessibility Strengthening Act). The aim is to give people with disabilities equal access to digital services.
What does this mean for your store?
In future, websites must be keyboard accessible, logically structured and have alt text, among other things. Particularly critical: form fields, cookie banners and login processes - they must also be usable for screen readers or assistive technologies.
Data protection and accessibility go hand in hand here, e.g. when displaying consent banners or using data protection-compliant CAPTCHA alternatives.
Tip: Use accessibility checks (e.g. Google Lighthouse, WAVE) to identify weaknesses and adapt them at an early stage.
You can find detailed implementation tips and practical examples in the article Barrier-free online store: How to implement the requirements.
Internal accountability: don't forget!
The GDPR not only requires secure processes - you must also document them in a comprehensible manner. Specifically, this means:
- Checking data processing contracts with all service providers and keeping them up to date
- Log consents in an audit-proof manner
- Record data protection processes (e.g. deletion routines, access controls) in writing
- Regularly update internal data protection guidelines and communicate them within the team
Tip: Use templates from the BfDI or tools such as DataGuard, heyData or pridatect to reduce the effort.
Conclusion
The GDPR places clear requirements on data protection in e-commerce - from a transparent privacy policy and clean consent management to technical protective measures such as encryption and access control. Those who take these requirements seriously not only protect customer data, but also fulfill their legal obligations and strengthen customer trust.
Data protection is not a one-off project - it is a continuous process that needs to be regularly reviewed and adapted.
Note: The contents of this blog post are for general information purposes only and do not constitute legal advice. Although we endeavor to keep the information provided up to date and correct, we assume no liability for its accuracy, completeness or timeliness. The implementation of legal requirements is at your own risk. For specific legal questions, we recommend consulting an expert legal advisor.
Published on 22.05.2025 | GDPR in e-commerce: How to protect your store | KS