GDPR in E-Commerce: How to Protect your Shop

In this guide, you will find pragmatic solutions for not only implementing data protection in your shop, but also using it to your advantage.

What does the GDPR mean for online shops?

The GDPR (General Data Protection Regulation) has been binding throughout the EU since May 25, 2018 – and is a key issue for online shops. It applies to all companies – regardless of their place of business – that process personal data of customers in the EU. This also affects shops from Switzerland, the US, or the UK, provided they offer their goods or services (even free of charge) to customers in the EU.

What is the aim of the GDPR?

The core objective is to create a uniform data protection standard and give everyone more control over their data – particularly relevant in e-commerce, where large amounts of personal data are processed every day.

What is personal data?

The GDPR defines personal data as any information relating to an identified or identifiable natural person. In the context of an online store, this typically includes:

• First and last name
• Email address
• Phone number
• IP address
• Shipping and billing address
• Payment details (e.g., credit card details, PayPal ID)
• Usage behavior (clicks, purchases, time spent on site)

Device identifiers, location data, and tracking cookies can also be considered personal data if they allow conclusions to be drawn about an individual.

Does the GDPR also apply to small shops?

Yes—there are no exceptions. Even sole traders with a WooCommerce or Shopify shop must fully implement the GDPR as soon as they process personal data from EU citizens. The decisive factor is not the size of the business, but whether data is processed.

What are the consequences of non-compliance?

Anyone who does not comply with the GDPR must expect the following consequences:

• Fines: Up to €20 million or 4% of global annual turnover (source: Article 83 GDPR, eur-lex.europa.eu).
• Warnings – e.g., for missing or incorrect privacy statements
• Legal disputes – e.g., if rights to information or deletion are violated

According to a Cisco study, 96% of German consumers would not buy from a shop they do not trust in terms of data protection (Source: Cisco).

Important terms explained briefly

• Personal data: All information that can identify a person – e.g., name, email address, IP address, payment details.
• Consent (opt-in): Active agreement to the use of data – e.g., by checking a box on a newsletter.
• Legitimate interest: Data processing is permitted if it serves legitimate interests and does not outweigh the rights of the data subjects – e.g., IP storage for fraud prevention.
• Contract processing (CP): Processing of personal data by a service provider (contract processor) on behalf of a company (controller). The contract processor acts exclusively on the instructions of the controller and may not use the data for its own purposes.
• Data subject rights: According to the GDPR, individuals whose data is processed have numerous rights. These include, in particular, the right to information, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, objection, and the right to lodge a complaint with a supervisory authority.

GDPR in practice: Your obligations as a shop operator

The GDPR is not just a bureaucratic monster—it provides you, as a shop operator, with clear rules. If you know and implement these rules, you will not only protect your customers, but also your business.

Here are the four most important principles you need to consider in your online shop:

1. Legality & transparency

You may only process personal data if there is a legal basis for doing so. Particularly relevant for online shops:

• Consent – e.g. for newsletters or tracking
• Contract fulfillment – e.g., for processing orders
• Legitimate interest – e.g. for fraud prevention or IT security

Other legal bases such as vital interests, legal obligations or tasks in the public interest are provided for in the GDPR, but do not generally play a practical role in e-commerce.

Example: On the basis of contract fulfillment, you may use a customer's email address for order confirmation – but not for advertising purposes without consent.

2. Purpose limitation & data minimization

Only collect and use as much data as you really need – and only for the specified purpose.

• No date of birth for a simple product purchase
• No disclosure or use for other purposes without new consent

3. Storage limitation & deletion obligation

Data may not be stored “in reserve.” Once the purpose no longer applies or legal deadlines expire, you must delete it.

Example: Order data must generally be stored for up to ten years due to tax and commercial law regulations – specifically according to § 147 AO (German Fiscal Code) and § 257 HGB (German Commercial Code). After that, the GDPR principle of data minimization applies: Data may not be stored longer than is necessary for the respective purpose – it should therefore be deleted or anonymized after the deadline has expired.

4. Technical & organizational measures (TOMs)

You are obliged to protect data from misuse, loss, or access. This includes, among other things:

• TLS/SSL encryption
• Access controls (e.g., via two-factor authentication)
• Backups and recovery strategies
• Firewalls, monitoring, security updates

Privacy Policy & Consent Management

A GDPR-compliant privacy policy and clear consent management form the basis of any legally compliant data protection strategy in e-commerce.

Privacy Policy: What should it include?

Your privacy policy should not only be available, but also understandable, easy to find, and up to date. It must explain all relevant processing activities transparently—including tools and third-party providers.

Mandatory content of a privacy policy in accordance with Art. 13 GDPR at a glance:

• What personal data is collected? (e.g., name, email address, IP address)
• For what purpose is the data processed? (e.g., order processing, web analysis, marketing)
• On what legal basis is the processing carried out? (e.g., consent, contract fulfillment)
• What legitimate interests are pursued? (if Art. 6 (1) lit. f GDPR is relevant)
• How long is the data stored and according to which criteria is the duration determined?
• Who are the recipients or which categories of recipients receive the data? (e.g., payment services, tracking providers)
• Is data transferred to a third country—and on what legal basis? (e.g., EU-US Data Privacy Framework or standard contractual clauses)
• What rights do data subjects have? (The rights are fixed: information, objection, revocation of consent, correction, deletion/restriction of processing, data portability, complaint to the supervisory authority)
• Is there a right of revocation if consent has been given?
• Are automated decisions, including profiling, carried out?
• Contact details of the controller and, if applicable, the data protection officer

Practical tip: Use generators such as the data protection generator from eRecht24 or Datenschutzexperte.de to create a legally compliant privacy policy.

More on this: Find out how to set up your shop in a legally compliant manner and develop a GDPR-compliant data protection strategy in our guide ➝ Data protection compliance for online shops.

Obtaining consent: How to do it right

Many processes in your shop require active, voluntary, and informed consent, such as:

• Newsletter subscriptions
• Tracking & analysis tools
• Remarketing (e.g., Meta Pixel)
• Integration of external media (e.g., YouTube videos)

Important criteria for valid consent:

• Voluntary – no disadvantages if consent is refused
• Informed – purpose must be clear
• Unambiguous – no pre-ticked checkboxes
• Verifiable – document the time and content
• Revocable – at any time with one click (e.g., via footer link)

Practical example: A double opt-in is mandatory for newsletters – i.e., registration + confirmation by email.

Consent management: Technical implementation

A cookie banner or pop-up alone is not sufficient – the technical implementation must be GDPR & TTDSG compliant.

Your banner must:

• Disable all optional cookies by default
• Offer a real choice (“Reject” ≠ hidden)
• Do not load any scripts before consent
• Show transparently which services are active
• Allow easy modification of the selection (e.g., via footer link “Cookie settings”)

Practical tip: Tools such as Consentmanager or Iubenda offer GDPR- and TTDSG-compliant solutions – including automatic blocking of unauthorized cookies and easy integration into shop systems.

Tracking, newsletters, and remarketing—what is permitted?

Tracking tools, newsletter marketing, and personalized advertising are part of everyday e-commerce – but they invade privacy. The GDPR (and in Germany, the TTDSG) sets clear rules: no consent – ​​no data processing.

Newsletter: Only with double opt-in

Email marketing is effective – but only permitted if recipients have actively consented.

What you need to pay attention to:

• Double opt-in: Registration + confirmation link in the email
• No hidden or pre-checked boxes: Consent must be actively given – check boxes must not be pre-selected.
• Clear reference to purpose, content, and frequency: e.g. B. "Monthly technical information about our products and services"
• Every newsletter requires an unsubscribe link

Tip: Email marketing tools such as Mailchimp or CleverReach store all consents in compliance with the law.

Web tracking: Only after active consent

Tools such as Google Analytics, Meta Pixel, or Hotjar collect personal data – such as IP addresses, usage behavior, or cookies. To ensure that such tools can be used in compliance with the GDPR, the following applies:

• Only activate tracking after consent: Scripts may only be loaded if valid consent has been given – e.g., via a consent banner.
• Anonymize IP addresses: IP anonymization is mandatory for Google Analytics 4 and should be configured correctly.
• Log consents: Use a consent management platform such as Consentmanager or Iubenda to document consents in a transparent manner.
• Secure data transfers to third countries: If personal data is transferred to a third country, appropriate safeguards must be in place – e.g., Standard Contractual Clauses (SCCs). For US providers, also check whether they are certified according to the EU-US Data Privacy Framework.

Alternative: GDPR-friendly tools such as Matomo or Piwik PRO,, which are best run on your own servers or at least hosted within the EU.

Remarketing & Retargeting: Only with opt-in

Remarketing via, for example, Meta, TikTok, or Google Ads uses cookies, IDs, and user data – therefore strictly regulated:

• Only activate after opt-in for marketing cookies
• Specify in the privacy policy
• Conclude a data processing agreement (DPA) with providers – and additionally use standard contractual clauses (SCCs) for providers from third countries
• The same obligations also apply to server-to-server solutions (e.g., Meta Conversions API)!

Think outside the box: Data protection worldwide

Data protection laws also apply outside the EU – with some significantly different rules:

• USA – CCPA (California Consumer Privacy Act): Opt-out model – users must object to data processing instead of actively consenting to it.
• Brazil – LGPD (Lei Geral de Proteção de Dados): Very similar to the GDPR, but with its own requirements for data protection officers (DPO).
• China – PIPL (Personal Information Protection Law): Particularly strict rules for sensitive data. Government approval is required for data transfers abroad.

Tip: Anyone selling internationally should adapt their consent management and privacy policy to the respective legal requirements in the target market.

Technical security – hosting, access & backups

Data protection is not only a legal responsibility, but also a technical one. The GDPR requires online shops to protect personal data from loss, unauthorized access, or manipulation through technical and organizational measures (TOMs).

Encryption: Your first line of defense

What is mandatory:

• TLS/SSL encryption for all connections → Your website must be accessible via https://
• End-to-end encryption for particularly sensitive data (e.g., payment information)
• Database encryption with, for example, AES-256 standard

Practical example: Payment data in the checkout is transmitted via TLS, stored pseudonymously, and deleted after processing.

Access control & identity management

Not every employee should have access to all customer data. That is why the GDPR requires a concept for role-based access control (RBAC).

Your tasks as a shop operator:

• Restrict access rights: Only those who need data should be able to see it.
• Secure admin areas with 2FA – e.g., via an authenticator app or YubiKey.
• Lock or log out of sessions regularly (session timeouts).
• Implement password management: Complex, regularly rotating access data.

Tip: Password managers such as 1Password or Bitwarden make it easier to manage logins securely.

Backups & emergency plans

Data loss can occur for a variety of reasons – whether due to technical errors, ransomware attacks, or human error. In an emergency, backups not only save your shop's operations, but also your GDPR compliance.

Best practices for backups:

• Regular incremental backups of your database and systems
• Encrypted offsite backups, e.g., in a second data center
• Geo-redundant storage (at least EU-based, ISO 27001-certified)
• Disaster recovery tests: A backup is only good if it can be restored

Hosting: Why your provider must be GDPR-compliant

A secure online shop starts with the foundation—hosting. According to the GDPR, hosting providers are generally considered processors because they process personal data on behalf of others, regardless of whether they actively access it. This means:

• You must conclude a data processing agreement (DPA) in accordance with Art. 28 GDPR.
• The provider should host in compliance with GDPR – ideally within the EU.
• Certifications such as [ISO 27001](https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Zertifizierung-und-Anerkennung/Zertifizierung-von-Managementsystemen/ISO-27001-Basis-IT-Grundschutz/iso -27001-basis-it-grundschutz_node.html) or SOC 2 provide additional security.

An example of GDPR-compliant managed hosting is maxcluster, which offers the following security measures:

• ISO 27001-certified data centers for maximum security.
• Regular backups & redundant infrastructure to prevent data loss.
• Encrypted storage and differentiated authorization management to control data access.

Payment processing & third-party providers – what you need to look out for

Payment processes are particularly sensitive: they involve personal data, payment information, and security requirements. If you use third-party providers such as PayPal, Klarna, Stripe, or Amazon Pay, you need to know exactly who is responsible for what—and whether the GDPR is being complied with.

Who is responsible?

A common misconception: Payment providers such as PayPal, Klarna, or Stripe are not automatically data processors. In practice, they usually act as independent controllers – for example, in payment processing, credit checks, or fraud detection.

What you should do:

• Check the legal status of each provider
• Conclude a data processing agreement if necessary
• Provide transparent information in your privacy policy:

1. Which payment services you use
2. Why data is processed
3. Whether data is transferred to third countries
4. Link to the providers' privacy policies

Technical security: Protect payment data

In addition to transparency, the GDPR also requires technical protective measures, in particular:

• TLS/SSL encryption for all payment pages
• PCI DSS-compliant gateways if you offer credit card payments
• Tokenization: Do not store credit card data, but replace it with tokens
• Activate 3D Secure (e.g., for Visa & Mastercard)

More on this: Find out how to ensure PCI DSS compliance in your online shop in our article ➝ PCI DSS: What e-commerce retailers need to know!

Data minimization: Less is more

Only pass on the data that is really necessary for payment processing.

Examples:

• Do not transmit your phone number to PayPal if it is not required.
• Only transmit address data if it is necessary for risk assessment or authentication.

Regularly check your interfaces, payment plugins, and the fields transmitted—especially for automated interfaces.

Accessibility & data protection—mandatory from 2025

From June 28, 2025, accessibility will become a legal requirement for many online shops – based on the Barrier-Free Accessibility Act (BFSG). The aim is to enable people with disabilities to have equal access to digital services.

What does this mean for your shop?

In future, websites must be operable via keyboard, logically structured and provided with alt text, among other things. Particularly critical: form fields, cookie banners and login processes – they must also be usable for screen readers or assistive technologies.

Data protection and accessibility are intertwined here, e.g. in the display of consent banners or the use of data protection-compliant CAPTCHA alternatives.

Tip: Use accessibility checks (e.g., Google Lighthouse, WAVE) to identify weaknesses and make adjustments at an early stage.

Detailed implementation tips and practical examples can be found in the article Accessible online shop: How to implement the requirements.

Internal Accountability: Don't forget!

The GDPR not only requires secure processes – you must also document them clearly. Specifically, this means:

• Review and keep data protection agreements with all service providers up to date
• Record consents in an audit-proof manner
• Record data protection processes (e.g., deletion routines, access controls) in writing
• Update internal data protection policies regularly and communicate them within the team

Tip: Use templates from the BfDI or tools such as DataGuard, heyData, or pridatect to reduce the effort.

Conclusion

The GDPR sets clear requirements for data protection in e-commerce – from a transparent privacy policy and sound consent management to technical protective measures such as encryption and access control. Those who take these requirements seriously not only protect customer data but also fulfill their legal obligations and strengthen customer trust.

Data protection is not a one-time project – but an ongoing process that must be regularly reviewed and adjusted.

Note: The content of this blog post is for general information purposes only and does not constitute legal advice. Although we strive to keep the information provided up-to-date and correct, we assume no liability for its accuracy, completeness, or timeliness. The implementation of legal requirements is at your own risk. For specific legal questions, we recommend consulting a qualified legal advisor.

Published on 22.05.2025 | GDPR in E-Commerce: How to Protect Your Shop | KS