Running an online store inevitably involves processing the personal data of customers — from order placement, through payment and delivery, to returns and marketing communications. Each of these stages is a separate processing activity requiring an appropriate legal basis, a privacy notice, and in many cases a separate consent.
GDPR ecommerce compliance is one of the areas where non-compliance is relatively easy to detect — both by supervisory authorities and by customers themselves. Data protection authorities across Europe increasingly audit online stores and issue fines not only for data breaches but for incorrect cookie banners, missing opt-out mechanisms for marketing, and outdated privacy policies.
This article covers all the key GDPR obligations for online store owners — practically and without unnecessary legal jargon.
What personal data does an online store process
Before addressing specific obligations, it is worth mapping what data the store actually processes. This is the starting point for all GDPR documentation.
A typical online store processes personal data across at least several areas:
Order fulfilment — name, delivery address, email address, phone number, invoice data (including VAT number for business customers).
Payments — data required to process transactions, passed to payment operators. The store typically does not store card data — this is handled by the payment operator as a separate controller or processor.
Customer accounts — order history, saved addresses, preferences. Data is processed for the duration of the account and for the required period after its deletion.
Newsletter and marketing — email address, first name, purchase history (where profiling is used). Requires a separate consent.
Analytics and cookies — IP address, session data, user behaviour on the site. Requires a properly implemented cookie banner.
Returns and complaints — correspondence data, product information, bank account details for refunds.
Couriers and fulfilment partners — customer data passed to delivery companies to fulfil orders.
Each of these areas is a separate processing activity with its own legal basis and retention period.
Privacy policy — the information obligation towards customers
A privacy policy is not a document for lawyers — it is a tool for informing customers about what happens to their data. Under GDPR, every customer must be informed about the processing of their personal data before or at the point of collection.
The privacy policy of an online store must include:
- the controller’s details (name, address, contact information),
- the DPO’s contact details — if the store has appointed one,
- the purposes and legal bases for processing for each data category,
- information about recipients of data (courier companies, payment operators, mailing systems),
- information about data transfers outside the EEA (e.g. US-based tools),
- data retention periods,
- data subject rights (access, rectification, erasure, objection, portability),
- the right to lodge a complaint with the supervisory authority,
- information about cookies and profiling.
The most common mistake: a copied template describing tools the store does not use, or failing to mention those it actually does. A privacy policy must be tailored to the specific store.
Legal bases for processing data in ecommerce
For every processing activity, the store owner must identify the correct legal basis. In ecommerce, the following legal bases are the ones most commonly relied on:
Performance of a contract (Article 6(1)(b)) — data necessary to fulfil the order: delivery address, invoice data, information needed for payment processing and returns. No separate consent is required.
Legal obligation (Article 6(1)(c)) — data required by law: issuing and archiving invoices for five years, data for tax purposes.
Legitimate interest (Article 6(1)(f)) — direct marketing to existing customers (subject to the right to object), pursuing legal claims, fraud prevention and transaction security.
Consent (Article 6(1)(a)) — newsletter for new subscribers, analytical and marketing cookies, advertising profiling.
A frequent mistake is collecting consent for everything — including order fulfilment. Consent to process data for the purpose of completing an order is invalid, because the person has no real choice: without providing a delivery address, the order cannot be fulfilled.
Cookies in an online store — the banner and consent management
An online store almost always uses cookies — for shopping cart sessions, analytics (Google Analytics, Hotjar), remarketing (Meta Pixel, Google Ads), and product recommendation systems.
Strictly necessary cookies (session, cart, login) do not require consent. All others — analytical, marketing, profiling — require active, freely given consent from the user before they are activated.
A compliant cookie banner in an online store must:
- offer an equivalent option to accept and decline,
- not activate tracking scripts before consent is given,
- allow granular selection of cookie categories,
- allow consent to be withdrawn at any time.
Supervisory authorities have issued fines against ecommerce stores for banners that offered only an “Accept” button with no decline option. Full guidance on correct implementation is in the article on GDPR cookie banners.
Newsletter and marketing — consent and its documentation
Email marketing in an online store requires particular attention, because GDPR and ePrivacy rules overlap here.
For new subscribers — people who are not yet customers — an explicit consent to marketing communications is required. The checkbox must be:
- unchecked by default (no pre-ticked boxes),
- separate from agreement to the terms and conditions and privacy policy,
- clearly described (specifying what the subscriber will receive),
- easy to withdraw via an unsubscribe link in every email.
For existing customers who have purchased similar products, the store may send marketing on the basis of legitimate interest — but must inform them of this basis and provide an easy opt-out.
Marketing consents must be documented: when they were given, by whom, in which version of the form, and for what exactly.
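The consent model the cookie banner and the newsletter checkbox both rely on, as an added example that is not part of the original article: nothing non-essential runs until the visitor actively decides, each decision is stored with the evidence named above (when, by whom, which form version, for what), and withdrawal is recorded rather than silently dropped. The category names, the `subject` field and the injected loader callbacks are assumptions for illustration.

```javascript
// Added example (not from the article): a minimal consent manager for an online store.
// Categories are the non-essential ones; strictly necessary cookies are never gated here.
const CATEGORIES = ['analytics', 'marketing', 'profiling', 'newsletter'];

// Before any decision nothing non-essential is allowed (no pre-ticked boxes, no scripts).
function emptyConsent() {
  return { subject: null, given_at: null, form_version: null, allowed: [] };
}

// Record a decision. `subject` is who gave it (visitor id or email, assumed field),
// `allowed` the categories actively ticked ("accept all" maps to CATEGORIES, "decline" to []),
// `formVersion` identifies the exact wording the person saw.
function recordConsent(subject, allowed, formVersion, now = new Date()) {
  const unknown = allowed.filter(c => !CATEGORIES.includes(c));
  if (unknown.length) throw new Error('unknown consent category: ' + unknown.join(','));
  return {
    subject,                          // by whom
    given_at: now.toISOString(),      // when
    form_version: formVersion,        // in which version of the form
    allowed: [...new Set(allowed)],   // for what exactly (granular)
  };
}

// Withdrawal is a new record with an empty allow-list, so the audit trail keeps the event.
function withdrawConsent(subject, formVersion, now = new Date()) {
  return recordConsent(subject, [], formVersion, now);
}

function isAllowed(consent, category) {
  return consent.allowed.includes(category);
}

// Gate tracking scripts on consent: `scripts` maps a category to a loader callback
// (e.g. one that injects the analytics or remarketing tag). Returns what was loaded.
function loadPermittedScripts(consent, scripts) {
  const loaded = [];
  for (const [category, load] of Object.entries(scripts)) {
    if (isAllowed(consent, category)) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}
```

On withdrawal the page should be re-evaluated with the new record so already-loaded tags stop firing; this snippet only decides what may load.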
Data processing agreements with service providers
An online store uses dozens of external tools and providers to which it passes customer data. Each of them, if it processes data on behalf of the store, is a data processor and requires a data processing agreement under Article 28 GDPR.
Typical recipients of data requiring processing agreements in ecommerce:
- the ecommerce platform (Shopify, WooCommerce on external hosting, Magento),
- hosting provider and server,
- mailing system (Mailchimp, Klaviyo, GetResponse),
- payment operator — depending on the model,
- CRM and customer service system,
- courier company — where the store passes customer data on the customer’s behalf,
- analytics system (where it processes identifiable data),
- accounting firm handling the store’s finances.
The absence of processing agreements with providers is a violation of Article 28 GDPR — and one of the areas regularly checked during supervisory authority inspections.
Data retention — how long to keep customer data
One of the most frequent mistakes in online stores is retaining customer data indefinitely. GDPR requires that data be deleted once the purpose for which it was collected no longer applies.
Indicative retention periods for ecommerce:
- order data (for tax and complaints purposes) — 5 years from the end of the tax year,
- invoices — 5 years under tax legislation,
- customer account data — for the duration of the account, and after deletion for the limitation period for claims (typically 3–6 years),
- newsletter data — until consent is withdrawn,
- contact form data — until the matter is resolved plus the limitation period for claims.
Detailed guidance on managing retention periods is available in the article on personal data retention.
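Turning the indicative periods above into a deletion schedule, as an added example that is not from the article: each record kind gets its own anchor event (end of the tax year, account deletion, consent withdrawal, matter resolved), and a job selects what is due. The record field names are assumptions, the limitation period is a parameter because it depends on jurisdiction, and the tax year is assumed to equal the calendar year.

```javascript
// Added example (not from the article): retention deadlines for ecommerce records.
const DEFAULT_LIMITATION_YEARS = 3; // assumed value; the article gives a 3-6 year range

function addYears(date, years) {
  const d = new Date(date);
  d.setUTCFullYear(d.getUTCFullYear() + years);
  return d;
}

// Last second of the calendar year containing `date` (tax year == calendar year assumed).
function endOfTaxYear(date) {
  return new Date(Date.UTC(new Date(date).getUTCFullYear(), 11, 31, 23, 59, 59));
}

// Date from which the record may be erased, or null while retention is open-ended
// because the triggering event (withdrawal, account deletion, resolution) has not happened.
function retentionDeadline(record, limitationYears = DEFAULT_LIMITATION_YEARS) {
  switch (record.kind) {
    case 'order':   // 5 years from the end of the tax year of the order
    case 'invoice': // 5 years under tax legislation (same anchor assumed here)
      return addYears(endOfTaxYear(record.created_at), 5);
    case 'account': // kept while the account exists, then the limitation period
      return record.deleted_at ? addYears(record.deleted_at, limitationYears) : null;
    case 'newsletter': // until consent is withdrawn
      return record.consent_withdrawn_at ? new Date(record.consent_withdrawn_at) : null;
    case 'contact_form': // matter resolved plus the limitation period
      return record.resolved_at ? addYears(record.resolved_at, limitationYears) : null;
    default:
      throw new Error('no retention rule for record kind: ' + record.kind);
  }
}

// Records whose deadline has passed as of `now`; these are handed to the deletion job.
function dueForDeletion(records, now = new Date()) {
  return records.filter(r => {
    const deadline = retentionDeadline(r);
    return deadline !== null && deadline <= now;
  });
}
```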
Personal data breaches in an online store — what to do
Online stores are frequent targets of cyberattacks — customer database leaks, phishing, unauthorised access to user accounts. Any event that leads to the accidental or unlawful disclosure of personal data may constitute a breach requiring notification.
If a breach is likely to result in a risk to the rights and freedoms of customers — the store has 72 hours to notify the supervisory authority. If the risk is high — affected individuals must also be informed.
The store should have an incident response procedure in place: who assesses the event, who decides whether to notify, and how to document the course of action.
Record of processing activities for an online store
Every online store that processes data on a regular basis — and every store does — should maintain a record of processing activities. The formal obligation applies to organisations with more than 250 employees, but in practice every store should maintain one — because without a record it is impossible to demonstrate compliance during a supervisory inspection.
Typical processing activities in the record of an online store:
- order fulfilment,
- payment processing,
- handling returns and complaints,
- managing customer accounts,
- sending newsletters,
- remarketing and profiling,
- website analytics,
- invoice archiving,
- handling enquiries via contact form.
Summary
GDPR ecommerce compliance is not a one-time implementation — it is ongoing management of documentation, consents, agreements, and incident response. The store owner as data controller is responsible for the entire processing chain — from the order form through external systems to courier companies.
Key obligations in brief:
- a privacy policy tailored to the store’s actual processes,
- a compliant cookie banner with an equivalent decline option,
- separate marketing consent — no pre-ticked boxes,
- processing agreements with all providers handling customer data,
- a record of processing activities covering all processes,
- an incident response procedure within the 72-hour notification window,
- data retention aligned with processing purposes.
Manage GDPR for your online store in one place
iGDPR helps you maintain the record of processing activities, manage data processing agreements with suppliers, handle data retention and document incidents — for online stores of any size. See how it works in practice.