In e-commerce, where by its very nature a large amount of personal data must be processed, there is a particularly large number of data protection rules that must be observed and correctly complied with.
The Europe-wide General Data Protection Regulation (GDPR) already came into force on May 25, 2018. It initially caused a great deal of turmoil among companies and website operators in all sectors. The numerous to-dos and the enormous penalties for non-compliance even led some e-commerce companies to take their online stores (temporarily) completely offline.
In the meantime, the dust has settled somewhat. For most e-commerce companies, dealing with the GDPR and data protection has become a normal part of business. However, there is still a great deal of uncertainty in some areas. For online store newcomers in particular, the GDPR often represents a significant barrier. But even established e-commerce operators stumble over new regulations again and again.
This article provides the most important facts you should know about data protection in e-commerce, along with key tips and a checklist for complying with the GDPR.
Note: This article does not replace professional legal advice and should not be considered as such. For a fully GDPR-compliant online store, you should definitely consult a qualified expert.
Particularly important for e-commerce companies: data protection in the online store is required by law.
The question "Why protect data?" in the sense of "Do we have to implement data protection measures or not?" should therefore not even arise.
But what is the legislator's intention with the data protection regulations?
As an e-commerce operator, it is certainly helpful to be aware of the principles of the applicable data protection rules in order to be able to implement the corresponding requirements efficiently.
According to Section 1 (1) of the old German Data Protection Act (BDSG), the primary objective of data protection is "to protect individuals from having their personal rights infringed by the handling of their personal data". Ultimately, this means that all entities that process personal data in any way must comply with the statutory data protection rules. If they do not do so, they are liable to prosecution.
Since May 25, 2018, data protection rules have been regulated by the GDPR at European as well as national level. Special attention is paid to the protection of natural persons when their personal data is processed. The "new" data protection regulation is actually not that different from the previous provisions in Germany, where comparatively great importance has always been attached to the conscious handling of personal data. Nevertheless, there have been some innovations, and since the GDPR became applicable, further points that are important for e-commerce have been added.
In addition to the direct protection of individuals and personal data, the GDPR also aims to make companies and website operators more aware of how to handle personal information. Optimally, as little data as possible is requested, and only the data that is really necessary for the respective business activity.
A definition of personal data can be found in Article 4 of the GDPR.
Accordingly, it is "any information relating to an identified or identifiable natural person (hereinafter 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
In short, personal data is any information that can be linked to a specific individual.
In this context, it is very important for e-commerce operators that personal data also includes the typical technical information that accumulates when someone simply visits a web store, even if they do not buy anything and do not make contact. This applies above all to the visitor's IP address and the cookies used by the online store.
What personal data is subject to data protection?
In detail, the following personal data is relevant for data protection:
Data protection is not a completely static matter. Individual areas are adapted time and again. Thus, it is absolutely appropriate to review the specifications and the topicality of one's own measures from time to time.
Companies with an online store are specifically required to ensure that their visitors can see as transparently as possible, within the cookie banner used, which cookies are set for what purpose and what type of data is collected with them. The corresponding information may only be collected if users actively permit this. Consent can be given, for example, by selecting a checkbox for each cookie type. In addition, e-commerce operators should refer to the privacy statement in the cookie banner.
Preset checkboxes and a quick prompt for visitors to hit the "Ok" button or similar tactics are not GDPR-compliant. To be on the safe side when it comes to cookies, consent for analytics, etc., it is advisable to use an up-to-date consent tool.
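The consent logic behind such a banner can be kept small. The following is an added example (not code from the article or from any consent tool it mentions) of how a store could model the points above: optional cookie categories default to "off", a decision only counts once the visitor has actively made it, third-party scripts are loaded only after that decision, and a helper checks a banner configuration for the usual defects (pre-checked boxes, missing purpose text, no reject-all button, no link to the privacy statement). The category names, purposes and the banner configuration object are constructed for this example.

```javascript
// Added example: minimal consent gating for an online store (not the article's code).
// Cookie categories and their purposes; only "necessary" may be used without consent.
// Category names and purpose texts are constructed for this example.
const COOKIE_CATEGORIES = {
  necessary: { required: true,  purpose: 'Shopping cart and login session' },
  analytics: { required: false, purpose: 'Visitor statistics (page views, etc.)' },
  marketing: { required: false, purpose: 'Personalised advertising' },
};

// Default state: no optional category is pre-selected and no decision is recorded yet.
function initialConsentState() {
  const choices = {};
  for (const [name, cfg] of Object.entries(COOKIE_CATEGORIES)) {
    choices[name] = cfg.required; // true only for strictly necessary cookies
  }
  return { decided: false, timestamp: null, choices };
}

// Record an explicit user decision. Required categories stay on; unknown
// categories are rejected so a malformed banner cannot grant consent by accident.
// Anything other than an explicit boolean true is treated as "no".
function recordConsent(state, selection, now = Date.now()) {
  const choices = { ...state.choices };
  for (const [name, value] of Object.entries(selection)) {
    if (!(name in COOKIE_CATEGORIES)) throw new Error(`unknown category: ${name}`);
    if (COOKIE_CATEGORIES[name].required) continue;
    choices[name] = value === true;
  }
  return { decided: true, timestamp: now, choices };
}

// "Reject all" is a first-class choice: it records a decision with every optional category off.
function rejectAll(state, now = Date.now()) {
  return recordConsent(state, {}, now);
}

// Gate: may a cookie or script of this category be used right now?
function mayUse(state, category) {
  const cfg = COOKIE_CATEGORIES[category];
  if (!cfg) return false;
  if (cfg.required) return true;
  return state.decided && state.choices[category] === true;
}

// Run a loader (e.g. one that injects an analytics <script>) only after consent.
// Returns whether the loader was actually called.
function loadIfPermitted(state, category, loader) {
  if (!mayUse(state, category)) return false;
  loader();
  return true;
}

// Check a banner configuration for the defects named in the article: every
// category must explain its purpose, no optional category may be pre-checked,
// a reject-all option must exist and the privacy statement must be linked.
function bannerProblems(banner) {
  const problems = [];
  if (!banner.privacyPolicyUrl) problems.push('missing privacy statement link');
  if (!banner.hasRejectAll) problems.push('no reject-all option');
  for (const box of banner.checkboxes) {
    const cfg = COOKIE_CATEGORIES[box.category];
    if (!cfg) { problems.push(`unknown category ${box.category}`); continue; }
    if (!box.purposeText) problems.push(`no purpose text for ${box.category}`);
    if (!cfg.required && box.preChecked) problems.push(`${box.category} is pre-checked`);
  }
  return problems;
}

// Browser wiring (skipped outside a browser). Assumes a form with id "cookie-consent"
// whose checkboxes are named after the categories; this markup is hypothetical.
if (typeof document !== 'undefined') {
  let state = initialConsentState();
  const form = document.getElementById('cookie-consent');
  if (form) {
    form.addEventListener('submit', (ev) => {
      ev.preventDefault();
      const selection = {};
      for (const box of form.querySelectorAll('input[type=checkbox]')) {
        selection[box.name] = box.checked;
      }
      state = recordConsent(state, selection);
      loadIfPermitted(state, 'analytics', () => {
        const s = document.createElement('script');
        s.src = '/static/analytics.js'; // hypothetical path to the store's analytics script
        document.head.appendChild(s);
      });
    });
  }
}
```

The `timestamp` in the recorded state is what you keep as evidence of consent; `bannerProblems` is the kind of check that belongs in a deployment test so that a later template change cannot silently re-introduce a pre-checked box.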
The processing of personal data transmitted online naturally entails a certain risk. Online stores are vulnerable in various ways. If a hack occurs and personal data falls into criminal hands, this always means a whole lot of trouble for the company and its online store.
However, it becomes particularly difficult when it emerges that the stolen information was not adequately secured. In this case, massive penalties are to be expected, which may well threaten the existence of the company.
HTTPS encryption with an SSL/TLS certificate is therefore an absolute must, especially for data-sensitive store areas and processes such as contact forms, customer accounts and the checkout. In principle, however, the entire online presence should be served over HTTPS today.
A comprehensive privacy statement should be provided in a precise, transparent, understandable form and, last but not least, easy to find in the online store.
In Article 13 of the GDPR, there are explicit specifications as to what a legally compliant privacy statement must contain. This includes in particular (but not exclusively) the following elements:
- Identity and contact details of the responsible person or company.
- Specification of the data protection officer.
- Clarification on the processing purposes and legal basis of the processing.
- Information on the legitimate interest of the data collection.
- Naming of recipients in the event of data transfer (is always relevant in e-commerce).
- Information on the duration of data storage.
- Listing of the rights of the data subjects in connection with their personal data.
- Clarification of the necessity of collecting data for online business.
Today, the contact form is one of the standard support channels in e-commerce and should be present in practically every online store. Since personal data is requested here directly, the GDPR naturally keeps a special eye on the corresponding processes.
For e-commerce companies, this means that they must inform users of a contact form comprehensively about the relevant data processing and, in accordance with the principle of data minimization, should only request the information that is actually absolutely necessary for processing an inquiry.
In addition to collecting and processing such information themselves, e-commerce operators practically always pass personal data on to third parties.
- Data transfer for creditworthiness information: For a creditworthiness check, there is a high level of business relevance or a corresponding legally justified interest, in particular for transactions with a certain economic risk. The processing of data for this purpose occurs either on the basis of the customer's consent or the seller's legitimate interest.
- Cooperation with payment service providers: Payment service providers such as PayPal or Sofortüberweisung are very popular with customers, so most e-commerce operators cannot do without them. Although payment data is often transmitted directly from the customer to the service provider, or is already available there because the customer registered before the transaction, the persons concerned should nevertheless be informed that these providers may receive certain order information again for correct processing. The central legal basis is the necessity of the transmission for fulfilling the obligations of the purchase contract.
- The use of shipping service providers: In most cases, e-commerce companies work with external shipping service providers who deliver the goods ordered by customers. Without specific personal data, these partners cannot perform the delivery. The legal basis for the exchange of data here is once again the fulfillment of the merchant's contractual obligations.
The penalties that e-commerce companies face if they do not comply with data protection regulations are clearly regulated by the EU legislator and the GDPR.
- Legal basis in the GDPR: Articles 83 and 84.
- Maximum penalty for a breach: 20 million euros or four percent of global annual turnover (whichever is higher).
- Claims by data subjects: damages under Article 82(1) GDPR as a direct claim (also applies against the data processor).
The fine is primarily measured by the severity of the breach. Therefore, you do not necessarily have to fear the maximum immediately in the case of a penalty claim.
Very important in this context: penalties imposed by the legislator are one thing that should make e-commerce operators careful in handling personal data. In addition to these sanctions, however, there is another danger whose occurrence is actually much more likely! Article 8 of the GDPR creates the option for warnings to be issued by competitors or by competition or consumer protection associations.
- Draw up or, if necessary, adapt data protection declaration
- Adapt forms so that customers are adequately informed about data processing and only data that is actually required is requested.
- Ensure sufficient encryption - in some contexts, a more specialized SSL/TLS certificate or stronger encryption settings are also appropriate.
- Question analysis tools and, if necessary, adapt the way they are used - for example, clear information about the use of data, consent options and anonymized IP addresses should be ensured.
- Adapt cookie banners so that users can specifically agree to the use of corresponding information or not, depending on the purpose.
- Customize newsletter or organize address data used for email marketing correctly - consent by recipient, documentation of sources, privacy notice, etc.
- Create or adapt general data protection documentation - the GDPR requires e-commerce operators to be able to demonstrate compliance with all legal requirements.
- Create or adapt protection for minors if data of underage visitors is processed - i.e. provide an explicit consent option for parents or guardians.
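One concrete item from the checklist above, the anonymized IP address, can be illustrated in code. The following added example (not from the article and not the implementation of any analytics tool) truncates an address before it is handed to analytics or written to a log: for IPv4 the last octet is zeroed, for IPv6 only the first 48 bits are kept. This matches the convention used by Google Analytics's IP anonymisation. The access log lines it processes are constructed for the example, and the log format (IP as the first field) is an assumption.

```javascript
// Added example: IP anonymisation before analytics/logging (not the article's code).

// Expand an IPv6 address (including "::" compression) into eight 16-bit groups.
function expandIPv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6 address: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error(`invalid IPv6 address: ${ip}`);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  return groups.map((g) => {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) throw new Error(`invalid IPv6 group: ${g}`);
    return parseInt(g, 16);
  });
}

// Truncate an address so it no longer identifies a single host:
// IPv4 -> last octet zeroed (a /24), IPv6 -> first 48 bits kept (a /48).
function anonymizeIp(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    const octets = v4.slice(1).map(Number);
    if (octets.some((o) => o > 255)) throw new Error(`invalid IPv4 address: ${ip}`);
    return `${octets[0]}.${octets[1]}.${octets[2]}.0`;
  }
  const g = expandIPv6(ip);
  return `${g[0].toString(16)}:${g[1].toString(16)}:${g[2].toString(16)}::`;
}

// Rewrite one access log line. Assumes the client IP is the first
// whitespace-separated field (common log format); everything else is kept.
function anonymizeLogLine(line) {
  const idx = line.indexOf(' ');
  if (idx === -1) return anonymizeIp(line);
  return anonymizeIp(line.slice(0, idx)) + line.slice(idx);
}

// Process a whole log before it reaches long-term storage or an analytics import.
function anonymizeLog(lines) {
  return lines.map(anonymizeLogLine);
}

// Constructed sample log lines (documentation address ranges, not real visitors).
const SAMPLE_LOG = [
  '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /product/123 HTTP/1.1" 200 512',
  '2001:db8:85a3::8a2e:370:7334 - - [10/Oct/2023:13:55:37 +0000] "POST /cart HTTP/1.1" 302 0',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const line of anonymizeLog(SAMPLE_LOG)) console.log(line);
}
```

Apply the truncation at the point where the address leaves the request handler, before it is stored or forwarded, so that the full address never ends up in a database or an analytics account; the `/24` and `/48` choice is a balance between usefulness for statistics and the "data minimization" principle the checklist refers to.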
Correct data protection is and remains a difficult matter.
In e-commerce in particular, there are very many places where personal information has to be used. This is not a legal problem as long as store operators really only process data that is important to the business and as little data as possible, while adhering to certain rules. With the information from this article, you are basically well positioned for a GDPR-compliant e-commerce. However, you should not do without professional legal advice!
- Support with the GDPR-compliant application and implementation of your online media.
- Optimization of your email marketing and legally compliant newsletter distribution.
- Design and implementation of meaningful KPIs for the evaluation of your pages or applications. Individual development of dashboards that give you an overview of the relevant key figures.
- GDPR-compliant implementation of analysis tools (Matomo / Google Analytics etc.) in your pages / applications.
Benefit from our know-how in the following topics as well: