
GDPR in E-commerce — Customer Data Protection for Online Stores

GDPR requires online stores to protect customer data. Learn about key requirements, common violations, and practical steps toward compliance.

What Customer Data Does an Online Store Process

An online store processes a wide range of customer personal data:

Identification data: first name, last name, email address, phone number, delivery and billing address, tax ID (for businesses)

Transaction data: order history, payment methods, transaction amounts, invoice data

Behavioral data: viewed products, time spent on pages, abandoned carts, clicks, search history

Technical data: IP address, cookie identifiers, browser fingerprint, geolocation data

Loyalty program data: points, preferences, rewards history

GDPR (General Data Protection Regulation) requires that each data category has a defined legal basis for processing, a purpose, and a retention period.

Legal Bases for Processing Customer Data

GDPR allows personal data to be processed only on one of the six legal bases listed in Art. 6(1). In e-commerce, the most commonly used are:

Contract performance (Art. 6(1)(b))

  • Processing data necessary for order fulfillment
  • Delivery address, invoice data, contact details
  • Does not require separate consent

Legal obligation (Art. 6(1)(c))

  • Storing data for tax and accounting purposes
  • Retention period based on regulations (e.g., 5 years for invoices)

Legitimate interest (Art. 6(1)(f))

  • Direct marketing to existing customers
  • Fraud prevention
  • Analytics and store optimization
  • Requires a documented legitimate interest assessment (balancing the store's interest against the customer's rights and expectations)

Consent (Art. 6(1)(a))

  • Newsletter and marketing to potential customers
  • Profiling and personalization (marketing cookies)
  • Must be freely given, specific, informed, and unambiguous

Common GDPR Violations in Online Stores

The GDPR violations in e-commerce that most often draw fines from supervisory authorities:

Missing or flawed cookie policy

  • Automatically setting marketing cookies before obtaining consent
  • Cookie banner without a reject option or with “dark patterns”
  • No ability to withdraw consent

Customer data leaks

  • Unsecured customer database
  • No encryption of data in transit and at rest
  • Failure to notify the supervisory authority within 72 hours of becoming aware of the breach

Excessive data collection

  • Requiring data unnecessary for order fulfillment (e.g., national ID, date of birth)
  • Lack of data minimization in forms

Failure to fulfill data subject rights

  • Not implementing the right to erasure (right to be forgotten)
  • No data export capability (right to data portability)
  • No information about data processing by third parties

Improper data processing agreements

  • Missing data processing agreements with vendors (hosting, marketing, analytics)
  • Data transfers outside the EEA without adequate safeguards
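The "failure to fulfill data subject rights" item above hides a conflict that trips up many stores: an erasure request cannot wipe invoice data that tax law obliges the store to keep (Art. 17(3)(b) GDPR), yet everything held under consent, contract or legitimate interest must go, and what stays must be locked to that single purpose and purged when its retention period ends. The following Python example, added here and not taken from the page or any vendor's product, shows one way to implement erasure, portability export and a per-category retention run together. The in-memory store, the retention periods, the tombstone format and the sample customer are all assumptions made for the example.

```python
"""Erasure (Art. 17) vs. legal retention (Art. 6(1)(c), Art. 17(3)(b)), portability
(Art. 20) and per-category retention purges for an online store. Added example with
an assumed in-memory store; retention periods and the sample customer are constructed."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed retention policy: days per data category, with the legal basis that decides
# whether an erasure request may touch it. None = kept only while the account exists.
RETENTION_DAYS = {
    "invoices": 5 * 365,  # Art. 6(1)(c): survives erasure, purged when the period ends
    "behavioral": 90,     # Art. 6(1)(f): deleted on erasure or after 90 days
    "loyalty": None,      # Art. 6(1)(b): deleted on erasure
    "marketing": None,    # Art. 6(1)(a): deleted on erasure or consent withdrawal
}


@dataclass
class Customer:
    customer_id: str
    email: str
    name: str
    address: str
    marketing_consent: bool
    invoices: list[dict] = field(default_factory=list)    # buyer details as issued
    behavioral: list[dict] = field(default_factory=list)  # each carries an ISO 'date'
    loyalty: dict = field(default_factory=dict)
    erased: bool = False
    purge_after: str | None = None  # ISO date after which nothing may remain


def _expired(iso_date: str, days: int, today: date) -> bool:
    return date.fromisoformat(iso_date) + timedelta(days=days) <= today


class CustomerStore:
    def __init__(self) -> None:
        self.customers: dict[str, Customer] = {}

    def add(self, c: Customer) -> None:
        self.customers[c.customer_id] = c

    def export(self, customer_id: str) -> dict:
        """Art. 20: structured, machine-readable copy of what the subject provided or
        generated (observed clicks count; inferred scores would not)."""
        c = self.customers[customer_id]
        if c.erased:
            raise LookupError("account erased; only restricted invoice data remains")
        return {
            "identification": {"email": c.email, "name": c.name, "address": c.address},
            "consents": {"marketing": c.marketing_consent},
            "orders": c.invoices,
            "loyalty": c.loyalty,
            "behavioral": c.behavioral,
        }

    def erase(self, customer_id: str, today_iso: str) -> Customer | None:
        """Art. 17 with the Art. 17(3)(b) carve-out: delete everything except what tax
        law requires, and lock what stays to that single purpose."""
        c = self.customers[customer_id]
        # Held under consent, contract or legitimate interest: delete outright.
        c.behavioral.clear()
        c.loyalty.clear()
        c.marketing_consent = False
        # Invoices keep the buyer details exactly as issued (a valid invoice needs them),
        # but the account is detached so the data cannot be reused for login or marketing.
        c.email = f"erased-{secrets.token_hex(4)}@invalid"  # .invalid: reserved TLD
        c.name = c.address = "[erased]"
        c.erased = True
        if not c.invoices:  # nothing under a legal obligation: the record can go entirely
            del self.customers[customer_id]
            return None
        newest = max(date.fromisoformat(i["date"]) for i in c.invoices)
        c.purge_after = (newest + timedelta(days=RETENTION_DAYS["invoices"])).isoformat()
        return c

    def purge_expired(self, today_iso: str) -> dict[str, int]:
        """Scheduled retention run (Art. 5(1)(e)): each category goes when its period ends."""
        today = date.fromisoformat(today_iso)
        dropped = {"invoices": 0, "behavioral": 0, "customers": 0}
        for cid, c in list(self.customers.items()):
            keep = [i for i in c.invoices if not _expired(i["date"], RETENTION_DAYS["invoices"], today)]
            dropped["invoices"] += len(c.invoices) - len(keep)
            c.invoices = keep
            keep = [b for b in c.behavioral if not _expired(b["date"], RETENTION_DAYS["behavioral"], today)]
            dropped["behavioral"] += len(c.behavioral) - len(keep)
            c.behavioral = keep
            if c.erased and not c.invoices:  # tombstone with no legal reason left to exist
                del self.customers[cid]
                dropped["customers"] += 1
        return dropped


def build_sample_store() -> CustomerStore:
    """Constructed sample data; no real customer information."""
    store = CustomerStore()
    addr = "ul. Przykładowa 1, 00-001 Warszawa"
    store.add(Customer(
        customer_id="c-1001", email="anna.kowalska@example.com", name="Anna Kowalska",
        address=addr, marketing_consent=True,
        invoices=[{"number": "FV/2019/0042", "date": "2019-03-10", "buyer_name": "Anna Kowalska",
                   "buyer_address": addr, "gross_pln": "249.00"},
                  {"number": "FV/2024/1187", "date": "2024-06-01", "buyer_name": "Anna Kowalska",
                   "buyer_address": addr, "gross_pln": "89.90"}],
        behavioral=[{"date": "2024-12-20", "event": "view", "sku": "SKU-778"},
                    {"date": "2025-01-10", "event": "abandoned_cart", "sku": "SKU-778"}],
        loyalty={"points": 1200, "tier": "silver"},
    ))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.export("c-1001")["identification"])
    print(s.erase("c-1001", "2025-01-15"))
    print(s.purge_expired("2025-01-15"), s.purge_expired("2029-06-01"))
```

Two design points carry over to a real store. First, the erased account is not deleted while invoices remain; it becomes a tombstone whose identity fields are overwritten and whose only remaining purpose is the legal obligation, so a later export or marketing job cannot pick it up. Second, the retention run is driven by the same per-category table that documents the legal bases, which keeps the record of processing activities and the purge logic from drifting apart.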

GDPR Technical Requirements for E-commerce

GDPR requires implementing “appropriate technical and organizational measures” (Art. 32). For e-commerce, this means:

Data encryption:

  • TLS 1.2+ for all pages (not just checkout)
  • At-rest database encryption
  • Backup encryption

Access control:

Infrastructure security:

Vulnerability management:

  • Regular platform and plugin updates
  • Vulnerability scanning
  • Critical patch management procedures

Backup and recovery:

  • Regular backups with recovery testing
  • Business continuity plan (BCP) and disaster recovery plan (DRP)

Breach Notification — What to Do After a Data Leak

In case of a personal data breach, an online store must:

Without undue delay and, where feasible, within 72 hours of becoming aware of the breach:

  • Report the breach to the supervisory authority (Art. 33 GDPR), unless it is unlikely to result in a risk to individuals; a notification made after 72 hours must state the reasons for the delay
  • The notification must include: the nature of the breach, the categories and approximate number of affected individuals and records, the likely consequences, and the measures taken or proposed to address it

Without undue delay (if high risk):

  • Notify affected data subjects (Art. 34 GDPR)
  • Communication must be clear, understandable, and include recommended protective actions

Documentation:

  • Document the breach, its consequences, and actions taken
  • Documentation must be available upon request by the supervisory authority

We recommend preparing an incident response procedure before an incident occurs — as part of a security audit, we identify procedural gaps and help develop a response plan.

GDPR Fines in Practice — E-commerce Examples

Fines for GDPR violations in the e-commerce sector are increasing:

Examples of fines in Poland:

  • Morele.net — PLN 2.83 million for a data breach affecting 2.2 million customers (inadequate technical safeguards)
  • Online store — PLN 40,000 for failing to cooperate with the supervisory authority after a breach

Examples of fines in Europe:

  • H&M (Germany) — EUR 35.3 million for illegal employee monitoring
  • Notebooksbilliger.de — EUR 10.4 million for camera surveillance without legal basis
  • Amazon Europe — EUR 746 million for data processing without legal basis

Maximum fines:

  • Up to EUR 20 million or 4% of annual global turnover (whichever is higher)
  • Several infringements arising from the same or linked processing operations are fined together, up to the amount set for the gravest of them (Art. 83(3)); unrelated violations can each be fined separately

Financial penalties are not the only cost — indirect costs (customer loss, reputation damage, legal fees) often far exceed the fine itself.

