Here's how to tell if your shop is GDPR compliant 📜
Author: Sophie, Content Manager at STM - PowerContent 4u, specialising in content strategy, SEO texts and keyword research. Wishing you much success and inspiration while reading! 🚀
Do you process personal data in online retail? Then you must comply with the General Data Protection Regulation (GDPR; in German: Datenschutz-Grundverordnung, DSGVO). Many online shops violate the GDPR – often unknowingly. This can be costly. Here's how to check whether your shop is legally compliant.
1. Is a privacy policy available and up-to-date?
Every shop needs a complete privacy policy. It must explain exactly:
What data you collect
What you use it for
What rights users have
How they can have their data deleted or changed
Do not use old texts or templates without checking them. There are reputable generators such as eRecht24.
2. Cookie Banner: Consent required before setting
Tracking and marketing cookies require consent. A correctly implemented cookie banner must:
Only set technically necessary cookies in advance.
Obtain active consent for all other cookies
Allow revocation at any time
Tools like Cookiebot help you keep track of things.
3. SSL encryption is mandatory
When you transfer customer data (e.g., at checkout), you must use HTTPS. This protects the data from being read by third parties in transit.
Your shop must support these functions technically and organizationally – via customer account or support request.
5. Order processing with external service providers
You use tools like:
Newsletter software (e.g. Mailchimp)
Cloud services
Payment providers
Then you need a data processing agreement (DPA) with these providers. Otherwise, you risk receiving a cease and desist letter.
6. Legal notice and terms and conditions: complete and up-to-date
Even if it is not strictly a GDPR matter: your shop needs a legally compliant legal notice (Impressum) and terms and conditions. They must be clear, easy to find, and up to date.
An optional feedback field? No problem. But don't make it mandatory unless absolutely necessary.
8. Data protection information regarding tracking and analysis
Do you use Google Analytics or Meta Pixel? Then you must:
anonymize the IP address
Conclude a data processing agreement
Provide correct data protection information
Alternatives such as Matomo can be hosted on your own servers and are easier to operate in compliance with the GDPR.
9. Newsletter: Double Opt-In
To send a newsletter you need verifiable consent. That means:
Double opt-in with confirmation link
Logging of consent
Unsubscribe link in every email
10. Technical and organizational measures
You must ensure that your data is protected – even internally:
Regular backups
Strong passwords and access controls
Firewall, antivirus programs
⚖️ FAQ: How to tell if your shop is GDPR compliant
The critical checkpoints that protect you from fines of up to €20 million
Key figures: €20 million maximum fine | 72 hours notification deadline | 4% of annual turnover
What are the actual fines for GDPR violations in e-commerce?
Typical penalties for small shops:
• Missing privacy policy: €5,000-20,000
• No cookie banner: €5,000-15,000
• Newsletter without DOI: €10,000-30,000
Theoretically, fines can reach up to €20 million or 4% of annual revenue. In practice, small shops usually pay €5,000-50,000 for initial violations. The most common penalties are: missing privacy policy (€5,000-20,000), no cookie banner (€5,000-15,000), newsletters without double opt-in (€10,000-30,000), and failure to report a data breach (€20,000+).
📄 Does my privacy policy really need to be 20 pages long?
No, but it must be complete! Average for online shops: 8-12 pages. Mandatory information: the responsible party, the legal basis, all tools and services used (Google Analytics, Facebook Pixel, etc.), storage duration, data subject rights, recipients of the data, and cookies in detail. Shorter versions are usually incomplete and can lead to legal action.
🍪 Cookie banners annoy customers – what is the legal minimum?
Technically necessary cookies: no banner needed. Everything else (analytics, marketing): explicit consent is required BEFORE the cookies are set. Minimum: a "Decline" button that is as prominent as the "Accept" button, no pre-selected checkboxes, and a granular choice per category. "By continuing to browse, you agree" is illegal and expensive (€5,000-15,000).
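The consent rules from section 2 and this answer (only necessary cookies before consent, explicit opt-in per category, decline as easy as accept, revocation at any time) as an added JavaScript example; this is not code from the article or from any cookie-banner product. The cookie names other than _ga and _fbp, the policy version string and the in-memory cookie jar are assumptions.

```javascript
const POLICY_VERSION = "2025-01"; // hypothetical; bump whenever the cookie policy text changes

// Category of every cookie the shop may set (names other than _ga and _fbp are constructed).
// A cookie that is not listed here is refused outright.
const COOKIE_CATEGORIES = {
  session_id: "necessary",
  cart: "necessary",
  cookie_consent: "necessary", // the stored consent record itself
  _ga: "statistics",
  _fbp: "marketing",
};

// `jar` is any object with get/set/delete(name): a Map here; in a browser, the same
// three methods written over document.cookie (with Secure and SameSite attributes).
function createConsentManager(jar, now = () => Date.now()) {
  let consent = null; // no pre-selection: nothing beyond "necessary" until grant() is called

  function allowed(category) {
    if (category === "necessary") return true;
    return Boolean(consent && consent.version === POLICY_VERSION &&
                   consent.granted.includes(category));
  }

  // Try to set a cookie; returns true only if its category is currently allowed.
  function setCookie(name, value) {
    const category = COOKIE_CATEGORIES[name];
    if (!category || !allowed(category)) return false;
    jar.set(name, value);
    return true;
  }

  // Record an active, granular choice with timestamp and policy version, stored as a
  // necessary cookie so the choice can be shown (and revoked) later.
  function grant(categories) {
    consent = {
      granted: categories.filter((c) => c !== "necessary"),
      at: new Date(now()).toISOString(),
      version: POLICY_VERSION,
    };
    jar.set("cookie_consent", JSON.stringify(consent));
    return consent;
  }

  // "Decline" is a single call, as easy as "Accept", and grants nothing beyond necessary.
  function decline() { return grant([]); }

  // Revocation: drop the record and delete every non-necessary cookie already set.
  function revoke() {
    consent = null;
    jar.delete("cookie_consent");
    for (const [name, category] of Object.entries(COOKIE_CATEGORIES)) {
      if (category !== "necessary") jar.delete(name);
    }
  }

  // Restore an earlier choice; a record made under an older policy version does not count.
  function restore() {
    const raw = jar.get("cookie_consent");
    if (!raw) return null;
    try {
      const parsed = JSON.parse(raw);
      consent = parsed.version === POLICY_VERSION ? parsed : null;
    } catch {
      consent = null;
    }
    return consent;
  }

  return { allowed, setCookie, grant, decline, revoke, restore };
}

// Walk-through with an in-memory jar (constructed data, no browser needed).
function demo() {
  const jar = new Map();
  const cm = createConsentManager(jar);
  const beforeConsent = cm.setCookie("_ga", "GA1.2.1"); // refused: no consent yet
  cm.setCookie("session_id", "abc");                    // allowed: technically necessary
  cm.grant(["statistics"]);                             // granular: statistics only
  const gaAfter = cm.setCookie("_ga", "GA1.2.1");       // now allowed
  const fbp = cm.setCookie("_fbp", "fb.1.1");           // refused: marketing not granted
  cm.revoke();                                          // revocation deletes _ga, keeps session_id
  return { beforeConsent, gaAfter, fbp, gaRemains: jar.has("_ga"), sessionRemains: jar.has("session_id") };
}
```

The stored record (timestamp, categories, policy version) is also what you show a supervisory authority when asked how consent was obtained.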
📊 Will Google Analytics still be possible in 2025 without consent?
No! GA4 also requires consent. ECJ ruling 2022: US data transfers are problematic. Solution: Consent Mode v2, IP anonymization, data processing agreement (DPA), cookie banner. Alternative: Matomo or Plausible (GDPR-compliant without a banner). Penalty for lack of consent: €10,000-30,000.
✉️ Newsletter subscription – is single opt-in sufficient for existing customers?
⚠️ Double opt-in is mandatory!
Documentation: Timestamp + IP address + consent text
Old lists without DOI: Register again or delete!
No! Double opt-in is mandatory, even for existing customers. Exception: soft opt-in for similar products after a purchase. Documentation is crucial: save the timestamp, IP address, and consent text. Errors can cost €10,000-30,000. Old lists without a double opt-in (DOI): re-register or delete!
☁️ Customer data in the cloud (Shopify, WooCommerce) – GDPR problem?
Shopify: US servers ⚠️ | WooCommerce: EU hosting ✓ | Without a DPA: €5,000-20,000
It depends! Shopify: the standard data processing agreement (DPA) is okay, but US servers are problematic. WooCommerce: self-hosting in the EU is more secure. Important: a data processing agreement (DPA) with EVERY service (hosting, payment, shipping). Without DPAs: fines of €5,000-20,000 are possible.
⏱️ What rights do customers have to information and how quickly do I have to react?
Response time: 1 month (extendable to 3 months in complex cases). Rights: access to stored data, rectification, erasure, restriction of processing, data portability. Provide free of charge! Format: structured, commonly used, machine-readable (PDF/CSV). Ignoring this will cost €5,000-50,000.
👤 Does my small shop really need a data protection officer?
A data protection officer is mandatory for businesses with 20 or more employees involved in data processing, or for those processing sensitive data on a large scale. Most shops with less than €1 million in revenue don't need one. However, data protection documentation is still mandatory! A record of processing activities is required for businesses with 250 or more employees, or for those processing data regularly.
72-hour deadline!
🚨 Data breach in the shop – when do I need to inform the authorities?
Report immediately in the event of:
• A hack or data loss
• Accidental publication
• Customer data being affected
Penalty for failure to report: €10,000-100,000!
72 hours from the time you become aware of a risk to those affected! Hacking, data loss, accidental publication = reportable. Inform the authorities AND the affected customers in cases of high risk. Always document the incident, even if you are not legally required to report it. Failure to report: €10,000-100,000 fine. Example: a CSV of customer data accidentally published online = report immediately!
🛠️ Which tools and plugins will make my shop more GDPR-compliant immediately?
Cookie banner: Borlabs Cookie, Cookiebot (€300-500/year). Analytics: Matomo instead of Google Analytics. Privacy policy: Händlerbund, IT law firm (€10-30/month). A data processing agreement manager for contracts. GDPR tools for WordPress. Important: tools alone are not enough; correct configuration is crucial!
✅ GDPR quick check for your shop
🚨 Critical (Check immediately)
⚠️ Important (This Week)
✓ Optimization (This month)
⚖️ Disclaimer: This is not legal advice!
If you are unsure, always consult a specialist lawyer for data protection law.
Have you already checked your shop?
Which tools do you use for data protection and cookie management? Let us know in the comments – or ask your questions. Let's learn from each other.
Comments
Stefan Bauer (multi-channel retailer from Geesthacht), 6 months ago: author of the comment below beginning "As the operator of several online shops".
Petra Hansen (jewelry/accessories from Ahrensburg), 6 months ago: author of the comment below beginning "Great article! The practical examples".
Thank you so much for this comprehensive guide! The GDPR is a really complex topic, but you manage to explain everything clearly. As the owner of an online shop for sustainable fashion, transparency is particularly important to me – including when it comes to data protection. Your tips help me implement this. One point that seems important to me is raising employee awareness. Even the best data protection is useless if employees aren't trained. We regularly hold internal workshops on this topic.
As the operator of several online shops, I can only say: GDPR implementation is complex, but doable. Your article summarizes the most important points well. What I'm missing: a mention of the different requirements depending on company size. Shops with over 250 employees are subject to stricter rules in some cases. The topic of data protection impact assessments could also be covered in more detail. Nevertheless, it's a solid overview for beginners!
Great article! The practical examples make this otherwise dry topic much easier to understand. I especially appreciate that you also address the most common mistakes. The tip about regular data protection audits is invaluable – I hadn't even considered that. As the owner of a small online jewelry shop, it's difficult to keep track of all the requirements. Your checklist is a godsend!
Perfect timing! We're launching our organic food shop next month, and GDPR compliance was still on our to-do list. The checklist is incredibly useful. The point about data minimization is especially important – we tend to collect too much data "for later." But that's exactly the wrong approach! Only collect what you really need. I do have one more question: What about customer reviews? Are they also considered personal data if they include a name?
Thank you for this comprehensive guide! As the owner of a small pottery workshop with an online shop in Wedel, I was completely overwhelmed by all the GDPR stuff. I found your explanation of the legal bases for data processing particularly helpful. I always thought I needed consent for everything, but the fact that contract fulfillment is often sufficient makes things much simpler. However, I would have liked more specific tool recommendations. Which cookie consent tool is good? Which newsletter provider is GDPR-compliant? Are there any good templates for privacy policies? Perhaps you could write a follow-up article on that? Otherwise, excellent work! I feel much more confident now and will implement the tips step by step. I now also see investing in data protection as a quality indicator – it builds trust with customers.
As the owner of a gaming shop in Elmshorn, all I can say is: the GDPR is a necessary evil. Yes, it's annoying. Yes, it costs time and money. But let's be honest – our customers entrust us with their data. Credit card numbers, addresses, purchasing behavior… That's a responsibility! The article hits the nail on the head: It's better to do it right from the start than to have problems later. What I'm still missing: A mention of the documentation requirement. You have to be able to prove everything you do. Screenshots of cookie banner settings, employee training records, contracts with service providers… Collect everything! If necessary, you have to prove to the supervisory authority that you are compliant.
Finally, some straight talk! I'm an electrician and I also run a small shop for electrical accessories on the side. The GDPR is a real nightmare for non-lawyers. But your article gives me hope that even a layperson can manage it. I'll print out the checklist and work through it point by point. What I'd also like to know is: What about marketplaces like eBay or Amazon? Does the GDPR apply to me as a seller there as well?
Great article! I'm currently working on making my vintage fashion shop GDPR compliant. The tips on technical measures are invaluable. I especially underestimated SSL encryption – I thought it would be enough for the checkout page, but you're right, the entire website should be encrypted. The point about third-party tools also gave me food for thought. Google Analytics, Facebook Pixel, Hotjar… all great for marketing, but really sensitive from a data protection perspective. Do you have any experience with privacy-friendly alternatives like Matomo or Plausible?
Interesting article, but I think you're oversimplifying things. GDPR compliance isn't just a matter of checkboxes and cookie banners. It's about a fundamental data protection culture within a company. Privacy by Design and Privacy by Default are the key concepts. As operators of an online furniture shop in Neumünster, we've undergone a complete paradigm shift. We only collect the data we absolutely need, encrypt everything end-to-end, and have implemented strict deletion periods. This was painful and expensive at first, but now it's a competitive advantage. Customers appreciate transparent data protection! What I find lacking in the article: the topics of data protection for minors, international data transfers (Schrems II!), and the problems associated with AI tools in e-commerce. The latter is becoming increasingly relevant – chatbots, recommendation engines, personalization… all potential GDPR traps.
Hello from Flensburg! I've been running a sporting goods shop for 5 years and the GDPR is just incredibly frustrating. Constant new requirements, updates, court rulings… It's almost impossible to keep up! But you're right, ignoring it isn't an option. The competition is just waiting for you to make a mistake. Legal warnings for GDPR violations are now commonplace. I had one of those last year – luckily it turned out alright, but the legal fees were still hefty. The tip about regular audits is a good one. It's no fun, but better than getting the bill later. What annoys me is that the big players like Amazon don't care about any of this, but we small businesses have to adhere to every single detail.
As a lawyer specializing in data protection law in Kiel, I would like to add: Don't forget the rights of data subjects! Every customer has the right to information, rectification, erasure, restriction of processing, data portability, and objection. You must be able to respond to requests within one month. Data protection impact assessments for high-risk processing activities are also often overlooked. Excellent introductory article!
I run a small electronics shop in Elmshorn and I have to say, the GDPR is a real challenge for us retailers. It's good that you brought up the double opt-in issue – I actually hadn't implemented that correctly yet. The implementation costs shouldn't be underestimated, though. Lawyer, data protection officer, new tools… it quickly adds up to a few thousand euros.
As an IT service provider from Pinneberg, I see daily how many shops completely ignore the GDPR. The article hits the nail on the head! The point about data processing agreements is often overlooked. Last week, I had a client who'd been using their newsletter provider for two years without ever having a data processing agreement. That can get really expensive! The fines are no joke – up to €20 million or 4% of global annual turnover. Many still think this only affects the big players, but the supervisory authorities are becoming increasingly active. In Schleswig-Holstein alone, there were several proceedings against smaller online retailers last year. Another important point: Technical and organizational measures (TOMs) are often neglected. It's not enough to just have a privacy policy. You need a record of processing activities, deletion policies, employee training, and regular data protection audits. For smaller shops, I always recommend hiring an external data protection officer – it costs less than you think and saves a lot of trouble in a worst-case scenario.
Super helpful article! As a small boutique owner from Wedel, I'm often overwhelmed by all the legal requirements. The checklist for designing cookie banners really opened my eyes – I had no idea that even Google Fonts can be a privacy issue. I'll go through my shop tomorrow and check everything. Thanks for the clear explanation!
Excellent article. You clearly guide us through the most important points a shop needs to consider. The checklist is helpful and directly actionable. Keep the privacy policy up-to-date, obtain cookie consent correctly, check SSL, enable data access, and regulate order processing. The information on tracking is precise. You show what's important with analytics and pixels and suggest sensible alternatives. You explain double opt-in and newsletter protocols clearly. This allows every team to quickly identify and close any gaps. The examples of mandatory and optional fields in forms are also practical. My suggestion for an update: a short template for data access requests and a simple annual audit plan with deadlines. Thanks for the clear overview. I'm sharing the article with my network. Question for everyone: Which tools do you use for cookie management and documenting consent?