ComplyTo - GDPR and Online Shops - What to know

Answers to 8 questions, plus a checklist, on GDPR for online shops

Do you need a checklist to get started with GDPR in your online shop? Read more here.

ComplyTo helps those of you who run an online shop with 8 tips and a checklist for GDPR.

An online shop handles multiple types of personal data, and with the new personal data regulation it may be difficult to find out what to do to comply with the new rules.

Therefore, ComplyTo answers 8 questions from webshops about what you need to be aware of, and what you can do, to comply with the GDPR. You will find a 5-step checklist to get started at the bottom of the article.

So let's get started!

1. What’s the importance of the new rules for online shops – and what are the consequences of not complying with them?

Most of you have probably heard of fines of up to € 20 million. But fines may not be the first consequence for an ordinary online shop, at least not in the beginning. The biggest consequence for an online shop is more likely to be that customers expect the shop to comply with the personal data regulation and handle their personal data properly. If an online shop does not have control over this, the customer may simply find another shop.

2. What measures should be taken to comply with the personal data regulation?

The best thing you can do is to document that you know what data you have, where you have them and with which companies (such as Google, Microsoft, Mailchimp and many others) these data are stored. Smaller companies, in particular, usually use more of these cloud services. Even if you store personal data in, for example, Dropbox, it is still you who are responsible for these data.

3. What types of agreement should you take care of? What is the documentation you must have? And are there certain items that should appear on your online shop?

The most important document you need right now in relation to GDPR is your privacy policy. And you ought to have one for each one of your activities. That is to say, for example, one for the online shop, one for HR activities and one for each activity where your company processes personal data.

In addition, you will need data processing agreements with all your suppliers (e.g., as mentioned earlier, Google, Microsoft, Mailchimp, etc.). If you work with larger cloud solution providers, they have probably already sent you a data processing agreement. However, it is still your responsibility to ensure that these agreements are in line with your needs. Signing or accepting such an agreement does not shift responsibility to the provider: as the controller, you remain answerable for a personal data leak, and the provider's own obligations do not relieve you of yours. So you have to look critically at these agreements and be able to document that you have read and understood them.

4. What is NOT permitted for an online shop owner after the GDPR came into force?

As long as you follow the law that also applied before the new personal data regulation, you can continue with most activities. Most countries have already had a personal data law for many years. The big difference between GDPR and the previous laws is that you now need to be able to document how you process the personal data you store in your business.

You can still send emails to your customers. You can still send newsletters (if the recipient has consented to this – which was also statutory before the GDPR). You may, however, NOT send marketing/newsletters without consent – which was already illegal in most countries.

5. What do you do if a customer wants his or her personal data removed? Does the customer have “the right to erasure”?

The "right to erasure" does exist, but it is not absolute, and there are other rights you should be more aware of.

The right to be deleted from corporate databases is not an unconditional right of the consumer. If your online shop has a legitimate or commercial interest, or a legal obligation, that requires retaining personal data, you may keep these data even if a customer asks you to delete them; you should still answer the request and explain why the data are retained.

The right to be deleted is most relevant where your processing rests on consent, for example for a newsletter. Then the person may ask you to delete this information if he or she no longer wishes to be on the mailing list. Contact information, purchase history, etc., a company may keep for as long as it has a valid reason, for example to comply with accounting rules.

You must be more aware of the right of access. The user/customer has the right to require you to send a copy of the personal data you hold on that user/customer, and you must respond within a month. Therefore, you should know where you store this data and how to extract it so that you can send it.
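The two requests discussed above, access and erasure, are easiest to answer when every piece of personal data is recorded together with the system it lives in, the legal basis for holding it and its retention date. The following is an added example, not code from ComplyTo or from the article: it walks a small, constructed data map for one customer across three systems, returns everything for an access request, and for an erasure request deletes only consent-based data and data whose retention period has expired, while reporting what was kept and why. The system names, record categories and retention dates are assumptions made up for the illustration.

```python
"""Answer access and erasure requests against a per-customer data map.

Added example, not ComplyTo code. Systems, records and retention dates
are constructed for illustration only.
"""
from dataclasses import dataclass, asdict
from datetime import date
from typing import Optional


@dataclass
class Record:
    """One piece of personal data and why the shop holds it."""
    system: str                  # where it lives, e.g. "shop_db", "mailing_tool"
    category: str                # what it is, e.g. "invoice", "newsletter"
    data: dict                   # the personal data itself
    basis: str                   # "consent", "contract" or "legal_obligation"
    retain_until: Optional[date]  # None: only as long as the basis (e.g. consent) holds


def build_sample_store():
    """Constructed data map for one customer spread over three systems."""
    email = "anna@example.com"
    return {
        email: [
            # account data kept under the contract until a year after the last order (assumed)
            Record("shop_db", "account", {"email": email, "name": "Anna Example"},
                   "contract", date(2024, 1, 1)),
            # invoices are kept for five years under bookkeeping rules
            Record("shop_db", "invoice", {"order": "1001", "total": "249.00", "email": email},
                   "legal_obligation", date(2028, 12, 31)),
            # newsletter subscription and analytics both rest on consent
            Record("mailing_tool", "newsletter", {"email": email, "opted_in": "2023-03-01"},
                   "consent", None),
            Record("analytics", "page_views", {"email": email, "views": 42},
                   "consent", None),
        ]
    }


def access_request(store, email):
    """Right of access: everything held on the person, with system and basis."""
    return [asdict(r) for r in store.get(email, [])]


def erasure_request(store, email, today):
    """Right to erasure: drop consent-based data and data past its retention date,
    keep what a contract or legal obligation still requires, and report both."""
    deleted, retained, remaining = [], [], []
    for rec in store.get(email, []):
        if rec.basis == "consent":
            deleted.append((rec.system, rec.category, "consent withdrawn"))
        elif rec.retain_until is not None and rec.retain_until < today:
            deleted.append((rec.system, rec.category, "retention period expired"))
        else:
            retained.append((rec.system, rec.category, f"{rec.basis} until {rec.retain_until}"))
            remaining.append(rec)
    if remaining:
        store[email] = remaining
    else:
        store.pop(email, None)
    return {"deleted": deleted, "retained": retained}


if __name__ == "__main__":
    store = build_sample_store()
    for entry in access_request(store, "anna@example.com"):
        print("access:", entry["system"], entry["category"], entry["basis"])
    report = erasure_request(store, "anna@example.com", date(2025, 6, 1))
    print("erasure:", report)
```

The report returned by `erasure_request` is what you send back to the customer: it shows which data were removed and states the reason each remaining record is kept, which is also the evidence you need to document the decision later.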

6. How does ComplyTo’s solution work? And is an online shop guaranteed to comply with GDPR through ComplyTo?

ComplyTo provides a tool that ensures that you document your work with the GDPR. The system helps you identify which personal data you have. Based on that, our wizard generates the necessary privacy policies and data processing agreements. In addition, we have a risk and to-do list system that you can use to keep your business in adherence to the personal data regulation. In case of discrepancies between your data mapping and legislation, we will inform you by making a risk and to-do list that guides you through the process.

We do not guarantee compliance with the rules, as that would require us to check your data input and thus we would not be able to offer our product at a fair price. But you should meet at least 80% of the goals.

For most small- and medium-sized businesses, we have everything you need. And you can always get an accountant or lawyer to assess the outcome – just as you can get an accountant to look at your accounts and bookkeeping if you want additional assurance.

Personal data law is constantly changing, and new laws and practices will influence what is considered compliance with the GDPR in the future. We are constantly updating our system to follow developments, so that you as a customer stay fully up to date.

With our GDPR system, you always have easy access to all your personal data documents, tasks and agreements if you decide to add personal data to a new system or to change your privacy policy. Therefore, keeping your policies and data-processing agreements up to date is simple and easy.

7. How does one prove that customers and visitors have accepted the terms of the new personal data regulation on one's website?

You do not have to obtain acceptance from users of your online shop/website that they have read and understood the rules. Simply inform them, through your privacy policy, how you process their data, and make that policy readily available. Only where you process personal data on the basis of consent (e.g. newsletters) must you ensure that people actively consent, for example when signing up for a newsletter (no pre-ticked checkboxes, etc.).

8. Must you inform all your existing customers about the new GDPR rules?

You must inform your users about what data you have about them, what you use the data for and how long you store these data. You do that in a privacy policy. Your privacy policy ought to be given to those affected – as a web-based business, it's a good idea to put this up on the website and send a link to the customers when they purchase a product.

A quick checklist for the GDPR for online shops:

  1. You must know which personal data you have and where.
  2. Document what you do with this personal data.
  3. Make sure your users, employees, and others know how personal data is processed in the company. You do this through a privacy policy.
  4. Make sure that data processing agreements are in place with the third parties who have access to the personal data for which you are responsible.
  5. Make sure you can document that you are continuously working on personal data processing. Follow the procedures, look at the data and remember to delete data when you no longer need it. The GDPR is not over just because May 25 has passed. It is an ongoing process.

Challenges for online shops selling health-related products

Personally sensitive information and online shops in brief.

This blog post was written by our GDPR expert, Sebastian Bayer.

Summary of the Expert’s Article:

In short, this article says that if your online shop sells products targeted at human health, the GDPR prohibits you from marketing to customers based on those previous purchases. For example, if a customer has bought a cream for foot fungus, you may not subsequently advertise to the customer that they can buy other products that also help against foot fungus. This is because, according to the GDPR, you may not use information about a person's health for marketing without their explicit consent.

Following the adoption of the GDPR, there are new rules that you, as a business, must be aware of. This means that there is a greater focus on the correct processing of personal data, whether these are given to you directly or indirectly. Online shops have been particularly hard hit by this, as they usually collect a large amount of personal information in order to meet their obligations and to offer a broad product portfolio. This raises the possibility that the products a customer buys reveal more about the customer's private life than the shop ever meant to collect.

If you have an online shop selling natural medicine, personal care products, dietary supplements and similar products that relate to people’s health, you are at risk that the personal information you receive will no longer be regarded as general personal information, but rather as personally sensitive information. And if you receive sensitive information, there are higher requirements for your processing of these personal data.

This is because information about the sale of the above products can lead you to draw conclusions about the customer's state of health, and information about a person's health is defined in the personal data regulation as sensitive. The problem arises when the online shop profiles its customers, that is, uses previous purchases to "guess" which other products the customer is interested in.

This article helps you understand how such a situation occurs and what you, as a business, should do to avoid fines or bad reviews because your online shop pushed the limits of the personal data regulation.

When does information about a product sold surpass general personal information to become personally sensitive data according to GDPR?

What distinguishes Personally Sensitive Information (GDPR Article 9) from General Personal Information (GDPR Article 6) is that the sensitive information is subject to stricter requirements for the purposes for which it may be collected and processed. Personally sensitive information is exhaustively defined in the personal data regulation and includes: health information, sex life and sexual orientation, political opinions, religious or philosophical beliefs, and trade union membership. It also includes racial or ethnic origin, genetic data, and biometric data processed for the purpose of uniquely identifying a person.

If you sell a product that can reveal something about a person's state of health, e.g. that the person could have a particular illness or is pregnant, you may, potentially, have sensitive information about the person, even though this was not the purpose of the sale.

One concrete example is if you sell a cream that fights foot fungus from your online shop. When you sell this product, you effectively receive personally sensitive information about the customer, as the customer is likely to have foot fungus. The same is true if you sell nutritional supplements that are intended to help with a particular health condition, such as constipation.

If you collect purchase data in order to sell other products on the basis of this knowledge about the person’s health, you will have collected personal data based on profiling from your customer’s purchase information.

But it may not be the purchaser who uses the product.

When you sell items from your online shop, your situation is potentially different from selling items on prescription. When a customer buys a prescription item at a pharmacy, the pharmacy knows that the person who needs the product is the one who buys it. When a customer shops at an online shop, a purchase does not mean that the customer who buys the item will be the one to use it. For example, a man may buy a product for his wife. This lack of correlation between the customer and the user of the product means one can argue that the sale of, for example, foot fungus cream is not personally sensitive information, since it cannot be shown that the product is actually intended for the customer and therefore it does not indicate anything about their health situation.

However, this argument cannot be relied upon entirely. If you use the information that your customer buys anti-fungal foot cream to market other anti-fungal foot products to the customer, it will be regarded as marketing based on personally sensitive information and is not allowed. This applies even if it is not, in fact, the customer who buys the product who will use it. Since it is never possible to determine who the customer buys the product for, the focus is on what you assume it is used for.

This means that if your online shop markets similar products on the basis of a customer's purchase of, for example, anti-fungal foot cream, that potentially reveals something about customer health conditions, it looks like the information is, in fact, related to the customer. Therefore, you will not have a legal basis for that marketing.

Can I actually use the potentially sensitive information?

In a word, the answer is no. This is due to the fact that the personal data regulation has stricter requirements about what purposes the sensitive data may be used for. Thus, the most relevant lawful purpose your online shop could employ is explicit consent of the person to use their health information for marketing. But it is probably doubtful that the person will give such consent.

It should also be noted that consent to use such information cannot be a part of general business terms and conditions. The customer, in this case, must actively choose that the online shop may market to the customer on the basis of their health conditions. In addition, the customer must be able to withdraw this consent as easily as it was given.

What should I do?

Based on the Accounting Act, you are required to keep your bookkeeping information for 5 years – which includes your sales invoices. This means that you cannot stop recording customer purchases. This is an entirely ordinary and undramatic practice and would not be personally sensitive information; the purpose of the information is billing and accounting.

On the other hand, however, when we speak of marketing, it is more important that you consider whether you use the purchase history (which is ordinary personal information) or the secondary health information (personally sensitive data) for your marketing.

Therefore, it is important in the mapping of your company's personal data that you have an overview of the personal data and the purpose of these. Specifically in relation to the marketing of products targeted at specific health problems or illnesses, the recommendation is that online shops should not use such information for marketing toward specific individuals (for example, in direct mail marketing or messages on the online shop in the form of: "because you previously bought... we recommend...").

In this way, you can avoid getting into a situation where your online shop is potentially out of bounds with the rules by using knowledge of a customer's health condition for marketing purposes without obtaining the customer's specific permission.
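One practical way to apply the recommendation above is to tag health-related products in the catalogue and to gate every "because you bought ..." feature on that tag and on a separate, explicit, withdrawable consent, while leaving bookkeeping untouched. The following is an added example, not code from ComplyTo or from the article: the catalogue, purchases and consent records are constructed, and the `health_related` flag and the `"health_marketing"` consent scope are assumptions about how a shop would tag its own data. It goes slightly beyond the article by also showing that a consent buried in general terms (not explicit) and a withdrawn consent both leave the health-related purchases out of the marketing basis.

```python
"""Gate 'because you bought ...' marketing on product sensitivity and consent.

Added example, not ComplyTo code. Catalogue, purchases and consent records
are constructed; the health_related flag and the "health_marketing" consent
scope are assumptions about how a shop would tag its own data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed catalogue. health_related marks products whose purchase could
# reveal something about the buyer's health (special-category data).
CATALOGUE = {
    "P100": {"name": "Anti-fungal foot cream", "category": "foot_care", "health_related": True},
    "P101": {"name": "Anti-fungal foot spray", "category": "foot_care", "health_related": True},
    "P200": {"name": "Hiking socks", "category": "outdoor", "health_related": False},
    "P201": {"name": "Insulated water bottle", "category": "outdoor", "health_related": False},
}


@dataclass
class Purchase:
    customer: str
    product_id: str
    purchased_on: date


@dataclass
class Consent:
    customer: str
    scope: str                     # e.g. "health_marketing"
    explicit: bool                 # separately ticked, not bundled into general terms
    given_on: date
    withdrawn_on: Optional[date] = None

    def active(self, today):
        """Consent counts only if it was explicit and has not been withdrawn."""
        return self.explicit and self.given_on <= today and (
            self.withdrawn_on is None or self.withdrawn_on > today)


def has_explicit_consent(consents, customer, scope, today):
    return any(c.customer == customer and c.scope == scope and c.active(today)
               for c in consents)


def bookkeeping_records(purchases, customer):
    """Accounting view: every purchase, regardless of sensitivity or consent."""
    return [p.product_id for p in purchases if p.customer == customer]


def marketing_basis(purchases, consents, customer, today):
    """Purchases that may drive 'because you bought ...' marketing for this customer.
    Health-related purchases are excluded unless explicit, unwithdrawn consent exists."""
    health_ok = has_explicit_consent(consents, customer, "health_marketing", today)
    return [p.product_id for p in purchases
            if p.customer == customer
            and (health_ok or not CATALOGUE[p.product_id]["health_related"])]


def recommend(purchases, consents, customer, today):
    """Suggest unbought products from the categories of the permitted purchases only."""
    allowed = marketing_basis(purchases, consents, customer, today)
    categories = {CATALOGUE[pid]["category"] for pid in allowed}
    bought = set(bookkeeping_records(purchases, customer))
    return sorted(pid for pid, item in CATALOGUE.items()
                  if item["category"] in categories and pid not in bought)


if __name__ == "__main__":
    purchases = [Purchase("anna", "P100", date(2024, 5, 1)),
                 Purchase("anna", "P200", date(2024, 5, 1))]
    today = date(2024, 8, 1)
    print("no consent:", recommend(purchases, [], "anna", today))
    consent = Consent("anna", "health_marketing", explicit=True, given_on=date(2024, 6, 1))
    print("explicit consent:", recommend(purchases, [consent], "anna", today))
    consent.withdrawn_on = date(2024, 7, 1)
    print("after withdrawal:", recommend(purchases, [consent], "anna", today))
```

Keeping `bookkeeping_records` and `marketing_basis` as separate functions makes the distinction the article draws explicit in code: the invoice trail is always complete, while the marketing pipeline only ever sees what the shop has a legal basis to use for that purpose.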
