GDPR: what eCommerce businesses need to know

In today's eCommerce business, data privacy and security standards are essential. Not only do they assure customers of a business's legitimacy, they also protect business owners from unwanted legal obligations and penalties. In this Maxpay article, we explain in detail the most powerful privacy law in force, the GDPR.

What is GDPR?

The GDPR, or General Data Protection Regulation, is the strongest privacy and security law in the world. Although the GDPR was created in the European Union, it affects any company or organization anywhere in the world that collects, stores, or transmits, automatically or manually, the personal data of people in the EU. Even a company on another continent that sells products to clients worldwide, including EU customers, must be GDPR compliant.

The GDPR came into force on 25 May 2018. Before it, a European privacy law created in 1995 imposed certain data privacy and security obligations, but it was implemented separately in each EU country. In the following 10 years, the world changed too much: the internet community transformed from groups of anonymous users into actual virtual identities with legal names and credit cards. The previous laws had effectively expired with the rise of the new technology and were no longer able to secure personal data at all. The GDPR was therefore established to protect any EU-related person on any online platform, regardless of the European country involved.

Why is the GDPR Important for eCommerce Stores?

Complying with the GDPR has benefits from the point of view of the legal system, of the customer, and of the business itself. For the legal institutions, a business that is compliant with the GDPR is ready to work with EU citizens' data because it treats that information respectfully. For a customer, an eCommerce store that is in line with the GDPR can be trusted because it values privacy and establishes equal relations regarding the marketing use of the data.

If an eCommerce business is not compliant with the GDPR but still continues to collect, store, or operate on the personal data of EU citizens, massive fines are on the way. The penalties can be as much as €20 million or 4% of global revenue. A €20 million fine seems like a great amount for a small business, but for huge companies like Amazon or Facebook, 4% of global revenue is far more threatening.

The Seven Principles of the GDPR

The 7 principles of data protection according to the GDPR are a set of obligatory rules that regulate how private data is collected, stored, shared, and used. In other words, the GDPR protects customer data from being abused or mistreated by any data processor.

Under the GDPR, personal data is any piece of information that can identify an individual. This includes, but is not limited to: name, email address, physical address, phone number, IP address, payment data, photo, biometric data, ethnicity, gender, religious beliefs, sexual orientation, and political orientation.

  1. Lawfulness, fairness, and transparency. Data processing must be lawful, fair, and transparent to the customer or user.
  2. Purpose limitation. The eCommerce business must process data for legitimate purposes only, notifying the customer or user when the data is being collected.
  3. Data minimization. The eCommerce business must collect and process only as much data as is strictly necessary, and exclusively for the specified purposes.
  4. Accuracy. The eCommerce business must keep the personal data it stores accurate and up to date.
  5. Storage limitation. The eCommerce business must store data only for as long as necessary for the defined purposes.
  6. Integrity and confidentiality. Security and confidentiality are essential in the processing.
  7. Accountability. The eCommerce business is responsible for being able to demonstrate GDPR compliance with all of the preceding principles.

Individual Data Rights

EU citizens have a set of rights over their private data established by the GDPR. Each is an essential requirement for every company, organization, or business that processes the data of EU-related people.

  1. The right to be informed.
  2. The right of access.
  3. The right to rectification.
  4. The right to erasure.
  5. The right to restrict processing.
  6. The right to data portability.
  7. The right to object.
  8. Rights in relation to automated decision making and profiling.

Producing a Compliant Privacy Policy

The privacy notice is an essential step for GDPR compliance. Basically, a privacy notice is a public document where clients or users can read about the collection and processing of their data. When data is collected directly from a person in physical form, the GDPR still applies and the privacy notice must be given to that person at that moment.

There are certain requirements regarding what the GDPR privacy notice must include and how it should be written. Because the GDPR insists that the privacy policy be accessible and understandable, the privacy notice must be written in plain language, with no legal jargon. The document must be easy to find on every page of the website, or delivered promptly in person.

Regarding the content of the GDPR privacy notice, the following points should be covered in the document.

Categories of personal data

This section states what data is collected, for example name, email address, phone number, and IP address. Only the necessary data should be collected by the business or organization. Collecting non-necessary information just in case it becomes useful later is not valid under the GDPR.

Collection of the personal data

This section describes how exactly the personal data is collected. It can be gathered and processed during online registration, while leaving feedback or a review, when subscribing to the mailing list, and so on. All these cases must be pointed out clearly for GDPR compliance.

Usage of the personal data

The company that collects private data must state, as the GDPR requires, how this information is used. A customer's personal data can be used, for example, to deliver products, to subscribe him or her to email offers, or to manage the personal account.

Recipients of the personal data

If any of the private data is to be shared with a partner company or any other third-party organization, a customer protected by the GDPR must be able to see who those recipients are. The actual names of those companies are not required, but the types of companies are.

Storage of the personal data

According to the GDPR, a company or organization cannot simply hold on to personal data with no reason and no time limit. The user must be able to know for what period his or her data will be stored, and when that storage period expires, the data must be deleted.

Marketing use of the personal data

The GDPR requires it to be visible not only how the business processes personal data, but also how this data is used for advertising purposes. The business must inform a customer whose personal information is collected for marketing purposes, and the customer must then actively opt in, agreeing to this. It must also be easy for the customer to opt out of any subscription, mailing list, and all other promotions.

Cookies policy

Regarding the cookies policy, the situation is quite similar. To be GDPR compliant, a business must state in the privacy policy how exactly cookies are used and for which purposes: if the cookies are essential, what they are on the website for; if the cookies collect information to share with other companies, which companies are on the list. Again, the customer must be able to easily opt in and opt out by taking active action.

Contact details

The GDPR insists that every privacy notice contain the actual contact details of the business or organization: an email address, physical address, phone number, or other means of communication through which the user can request a list of their data, change it, delete it, or simply ask a data-related question.

Third Country Transfers

The GDPR does allow the transfer of personal data outside the EU countries, but there are conditions. The transfer is valid only for businesses that are non-EU companies with EU clients, or that are EU companies dealing with non-EU third-party companies.

Also, if a business that works with EU citizens wants to buy personal data, regardless of location, it must be sure that the seller was GDPR compliant and that every person on the list actively opted in to having their data used and stored by another company.

How Do You Get GDPR Compliance?

Even though it might seem quite complicated to comply with all the standards of the GDPR checklist, doing so is absolutely necessary for processing data securely and avoiding severe penalties. Besides that, the GDPR website compliance checklist brings order, logic, and a set of useful privacy rules into the business, which is always a good thing. Let's go through the measures businesses must apply to become GDPR compliant.

  • Determine which data is processed and who has access to it.
  • Have a legitimate justification for each piece of data processed.
  • Publish a privacy notice with clear information.
  • Protect the stored data in both digital and physical formats.
  • Encrypt and anonymize as much information as possible.
  • Implement an internal data security policy for team members.
  • Assign a team member to be responsible for GDPR compliance.
  • Handle risky situations such as data breaches and, if necessary, be in contact with the authorities.
  • Have a signed agreement with third parties that process data on your behalf.
  • If your business is located outside the EU, appoint a representative in one of the European Union countries.
  • Make it easy for the customer to request the data you hold about him or her.
  • Make it easy for the customer to correct any personal information.
  • Make it easy for the customer to ask for all their personal data to be deleted.
  • Make it easy for the customer to ask for the processing of their personal data to be stopped.
  • Make it easy for the customer to receive a copy of their personal data.
  • Make it easy for the customer to object to any processing of their personal data.
  • Protect customers' rights in relation to automated decision making and profiling.

If you are looking for a payment gateway service provider that is GDPR compliant, we advise you to try Maxpay. Maxpay offers various services for merchants, such as opening a merchant account, chargeback protection, fraud prevention, and more. To find out more about our services and the benefits for your business, please contact the sales department.