Shopify DSGVO - Das sollten Sie beim Erstellen der Datenschutzerklärung für Ihren Shopify Shop beachten
Friday, 3 February 2023
Latori GmbH

Shopify DSGVO - This is what you should keep in mind when creating the privacy policy for your Shopify store.

The GDPR entered into force on May 25, 2016. However, the EU member states have to apply the General Data Protection Regulation (GDPR) only since May 25, 2018. Many sellers and website operators are therefore asking themselves the big question of what exactly they have to do to be protected from the high penalties of the GDPR and not lose the trust of their customers and users.

Even among our Shopify customers, everyone is now asking the questions:

  • what else do I need to consider?

  • Does Shopify comply with the GDPR?

  • can I stay with Shopify or do I have to switch to a German system?

Our answer: You don't have to switch! Shopify continues to adapt to EU laws and offers you the options to use Shopify legally compliant in the EU.

You don't want to be left alone with Cookie Consent, T&Cs, Imprint and Co. As a Shopify agency, we are happy to support you with your online store. Contact us.

The aim of the General Data Protection Regulation

The aim of the GDPR is to standardize data protection law within the EU.

Data protection law is to become more data protection-friendly for the users concerned. Citizens are to get their data back as far as possible. Together with significantly higher fines, this is intended to ensure that cloud services or social networks from the USA, for example, must also comply with the rules.

What should be protected with the new EU-DSGVO?

The most important connecting factor in the scope of application of the General Data Protection Regulation (GDPR) is personal data, e.g.:

  • Name

  • Address

  • E-mail address

  • Phone number

  • Birthday

  • Account data

  • License plate number

  • Location data

  • IP addresses

  • Cookies

Jede Person soll die Kontrolle über ihre Daten haben und jederzeit informiert darüber sein, welche Daten sie preisgeben und wozu diese gespeichert werden.

Die Datenspeicherung unter der DSGVO wird also künftig transparenter. Die EU bezieht damit nicht nur die EU-Mitgliedsstaaten ein, sondern auch Drittländer. Jedes Drittland, also jedes Land außerhalb der EU, muss sich an die Transparenz der Daten ebenso halten, wie Sie als Händler innerhalb der EU.

Reading tip: All important information on the Price Indication Ordinance can be found here.

Current principles

Prohibition with reservation of permission

The collection, processing and use of personal data is generally prohibited without the consent of the data subject.

This consent or consent to data storage can arise, for example, from the following:

  • Law, e.g. from the BDSG, TMG, EU-DSGVO

  • Consent of the data subject

  • Data economy; only data that is needed and processed may be collected.

  • Purpose limitation; data may only be processed for the purpose for which it was collected.

  • Data accuracy

The new principles of the General Data Protection Regulation

Data security - Article 32 GDPR

Data security; a level of protection for the data that is commensurate with the risk.

This means that the level of protection you must ensure is based on the need for protection of the personal data. What measures are then "appropriate" is based on the state of the art, the necessary implementation costs, the circumstances, etc.

Thus, a doctor or hospital has different obligations and rights with regard to data protection than, for example, a website operator.

Right to be forgotten (right to erasure) - Article 17 GDPR

Personal data must be deleted or blocked if there is no longer any authorization to use the data.

Users can assert this right not only against search engine operators, such as Google, but also against any entity that processes personal data - including you as a store owner or website operator.

Among other reasons, you are obliged to delete the data for the following reasons:

  • The personal data are no longer necessary for the purpose for which they were collected (Art. 17 a)

  • The data subject has withdrawn his/her consent (Art. 17 b, c)

  • The data processing was/is unlawful (Art. 17 d)

  • The data processing was/is unlawful (Art. 17 d)

  • The solution is legally required

Right to data portability - Article 20 GDPR

So the possibility and the right to "take" their data to another provider.

Every person has the right to receive all personal data that you store in a readily processable, commonly used format.

Accountability - Article 5 GDPR

Lawfulness, fair processing, transparency.

This article describes how to demonstrate compliance with the data protection principles.

Personal data must be

  • are processed in good faith, comprehensibly and transparently

  • are collected for specified and unambiguous purposes

  • be limited to the data necessary for the purpose

  • be up-to-date and correct. data that is no longer up to date and incorrect for the purpose must be deleted

  • be stored in such a way that the data subject can only be identified for as long as it serves the purpose

  • be processed in an appropriately secure manner

Obtain consents - Article 7 GDPR

In the future, you must strictly document the consents. If a user signs up for your newsletter, for example, you must be able to prove this. A distinction is made here between voluntary and contractual consent.

For example, the General Data Protection Regulation stipulates with regard to consent:

  • Consent must be documented.

  • If the data subject consents to several points (e.g., as part of a contract), the purpose must be formulated clearly and in understandable language.

  • Consent can be revoked at any time.

Commissioned data processing (ADV), now "commissioned processing"(AV) - Article 28 GDPR

In ADV, the client is the primary contact for data subjects and is responsible for compliance with data protection requirements. However, the contractor (i.e., the processor) is also jointly responsible.

Contract data processors or order processors are among others

  • external customer center (e.g. call center)

  • external newsletter provider

  • cloud computing provider

  • external marketing company

  • external data center

  • external ERP / CRM

  • store system / hoster (e.g. Shopify)

  • Social networks (Facebook, Instagram, etc.)

Processors must e.g.

  • draw up an inventory of all categories of processing activities carried out under contract (Article 30)

  • Cooperate with a supervisory authority upon request (Article 31)

  • take technical and organizational data security measures (Article 32(1))

  • the contract for ADV no longer has to be in writing but can also be concluded in electronic form

The data protection officer - Article 37 GDPR

According to the new General Data Protection Regulation, a data protection officer must be appointed if one or more reasons exist. This data protection officer must be named and given contact details in the privacy policy of your website.

If these points apply to you (or even just one of them), you must appoint a data protection officer.

  • Your company consists of at least 10 employees

    Your core activity involves "extensive regular and systematic monitoring of data subjects"

    You process special categories of data in accordance with Articles 9 and 10 of the GDPR

New data protection obligations for employers

Data processing in the context of employment - Article 88 GDPR

As an employer, you are also subject to the new obligations under the GDPR. However, the new data protection regulations do not only affect the employer itself.

Rather, all entities that process personal data in connection with an employment relationship are affected. This may also include recruiters, works councils, public authorities, tax consultants and many others.

Shopify Cookie-Banner & DSGVO

At the latest since the DSGVO came into force, every online store should have a so-called cookie banner. This informs users about the collection of personal data, usually in the form of a pop-up. The user must agree to this collection of data, also called tracking, or be able to reject it.

With Shopify, such a cookie banner can be added via apps such as usercentrics.

Reading tip: You can read more about legally compliant Shopify cookie banners here.


In the future, the data protection provisions with all necessary information must be precise, transparent, understandable, easily accessible, written in clear and simple language and designate the legal basis for data processing.

Do you need help implementing your General Data Protection Regulation? Then contact us now without obligation and we will support you with our know-how.

Frequently asked questions about the new EU-DSGVO

What does the GDPR regulate?

The General Data Protection Regulation contains provisions that apply to the protection of individuals with regard to the processing and publication of personal data.

To whom does the GDPR apply?

The GDPR helps all persons or organizations that collect personal data from customers or employees.

When do I have to delete data according to the GDPR?

Personal data must be deleted when data subjects revoke their declaration of consent or the purpose of the data processing has been fulfilled.

Shop Usability AwardShop Usability Award
Wir schätzen alle unsere Kunden, Nutzer und Leser, egal ob weiblich, männlich, divers oder nicht-binär. Der Lesbarkeit halber verzichten wir auf Gendersternchen und nutzen weiterhin das generische Maskulinum. Wir sprechen damit ausdrücklich alle an. Bitte beachten Sie außerdem, dass wir Zitate zum besseren, sprachlichen Verständnis leicht angepasst haben.