The GDPR entered into force on 24 May 2016, but it has only applied in the member states of the European Union since 25 May 2018. Many sellers and website operators are therefore asking themselves what exactly they need to do to avoid the GDPR's high fines and keep the trust of their customers and users. Our Shopify customers are asking the same questions:
What else do I need to consider?
Does Shopify comply with the GDPR?
Can I stay with Shopify or do I have to switch to a German system?
Our answer: You don't have to switch! Shopify continues to adapt to EU law and offers the options you need to run Shopify in the EU in a legally compliant way.
Reading tip: How to use Shopify in Germany in a legally compliant manner.
You don't want to be left alone with Cookie Consent, T&Cs, Imprint and Co. As a Shopify agency, we are happy to support you with your online store. Contact us.
The aim of the General Data Protection Regulation
The aim of the GDPR is to standardize data protection law within the EU.
Data protection law is to become friendlier to the people whose data is processed. Citizens are to regain control over their data as far as possible. Together with significantly higher fines, this is intended to ensure that cloud services and social networks from the USA, for example, must also comply with the rules.
What is protected by the new EU GDPR (EU-DSGVO)?
The key trigger for the scope of application of the General Data Protection Regulation (GDPR) is personal data, i.e. any information relating to an identified or identifiable natural person, e.g.:
License plate number
Every person should have control over their data and be informed at all times about which data they disclose and for what purpose it is stored.
The collection and storage of data under the GDPR therefore becomes more transparent. The GDPR's territorial scope covers not only businesses established in EU member states but also controllers in third countries, i.e. countries outside the EU, as soon as they offer goods or services to people in the EU or monitor their behaviour (Art. 3(2) GDPR). Such a third-country provider is bound by the same transparency obligations as you are as a retailer within the EU.
Reading tip: All important information on the Price Indication Ordinance can be found here.
Prohibition with reservation of permission
The collection, processing and use of personal data is generally prohibited unless there is a legal basis for it (Art. 6 GDPR).
Such a permission can arise, for example, from the following:
a statutory provision, e.g. in the BDSG, the TMG (whose data protection provisions have since been replaced by the TTDSG) or the GDPR itself, such as Art. 6(1)(b), processing that is necessary to perform a contract with the customer
consent of the data subject (Art. 6(1)(a))
Even where processing is permitted, two principles limit it:
data minimisation: only data that is actually needed for the purpose may be collected and processed
purpose limitation: data may only be processed for the purpose for which it was collected
The new principles of the General Data Protection Regulation
Data security - Article 32 GDPR
Data security: a level of protection for the data that is appropriate to the risk.
This means that the level of protection you must ensure depends on how sensitive the personal data is and what could happen to the data subjects if it leaked or was altered. Which measures are "appropriate" is judged against the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing. Art. 32(1) names examples: pseudonymisation and encryption of personal data, ensuring the confidentiality, integrity, availability and resilience of the processing systems, the ability to restore availability and access after an incident, and regular testing of how effective the measures are.
Thus, a doctor or hospital has different obligations and rights with regard to data protection than, for example, a website operator.
Right to be forgotten (right to erasure) - Article 17 GDPR
Personal data must be erased as soon as there is no longer any legal basis for processing it; where erasure is temporarily not possible, the processing must at least be restricted (Art. 18 GDPR).
Users can assert this right not only against search engine operators such as Google, but against any entity that processes personal data, including you as a store owner or website operator.
Among other reasons, you are obliged to erase the data when:
the personal data is no longer necessary for the purpose for which it was collected (Art. 17(1)(a))
the data subject has withdrawn consent (Art. 17(1)(b)) or objected to the processing (Art. 17(1)(c))
the data was or is being processed unlawfully (Art. 17(1)(d))
erasure is required by a legal obligation (Art. 17(1)(e))
Note the exceptions in Art. 17(3): data you must retain to comply with a legal obligation, such as invoices and order records under commercial and tax law, is exempt from the erasure request for the duration of the retention period. Block such data from all other use instead of deleting it.
Right to data portability - Article 20 GDPR
Every person has the right to receive the personal data they have provided to you in a structured, commonly used and machine-readable format, and to transmit it to another provider; in other words, the right to "take" their data elsewhere. The right covers data that you process by automated means on the basis of consent or a contract (Art. 20(1)).
Accountability - Article 5 GDPR
Lawfulness, fair processing, transparency.
Under Art. 5(2), you as the controller are responsible for compliance with the data protection principles and must be able to demonstrate it; this is what "accountability" means.
Personal data must
be processed lawfully, fairly and in a way that is transparent to the data subject
be collected for specified, explicit and legitimate purposes
be limited to what is necessary for those purposes (data minimisation)
be accurate and, where necessary, kept up to date; inaccurate data must be erased or rectified without delay
be stored in a form that allows identification of the data subject only for as long as the purpose requires
be processed in a manner that ensures appropriate security
Obtaining consent - Article 7 GDPR
You must document consents so that you can prove them. If a user signs up for your newsletter, for example, you must be able to show when, how and to what they consented. Consent must also be freely given: if you make a contract conditional on consent that is not actually needed to perform that contract, the consent is presumed not to be freely given (Art. 7(4)).
The General Data Protection Regulation stipulates, among other things, with regard to consent:
Consent must be documented (Art. 7(1)).
If the request for consent is part of a declaration that also concerns other matters (e.g., a contract), it must be clearly distinguishable from them and written in clear and plain language (Art. 7(2)).
Consent can be withdrawn at any time, and withdrawing it must be as easy as giving it (Art. 7(3)).
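As an added example (not code from the page's author or from Shopify), here is one way to make a newsletter sign-up provable in Python: a double-opt-in link carrying an HMAC-signed token, and an append-only consent log that stores when, from where and to which exact text and policy version the subscriber consented, and that records withdrawals as new events instead of editing the original grant. The signing key, the consent wording, the policy version and the IP address are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical consent text and policy version. Hashing the exact wording lets
# you prove later WHAT the subscriber agreed to, not only that they clicked.
CONSENT_TEXT_V3 = ("I want to receive the Example Shop newsletter (max. once a week). "
                   "I can unsubscribe at any time.")
POLICY_VERSION = "privacy-policy-2024-03-v3"


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_confirmation_token(email: str, purpose: str, issued_at: int, secret: bytes) -> str:
    """Token for the double-opt-in e-mail link: base64url(JSON claims).base64url(HMAC)."""
    claims = _b64u(json.dumps({"email": email, "purpose": purpose, "iat": issued_at},
                              separators=(",", ":")).encode())
    sig = _b64u(hmac.new(secret, claims.encode(), hashlib.sha256).digest())
    return f"{claims}.{sig}"


def verify_confirmation_token(token: str, secret: bytes, now: int,
                              max_age: int = 24 * 3600) -> Optional[dict]:
    """Returns the claims if the signature is valid and the link is not expired, else None."""
    try:
        claims_b64, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64u(hmac.new(secret, claims_b64.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    claims = json.loads(_unb64u(claims_b64))
    if now - claims["iat"] > max_age:
        return None  # stale link: force a fresh sign-up instead of accepting an old one
    return claims


@dataclass
class ConsentEvent:
    email: str
    purpose: str
    action: str            # "granted" or "withdrawn"
    at: int                # unix timestamp
    evidence: dict = field(default_factory=dict)


class ConsentLog:
    """Append-only: a withdrawal is a new event; the original grant is never rewritten."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def grant_from_token(self, token: str, secret: bytes, now: int, source_ip: str) -> bool:
        """Called when the subscriber clicks the confirmation link. Stores the proof."""
        claims = verify_confirmation_token(token, secret, now)
        if claims is None:
            return False
        self._events.append(ConsentEvent(
            claims["email"], claims["purpose"], "granted", now,
            evidence={
                "consent_text_sha256": hashlib.sha256(CONSENT_TEXT_V3.encode()).hexdigest(),
                "policy_version": POLICY_VERSION,
                "signup_at": claims["iat"],
                "confirmed_from_ip": source_ip,
            }))
        return True

    def withdraw(self, email: str, purpose: str, now: int) -> None:
        # Art. 7(3): withdrawing must be as easy as consenting; no token or login hoop here.
        self._events.append(ConsentEvent(email, purpose, "withdrawn", now))

    def has_consent(self, email: str, purpose: str, at: Optional[int] = None) -> bool:
        """Consent state as of time `at` (default: latest), so you can answer
        'were we allowed to send this mailing on that date?'"""
        state = False
        for ev in self._events:
            if ev.email == email and ev.purpose == purpose and (at is None or ev.at <= at):
                state = ev.action == "granted"
        return state

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """The record you hand over when asked to prove the consent (Art. 7(1))."""
        grants = [e for e in self._events
                  if e.email == email and e.purpose == purpose and e.action == "granted"]
        return None if not grants else {"granted_at": grants[-1].at, **grants[-1].evidence}
```

Keeping the hash of the consent wording and the policy version next to the timestamp is what turns "this address is in our list" into evidence: you can later show which text the subscriber saw, and has_consent(..., at=...) tells you whether a particular mailing was covered at the time it went out.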
Commissioned data processing (ADV), now "commissioned processing" (AV) - Article 28 GDPR
In commissioned processing, the controller (the client, i.e. you) is the primary contact for data subjects and is responsible for compliance with data protection requirements. However, the processor (the contractor) has obligations of its own under the GDPR, such as processing only on your documented instructions, securing the data and supporting you with data subject requests and breach notifications, and it can be held liable for breaching them.
Processors include, among others:
external customer center (e.g. call center)
external newsletter provider
cloud computing provider
external marketing company
external data center
external ERP / CRM
store system / hoster (e.g. Shopify)
Social networks (Facebook, Instagram, etc.); note, however, that for the data they collect through plugins, pixels and fan pages they are usually independent or joint controllers rather than your processors, so a DPA alone does not cover that use
Processors must, among other things,
keep a record of all categories of processing activities carried out on behalf of a controller (Art. 30(2))
cooperate with the supervisory authority on request (Art. 31)
implement appropriate technical and organisational security measures (Art. 32)
The commissioned processing contract itself no longer has to be in written form; it can also be concluded electronically (Art. 28(9)).
The data protection officer - Article 37 GDPR
If one or more of the following points applies to you, you must appoint a data protection officer:
You are a public authority or body (Art. 37(1)(a))
Your core activity involves "regular and systematic monitoring of data subjects on a large scale" (Art. 37(1)(b)), which can include extensive tracking and profiling of store visitors
You process special categories of data (Art. 9) or data relating to criminal convictions (Art. 10) on a large scale (Art. 37(1)(c))
In addition, German law (Section 38 BDSG) requires a data protection officer as soon as, as a rule, at least 20 persons are continuously engaged in the automated processing of personal data; the threshold was 10 persons until the BDSG was amended in 2019.
New data protection obligations for employers
Data processing in the context of employment - Article 88 GDPR
As an employer, you are also subject to the new obligations under the GDPR. However, the new data protection regulations do not only affect the employer itself.
Rather, all entities that process personal data in connection with an employment relationship are affected. This may also include recruiters, works councils, public authorities, tax consultants and many others.
Shopify Cookie-Banner & DSGVO
Since the GDPR has applied, at the latest, every online store should have a so-called cookie banner. This informs users, usually in the form of a pop-up, that cookies and similar identifiers are stored on their device and that personal data is collected, for example by tracking and analytics tools. The user must be able to consent to this collection of data, also called tracking, or to reject it, and rejecting must be as easy as accepting. Non-essential cookies and tracking scripts may only be set after consent has been given. Strictly speaking, the consent requirement for cookies follows from the ePrivacy rules (in Germany, Section 25 TTDSG) rather than from the GDPR, but the consent obtained must meet the GDPR's standard of a freely given, informed and documented choice.
With Shopify, such a cookie banner can be added via apps such as Usercentrics.
Reading tip: You can read more about legally compliant Shopify cookie banners here.
Shopify apps & EU GDPR
Shopify apps can provide a variety of features and services for Shopify merchants, but it's important to ensure that these apps are compliant with data protection regulations, including the General Data Protection Regulation (GDPR). Here are some important aspects Shopify merchants should consider regarding apps and GDPR:
Data Processing Agreement (DPA): Before using an app, Shopify merchants should ensure that the app provider offers a Data Processing Agreement (DPA). A DPA is required to ensure that the app provider processes customers' personal data in accordance with GDPR requirements.
Consent and transparency: Apps that collect or process personal data should implement transparent mechanisms for obtaining user consent. A cookie banner, for example, can and should be used for this purpose. Store owners should ensure that customers are informed about data processing and actively and clearly give their consent.
Data security of the app: The app provider should implement appropriate security measures to ensure that the collected data is protected against unauthorized access and loss. Retailers should ensure that the app complies with industry security standards.
Right to erasure and data access: The app should provide mechanisms to allow customers to access their personal data and give them the option to delete their data. This is particularly important to meet the requirements of the right to erasure and access.
Regularly review app permissions: Shopify apps request access scopes (e.g., read access to customers or orders) when they are installed. Review the installed apps and the scopes they hold regularly, remove apps whose access is broader than the function you use them for, and uninstall apps you no longer use, since an unused app keeps its access to your customer data otherwise.
Customer data encryption: The app provider should provide clear information on whether and how customer data is encrypted. This is important to ensure that data is adequately protected during transmission and storage.
Responding to data breaches: Retailers should have clear agreements with app providers on how data breaches will be reported and handled. As a processor, the app provider must notify you without undue delay after becoming aware of a breach (Art. 33(2)), and you as the controller must notify the supervisory authority within 72 hours where the breach is likely to pose a risk to the data subjects (Art. 33(1)). A quick, well-rehearsed response is therefore crucial.
App updates and compliance: Shopify merchants should ensure that the apps they use are regularly updated to comply with the latest data protection requirements and legislative changes.
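The obligations discussed above (the right to erasure with its retention exception under Art. 17, the machine-readable export under Art. 20, and the "right to erasure and data access" point in this list) come together in the three mandatory GDPR webhooks Shopify sends to every app: customers/data_request, customers/redact and shop/redact, each signed with the app's API secret in the X-Shopify-Hmac-Sha256 header. The following Python handler is an added example written for this page, not code from Shopify or from the original article; the in-memory CUSTOMERS table, the secret, the sample payloads and the invoice_required_until retention field are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed sample data: a tiny in-memory "app database" keyed by
# (shop_domain, customer_id). A real app would query its own datastore here.
# "invoice_required_until" is a hypothetical field marking the end of the
# statutory retention period for an order's invoice.
CUSTOMERS: Dict[Tuple[str, int], dict] = {
    ("example-shop.myshopify.com", 1001): {
        "email": "alice@example.com",
        "phone": "+49 30 1234567",
        "orders": [{"id": 5001, "total": "49.90", "invoice_required_until": "2033-12-31"}],
        "marketing_consent": True,
    },
    ("example-shop.myshopify.com", 1002): {
        "email": "bob@example.com",
        "phone": None,
        "orders": [],
        "marketing_consent": False,
    },
}


def sign_body(raw_body: bytes, api_secret: str) -> str:
    """base64(HMAC-SHA256(api_secret, raw_body)): what Shopify puts into the
    X-Shopify-Hmac-Sha256 header. Used here only to build sample requests."""
    digest = hmac.new(api_secret.encode(), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_shopify_hmac(raw_body: bytes, header_value: Optional[str], api_secret: str) -> bool:
    """Constant-time check of the webhook signature over the RAW body bytes.
    Never re-serialise the JSON before hashing: a whitespace change breaks the MAC."""
    expected = sign_body(raw_body, api_secret).encode()
    return hmac.compare_digest(expected, (header_value or "").encode())


def handle_gdpr_webhook(headers: dict, raw_body: bytes, api_secret: str) -> Tuple[int, dict]:
    """Returns (HTTP status, response body) for the three mandatory GDPR topics."""
    # 1. Authenticate BEFORE parsing or acting: an unauthenticated caller must
    #    not be able to trigger erasure of a customer or of a whole shop.
    if not verify_shopify_hmac(raw_body, headers.get("X-Shopify-Hmac-Sha256"), api_secret):
        return 401, {"error": "invalid HMAC"}

    topic = headers.get("X-Shopify-Topic", "")
    payload = json.loads(raw_body)
    shop = payload["shop_domain"]

    if topic == "customers/data_request":
        # Art. 15/20: return everything held about the customer in a
        # machine-readable format; the merchant forwards it to the data subject.
        cid = payload["customer"]["id"]
        return 200, {"format": "application/json", "export": CUSTOMERS.get((shop, cid))}

    if topic == "customers/redact":
        cid = payload["customer"]["id"]
        record = CUSTOMERS.get((shop, cid))
        if record is None:
            return 200, {"status": "nothing to erase"}
        # Art. 17(3)(b): orders still inside a statutory retention period may
        # not be deleted. Keep those, strip every identifying field, and flag
        # the record so nothing else (marketing, analytics) touches it (Art. 18).
        retained = [o for o in record["orders"] if o.get("invoice_required_until")]
        if retained:
            CUSTOMERS[(shop, cid)] = {
                "email": None, "phone": None, "marketing_consent": False,
                "orders": retained, "restricted": True,
            }
            return 200, {"status": "restricted", "retained_orders": len(retained)}
        del CUSTOMERS[(shop, cid)]
        return 200, {"status": "erased"}

    if topic == "shop/redact":
        # Sent after the merchant uninstalls the app: drop everything for that shop.
        keys = [k for k in CUSTOMERS if k[0] == shop]
        for k in keys:
            del CUSTOMERS[k]
        return 200, {"status": "shop erased", "records": len(keys)}

    return 400, {"error": "unexpected topic: " + topic}
```

The order of operations is the security point: the signature is verified over the raw bytes before the body is parsed or any record is touched, because a forged redact request that slipped through would delete data you are legally obliged to keep, and the handler answers 401 rather than silently ignoring the request so that forgery attempts show up in your logs.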
Your privacy policy, i.e. the information you must provide under Art. 13 and 14 GDPR, must be precise, transparent, understandable, easily accessible and written in clear and simple language, and it must name the legal basis for each data processing operation.
Do you need help implementing your General Data Protection Regulation? Then contact us now without obligation and we will support you with our know-how.
Frequently asked questions about the new EU-DSGVO
What does the GDPR regulate?
The General Data Protection Regulation contains the rules on the protection of natural persons with regard to the processing of their personal data and on the free movement of such data within the EU.
To whom does the GDPR apply?
The GDPR applies to all persons and organizations that process personal data of customers, users or employees, regardless of whether they are based in the EU, as long as they offer goods or services to people in the EU or monitor their behaviour.
When do I have to delete data according to the General Data Protection Regulation?
According to the General Data Protection Regulation, personal data must be erased if the data subject withdraws consent and no other legal basis applies, or if the purpose of the data processing has been fulfilled, unless a statutory retention obligation (e.g., for invoices under tax law) requires you to keep it for longer.
How do I make Shopify GDPR compliant?
Add a cookie banner that lets visitors accept or reject tracking, publish a privacy policy and imprint, conclude data processing agreements with Shopify and every app provider that handles customer data, document the consents you collect and be prepared to export or erase a customer's data on request.
Is Shopify GDPR compliant?
Yes, Shopify is designed to meet the requirements of the General Data Protection Regulation (GDPR). Shopify offers features and tools to help merchants make their stores GDPR compliant; the remaining obligations, such as the cookie banner, the privacy policy and the review of your apps, are up to you as the controller.
Where can I find more GDPR compliance resources on Shopify?
Shopify offers informative articles in the help section, training materials and a community to help merchants implement the GDPR guidelines. Visit the official Shopify website and help section for more details.
Do I need to check my apps for GDPR compliance?
Yes, merchants should ensure that the apps they use are also GDPR compliant. Check the privacy practices of the app providers and make sure you have a DPA with them.