
Shopify GDPR compliance - so you're on the safe side

updated on February 17, 2025
Author: Cenk Ertenü

Owner & Managing Director of ithelps Digital. Since 2013, he has been deeply engaged in SEO and online marketing.

Do you want to operate Shopify in compliance with GDPR and don't know how? As a Shopify shop operator, you're not alone. As a Shopify agency, we often encounter this question. I'll answer it for you in this article.


Why you should comply with the GDPR regulations

The General Data Protection Regulation (GDPR) is binding law throughout Europe. E-commerce operators who do not comply with the rules protecting personal data face heavy fines: for non-compliance, fines of up to €10 million or €20 million, or up to 4 per cent of annual turnover, can be imposed.

If you want to avoid a fine and have not yet dealt with the issue, or have done so only to a limited extent, it's time to do so.

In summary, there are 7 areas you need to pay particular attention to:

  1. Create a processing directory
  2. Obtain GDPR-compliant consent
  3. Adapt your privacy policy
  4. The rights of data subjects
  5. Obligation to report data breaches
  6. The cookie notice
  7. Using Google Analytics in compliance with the GDPR

1. Create a processing directory

Since all procedures in which personal data is processed must be documented in a processing directory, it is advisable to get an overview of what data you process in your Shopify store.

This is nothing new. As an online retailer, you already had to keep a processing directory before the GDPR. In contrast to the past, however, the controls and fines for non-compliance with the regulation have increased dramatically. If the processing directory is missing, the supervisory authorities can impose severe penalties.

You can find detailed information on creating a processing directory on the WKO website.

2. Obtain GDPR-compliant consent for data processing

If you want to collect, process and use personal data, you need the consent of the data subject. You must obtain this from the data subject before processing the data. With the GDPR in force, there are some strict requirements that you must comply with.

As there is an obligation to provide proof upon request, it makes sense to document the consents.

Consent to the processing of personal data must be voluntary and unambiguous. The data subject must actively give their consent (e.g. by ticking a box or similar) and must be informed exactly what they are consenting to. Also point out that consent can be withdrawn at any time.

If you already have consent from the past, check whether it complies with the regulations. If this is not the case, obtain it again.


3. Adapt privacy policy

As a Shopify shop operator, you must provide a privacy policy. This has been the case since 25 May 2018. However, the stricter requirements for this privacy policy are new.

For example, you must explain who the recipient of the data is if you pass it on to third parties - this is the case, for example, if you use a third-party provider for your email marketing campaigns (e.g. Mailchimp) or if you pass the data on to the wholesaler when dropshipping.

You must also state how long you plan to store the data for.

You can find further information on the duty to provide information in accordance with Article 13 GDPR here.

4. The rights of data subjects

Data subjects (website visitors, customers, etc.) have the right to contact you as the online shop operator and request information about the data collected. Upon request, you must provide information about the purpose of the data collection, the data category and the storage period.

Furthermore, the user has the right to data erasure and data portability. Explain these rights in your privacy policy.

All rights of data subjects according to the WKO:

  • Obligation to provide information when personal data is collected from the data subject
  • Obligation to provide information if the personal data was not collected from the data subject
  • Right to information
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

5. Obligation to report data breaches

Breaches of data protection law, whether accidental, due to negligence or, for example, due to a hacker attack, must be reported by you or the data protection officer to the responsible data protection supervisory authority within 72 hours.

The GDPR provides for the following reporting and notification obligations in the event of a personal data breach:

  1. Notification to the competent supervisory authority if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.
  2. Notification of the data subject if the personal data breach is likely to result in a high risk to the personal rights and freedoms of natural persons. (Source: WKO)

Your notification must include the following:

  • Exact description of the data breach
  • Assessment of possible consequences
  • Contact details of the data protection officer
  • Information on what measures have already been taken

6. The cookie notice

As an online retailer, you use at least one or two cookies in your store, even if only to log user activity with Google Analytics. According to EU regulations, you must point this out to your visitors.

You can do this with a paid or free extension offered in the Shopify App Store or with the open source solution Cookie Consent. Since you have to intervene in the code of your template with the open source solution, I recommend that you have a Shopify expert do this or follow these instructions exactly.

7. Shopify - Use Google Analytics in compliance with GDPR

Do you want to familiarise yourself with the GDPR in order to operate your Shopify store in compliance with data protection regulations?

Then I recommend the WKO website.

I also recommend our articles:

Contact forms GDPR 2018: What needs to be done on your website?

Integrate YouTube videos into websites in compliance with the GDPR

If you want to save yourself this work, you should contact a specialist. Preferably with a specialist in both areas: Shopify and GDPR.

How ithelps can help you as a Shopify agency and GDPR expert for websites and online shops

For Shopify merchants, dealing with the data protection regulation and implementing the guidelines means a considerable amount of extra work.

We have specialists in our agency who have made numerous websites and shops GDPR-compliant since the beginning of 2018 and are happy to take this work off your hands.

It goes without saying that the Shopify shops we create are GDPR-compliant.




Any questions?

If you have any further questions on the topic or would like professional support, feel free to get in touch with us. Send an email to office@ithelps-digital.com, call us at +43 1 353 2 353, or reach out to us via our contact page.


