GDPR implementation stages in the online store


Thousands of entrepreneurs running online stores, even via shopping platforms such as Allegro or OLX, face the problem of implementing the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR), and of the Act of May 10, 2018 on the Protection of Personal Data (hereinafter: UODO), which entered into force on May 25, 2018. What are the stages of GDPR implementation in an online store? Read on!

GDPR implementation stages

First, before the entrepreneur takes any action related to preparing documentation on the processing of personal data, he should assess which of the processes used in running the online store involve the processing of personal data. To do this, it is necessary to conduct an audit, i.e. an inventory, which does not have to take any formalized form but requires considering how personal data have been processed so far.

According to the definition used in Art. 4 point 2 of the GDPR, processing means an operation or a set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, distributing or otherwise making available, aligning or combining, restricting, deleting or destroying. It is clear from the above definition that the processing of personal data is a very broad concept; for example, it also covers the mere storage of the data.

Certainly, in the case of an online store, the processing of personal data takes place in processes such as accounting and bookkeeping (e.g. issuing VAT invoices to customers), shipping the goods (e.g. providing the recipient's data to couriers) or sending existing customers information about current discounts. At the same time, it should be remembered that personal data include not only the name and surname or an identification number (such as NIP, PESEL or ID card number), but also online identifiers, i.e. IP and e-mail addresses. Any processing of even just the customer's e-mail address should therefore already be considered processing of personal data.

Risk assessment in the field of GDPR and UODO

The next step that an entrepreneur running an online store should take is to assess the risk associated with the requirements of the GDPR. The first question to answer is therefore whether the processing of personal data has so far been lawful and has taken into account the necessary security measures, the requirement to obtain consent for the processing of personal data, and the fulfillment of the information obligations towards customers provided for in the previously applicable personal data protection provisions. For many entrepreneurs, the answer to this question will probably be negative, which will make it necessary to implement the recommendations formulated during the audit.

Preparation of an "implementation checklist"

Once information has been collected on the purposes of personal data processing and the risks associated with this processing, a list of tasks to be performed in order to implement the GDPR should be prepared. It should certainly include elements such as consent clauses for data processing, the preparation of information brochures covering, among other things, the purposes of data processing, and the conclusion of personal data entrustment agreements.

Preparation of consent clauses

The obligation to obtain the customer's consent to the processing of personal data will not arise for every owner of an online store. It should be noted that pursuant to Art. 6 sec. 1 GDPR, processing is lawful only if and to the extent that at least one of the following conditions is met:

  a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

  b) processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

In the light of the condition referred to in point (b) above, the processing of personal data is lawful and does not require the consent of the data subject if the data are needed to perform the concluded contract. It should therefore be considered that the data necessary to issue an invoice or receipt, to handle a complaint, or to ship the goods can be processed without the customer's prior consent.

The condition specified in Art. 6 sec. 1 lit. b GDPR will not, however, cover the situation in which the entrepreneur sends an existing customer offers from his other auctions or information about discounts. Such activities will require explicit, informed consent in accordance with Art. 6 sec. 1 lit. a GDPR. It seems, however, that the customer's consent given by e-mail should be considered sufficient.

Compliance with the information obligation

Pursuant to Art. 13 GDPR, the personal data controller, when collecting personal data, provides the data subject with the necessary information, in particular regarding the controller's details, the purposes of the personal data processing, and the recipients or categories of recipients of the data, if any, and, where the controller is not a micro, small or medium-sized enterprise, about the possibility of raising objections, the period for which the personal data will be stored, or the right to lodge a complaint with the supervisory authority, i.e. the matters referred to in Art. 13 sec. 2 and Art. 14 of the GDPR, which only an enterprise larger than medium-sized is required to take into account.

A practical way for the online store operator to fulfill the information obligation may be to send each customer, in the e-mail sent after the purchase, an attached document with information about the processing of personal data. The information brochure certainly does not have to be extensive, but it must contain the elements required by the GDPR.

Preparation of personal data entrustment agreements

Art. 28 GDPR provides that where processing is to be carried out on behalf of the controller, the controller uses only processors that provide sufficient guarantees to implement appropriate technical and organizational measures in such a way that the processing meets the requirements of the Regulation and protects the rights of data subjects.

Such agreements will therefore have to be concluded with the entrepreneur's subcontractors, i.e. accountants, lawyers, IT specialists or courier companies: all those entities that will process the personal data obtained as a result of concluding a contract with the customer, but only for the purpose of performing that contract.

Consent to the sub-entrustment of personal data

It may also turn out that the contractor with whom the entrepreneur cooperates uses the services of other entities to perform the contract concluded with the entrepreneur. An example of such a situation is a platform that brings together couriers operating on the market. In such a case, it would be insufficient to limit ourselves to concluding an agreement with the entity running the platform (an intermediary), which directly receives the personal data of the person to whom the goods are to be shipped.

The GDPR states that the processor does not engage another processor without the prior specific or general written consent of the controller. In the case of general written consent, the processor informs the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

Privacy policy and security policy

The entrepreneur may also publish a Privacy Policy or a Security Policy on his website. However, these are optional documents, and adopting them serves as an assurance of good practice, reliability and commercial honesty on the part of the entrepreneur.

Monitoring the compliance of data processing with the requirements of the GDPR

Importantly, "GDPR implementation" is not a one-time process. An entrepreneur who has completed all of the above stages of GDPR implementation is obliged to ensure that all the personal data protection principles he has formulated are actually applied. In the case of micro, small and medium-sized enterprises, i.e. those employing up to 250 employees, monitoring the compliance of personal data processing with the law will not, however, entail the obligation to keep a register of personal data processing activities. However, each breach of personal data protection will require notification to the supervisory authority.


The basic dilemma faced by an entrepreneur who runs an online store is the need to determine his status under the GDPR. In most cases, he will have the status of a controller, since he alone or jointly with others determines the purposes and means of processing personal data (Article 4 (7) of the GDPR).

Determining one's status in the processing of personal data should be preceded by defining the actions that the entrepreneur must take in connection with the entry into force of the GDPR and the UODO, and the order in which they are to be performed.

Of course, implementing the GDPR in a company employing hundreds of employees with a turnover of several million will turn out to be much more difficult than in a sole proprietorship selling goods, but in this article we will focus on small businesses and, moreover, on those in which there are not many personal data processing processes. Online stores most often operate in this form.