RODO (GDPR) in the online store step by step


Since May 2018, the Regulation of the European Parliament and of the Council (EU) known as the GDPR has applied. The provisions of the regulation introduced many new solutions in the field of personal data protection, the implementation of which was and continues to be a real challenge for all entrepreneurs processing personal data. Entrepreneurs running online stores should exercise particular caution, as the scope of data they process and store is very wide. Read how to implement the GDPR in an online store!

What documents are needed?

The GDPR regulation applies to all entrepreneurs operating in the European Union. In the case of online shops, the company's location outside the EU does not matter if the trader offers his goods to European residents.

The provisions of the GDPR do not impose on entities processing personal data a specific catalog or set of documents that must be prepared in order to adapt the conducted activity to the content of the regulation. Each entrepreneur must decide on his own what is necessary due to the nature of the business. Undoubtedly, the type of actions taken is significantly dependent on its type - in the case of an online store, factors such as the specificity of the store's customers or the scope of data obtained by the entrepreneur necessary to provide the service will be important.

The content of documents prepared with the users of the online store in mind must be drawn up in a simple language that is understandable to everyone, without the use of complicated phrases and references to regulations.

Before preparing the documents (or before updating them), the entrepreneur should conduct a detailed audit, the purpose of which is to examine which personal data security measures are already implemented and which ones require preparation.

An exemplary catalog of documents related to GDPR provisions in the online store should contain:

  1. Online Store Regulations;
  2. Privacy policy;
  3. Security policy;
  4. IT system management manual;
  5. Cookies policy;
  6. Templates of forms intended for the store's customers, including the model withdrawal from the contract and the complaint form template;
  7. Register of personal data processing activities;
  8. Register of incidents related to personal data breaches;
  9. Authorization to process personal data;
  10. Register of persons authorized to process personal data;
  11. Template of the declaration of consent to the processing of personal data.


Does the GDPR in the online store require changes to the regulations?

The main purpose of the online store regulations prepared in accordance with the provisions of the GDPR is to inform the store's customers and all visitors to its website about their rights and the seller's obligations.

An entrepreneur running an online store must inform users about:

  • the exact scope of the obtained personal data;

  • the method of storing personal data after their collection;

  • the right to request the deletion of collected data from databases maintained by the entrepreneur;

  • other user rights: the right to be forgotten, to edit collected personal data, and to report violations;

  • the method of operation in the event of an IT system failure, hacking into the system and theft of user data;

  • entrepreneur's data, including precise data of the personal data administrator;

  • segmentation of the maintained database.

From the point of view of entrepreneurs running online stores, the most important step is to obtain the consent of the website user for the processing of his personal data.

The entrepreneur should obtain and store only the data that is necessary for the performance of the service.

Example 1.

The entrepreneur runs an online store selling clothing. He can obtain telephone numbers from customers in order to fulfill the order and ensure its correct delivery. However, he should not obtain unnecessary data (e.g. a PESEL number) or use the obtained data in a manner inconsistent with its intended purpose (e.g. send text messages to the telephone number provided, if such a purpose is not specified in the regulations).

Obtaining the consent of the website users (not only the store's customers, but also all visitors to the website) is a key obligation of the entrepreneur. Importantly, consent cannot be automatic (the website user must express it on their own by selecting the appropriate option on the screen) and must be voluntary. The content of the statement must precisely specify what the user agrees to. The entrepreneur may use one formula containing all the required consents, but if he obtains them to a different extent and for different purposes, each of them should be expressed separately.

Register of data processing activities

Until the entry into force of the GDPR Regulation, entrepreneurs running online stores were required to register their data sets with GIODO. Currently, this obligation has been replaced by the need to keep a data processing register. It is a document containing information about:

  • the administrator of personal data (entrepreneurs processing and storing data);

  • the data protection officer (it should be noted that most online stores are not required to appoint one);

  • categories of people whose data is collected and stored by the administrator (e.g. customers of the online store);

  • entities to which the data of store users may potentially be made available (e.g. data of contractors of the entrepreneur running the store);

  • security measures used.

The register of personal data processing activities in the case of online stores does not apply only to store customers. If the entrepreneur running the store employs employees, he also processes their personal data. In such a case, the register must therefore reflect all data that is processed and stored by the trader.

The regulation provides that some categories of entrepreneurs are exempt from the obligation to keep the register (e.g. entities employing fewer than 250 employees or processing personal data only occasionally). However, online store owners must keep a register, because they process personal data in a substantially continuous and not occasional manner.

The shop system must meet the technical requirements

An entrepreneur running an online store must ensure that the systems and tools used by him meet all security requirements. Although most sellers use hosting services, entrusting the organization of the system to another entity does not release the entrepreneur from the obligation to ensure the security of the system and, consequently, the security of the stored data. Again, each data controller needs to consider what data they store and what security measures will be most effective in terms of protecting them.

The entrepreneur should apply both physical protection measures (e.g. storing documents in paper form in a manner that protects against theft or destruction) and IT protection measures (e.g. firewall security, personal data encryption, anonymization or pseudonymisation). The implementation and application of the GDPR requires the storage of data backups that will enable the recovery of users' data (and informing them about a data breach) after their loss.
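To make the pseudonymisation measure mentioned above concrete, here is an added example (not code from the original article or from any store platform) showing one common way to pseudonymise customer records: direct identifiers (e-mail, phone) are replaced by a keyed hash, and the mapping back to the person is kept in a separate table that would live in a separate system with its own access controls. The key, the record layout and the sample customers are all constructed assumptions for the illustration. The example also shows how an erasure request can be honoured by deleting only the mapping entry, leaving order statistics unlinkable to the person.

```python
import hmac
import hashlib
import secrets

# Hypothetical secret key. In production it would be kept outside the order
# database (e.g. in a secrets manager) so that the pseudonymised table alone
# cannot be re-identified; here it is generated at start-up for the demo.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Constructed sample customer records; these are not real people.
CUSTOMERS = [
    {"email": "anna@example.com", "phone": "+48 600 000 001", "order": "jacket, size M"},
    {"email": "jan@example.com", "phone": "+48 600 000 002", "order": "jeans, size 32"},
    {"email": "Anna@example.com", "phone": "+48 600 000 001", "order": "scarf"},
]

# Fields that directly identify a person and must not stay in the order table.
DIRECT_IDENTIFIERS = ("email", "phone")


def pseudonym_for(identifier: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier.

    The same e-mail always yields the same pseudonym, so several orders of one
    customer can still be linked, but without the key the pseudonym cannot be
    reversed or brute-forced from a list of likely addresses."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Split records into (pseudonymised order records, re-identification table).

    The two outputs are meant to be stored in separate systems: the order
    table carries only what is needed to fulfil the order, the lookup table
    carries the link back to the person."""
    pseudo_records = []
    lookup = {}
    for rec in records:
        pid = pseudonym_for(rec["email"], key)
        pseudo_records.append({"customer_id": pid, "order": rec["order"]})
        lookup[pid] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
    return pseudo_records, lookup


def reidentify(pseudo_records, lookup):
    """Join the order table back to the identifiers, e.g. for shipping.

    A record whose mapping has been deleted (erasure request) comes back with
    empty identifiers instead of raising, so order statistics survive."""
    joined = []
    for rec in pseudo_records:
        identifiers = lookup.get(rec["customer_id"])
        if identifiers is None:
            joined.append({**rec, "email": None, "phone": None})
        else:
            joined.append({**rec, **identifiers})
    return joined


def erase_customer(lookup, email: str, key: bytes) -> bool:
    """Right to be forgotten: remove the mapping entry for this person.

    Returns True if an entry was removed. The pseudonymised orders remain but
    can no longer be tied to the individual."""
    return lookup.pop(pseudonym_for(email, key), None) is not None


if __name__ == "__main__":
    orders, mapping = pseudonymise(CUSTOMERS, PSEUDONYM_KEY)
    print("order table:", orders)
    print("before erasure:", reidentify(orders, mapping))
    erase_customer(mapping, "anna@example.com", PSEUDONYM_KEY)
    print("after erasure:", reidentify(orders, mapping))
```

Note that this is pseudonymisation, not anonymisation: whoever holds both the key and the lookup table can re-identify every record, so the GDPR still treats the order table as personal data, and the value of the measure comes from keeping the key and the mapping under stricter access than the order data itself.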