GDPR E-commerce

GDPR in e-commerce - information for webshop owners

The EU's General Data Protection Regulation (GDPR) imposes strict requirements on how companies and other organisations handle personal data and other sensitive information about both customers and their own employees.

Do you run an e-commerce business and feel unsure about how to relate to the GDPR and what you should consider? Below you will find an informative guide to what the General Data Protection Regulation is and what requirements it imposes on you if you sell products or services via a webshop.

What is GDPR?

GDPR is short for General Data Protection Regulation, which is the English name of the law known in Swedish as Dataskyddsförordningen. The law entered into force in May 2018 and applies throughout the EU.

For companies involved in e-commerce, the GDPR is a particularly important law to keep track of as online sales automatically involve frequent handling of sensitive customer data.

The aim of the GDPR is to protect individuals' fundamental rights to privacy, integrity and freedom - of which personal data is an important part. As our society becomes increasingly digitalised and more information is transmitted and stored digitally, the risks of sensitive data being improperly exposed increase.

The GDPR sets a strict framework for how personal data may be processed and stored. This is partly to minimise the risk of it falling into the wrong hands - in the event of a data breach, for example - but also to protect everyone's right to privacy.

What counts as personal data?

Personal data includes any information that can be used to identify a person - for example:

  • Name
  • Personal identity number
  • Address
  • Telephone number
  • E-mail address
  • Fingerprints
  • Photo or video
  • Audio recording
  • IP address

GDPR in e-commerce: what are your obligations as a business owner?

Selling products and/or services online inevitably involves the processing of customers' personal data. For example, in order to send packages of goods ordered by a customer, you need to have their name and address.

As an e-merchant with a webshop, you become a data controller towards those who buy from you, which includes some obligations. First and foremost, under the GDPR, you only have the right to process personal data if there are objective and legitimate grounds for doing so. Furthermore, you must also be able to guarantee that it is done in a safe manner.

In more detail, your obligations mainly concern information and documentation. That is, how you inform your customers about the handling of personal data, and how you document the personal data you receive.

Detailed information on this can of course be found in the legal text of the GDPR. To give you a good overview, we have summarised the most important things you need to know about your information and documentation obligations below.

Information on the processing of customers' personal data

As an e-merchant and therefore a data controller vis-à-vis customers, you are obliged to provide clear information about:

  • The purpose for which you process personal data
  • Who the legal entity processing the data is - i.e. the name of your company
  • Who will access the data - for example, an external party
  • Customers' rights regarding the collection of personal data
  • How long you will keep the data and why
  • What legal basis you have for processing personal data

Under the GDPR, you are obliged to provide the above information in a clear and comprehensible manner. In short, it means that the information should be easy to find on the website, as well as easy to understand.

In e-commerce, it is important to remember that the information must be shared with the customer before a purchase is made. It may therefore be appropriate to place it at the checkout step. If you have a complete policy on the processing of personal data, you do not need to display the entire policy at checkout, but can link to it instead.

Documentation of personal data collected

Documentation is about how you internally manage the data you collect about individuals. Individuals include customers who shop in your webshop, as well as any employees of your company.

As far as documentation is concerned, you, as the representative of the company and therefore the data controller, are obliged to keep a list of all the systems in which personal data is processed - a system register. You must also document the risk and impact assessments carried out regarding the processing of personal data. For e-commerce, for example, the following systems may be relevant:

Documentation is a key part of the GDPR because as a business owner you are not only obliged to comply with all the requirements of the law, but you must also be able to show how they are met.

What to consider as an entrepreneur with a webshop

Selling via a webshop means that personal data may be processed at several different stages: for the purchase itself, but also for any returns and complaints. It is important to keep in mind that each stage should be documented separately. As an e-retailer, you must therefore have processing records for purchases as well as for complaints, returns and exchanges - that is, for every step in the processing of personal data. This of course includes any optional storage of personal data in your payment solutions.

Checklist for GDPR in e-commerce

We hope that the above information will be helpful to you as an e-commerce business owner. However, it is worth adding that the GDPR of course does not only affect e-retailers, but all companies and organisations that handle personal data - either digitally or on paper.

To sum it all up and make it even clearer what the GDPR means for you with a webshop, we have compiled a checklist of things you can (and should) do to ensure that the requirements of the GDPR are complied with:

  • Take an inventory of which of your systems process personal data
  • Review information on personal data processing to customers - it must be clear and easy to understand
  • Establish an internal personal data policy (use a GDPR policy template)
  • Train any staff on GDPR
  • Sign data processor agreements that guarantee the protection of personal data even when it is shared with partners
  • Password-protect all systems
  • Delete all stored data for which there is no longer any reason to keep it
  • Establish strict procedures for documentation - what, how, who, why and when?

Finally, we also recommend that you visit the website of Integritetsskyddsmyndigheten (the Swedish Authority for Privacy Protection), where more detailed information on the GDPR can be found.


Frequently asked questions about GDPR for webshops

Who is obliged to comply with the GDPR?

All companies and organisations that process personal data about individuals - both customers and employees.

When may personal data be processed?

When there are objective and legitimate grounds for it. For example, e-commerce companies may process personal data in connection with purchases, returns and complaints.

How long can personal data be stored?

Personal data may only be kept for as long as it can be proven necessary. The duration may vary depending on the activity.

Does the GDPR impose the same requirements on physical stores as on e-retailers?

Yes, physical shops are subject to the same obligations and responsibilities as e-retailers.