GDPR in e-commerce - What you need to know

With the EU-wide General Data Protection Regulation (GDPR), legislators are expanding the protection of personal information. The law comes into force on 25 May 2018 and is binding for all companies that process the personal information of European citizens.

The GDPR comprises 99 articles and some 173 recitals. The law strengthens the information rights of data subjects and increases company accountability. The GDPR also regulates legal questions in online marketing more clearly, including the use of user-specific advertising.

Companies in violation of the new General Data Protection Regulation can be fined up to 4 percent of their global sales or up to 20 million euros. However, the GDPR also presents opportunities for retailers and for Europe as a business location as a whole.

In this article we explore the changes that come with the GDPR, how you should deal with them and how you should handle personalized advertising to remain compliant with the new regulation. It is not our intent to offer legal advice, and we urge you to consult a legal professional specializing in data protection and online law should you have specific legal questions.

What changes does the GDPR have in store for companies?

  • Companies are obliged to configure electronic devices and applications with default settings that protect data.
  • They are required to conduct a data protection impact assessment (DPIA). Companies must now design the data protection impact assessment from the perspective of the data subjects. That means that the responsible employees must think through the consequences for those affected. The data protection impact assessment is required whenever a data processing method is suspected of posing a considerable risk to the rights of the user.
  • Agreements for contract data processing (CDP) are expanded under the GDPR and thus become contracts for contract processing (CP). They contain additional rights and duties for the contracting parties. Now, for example, the processor must keep a “directory of processing activities”. This document lists all of the methods used to process personal information.
  • The duty to notify and inform in the event of data breaches is expanded, in particular regarding all breaches concerning the protection of personal information. The company is obliged to report the incident to the responsible supervisory authority and, if necessary, to those affected within 72 hours.
  • The circumstances that require the appointment of a data protection officer are expanded.

In addition to the GDPR, the ePrivacy Regulation is currently under discussion. The aim of this regulation is to further specify the GDPR. As things currently stand, the ePrivacy Regulation will not take effect at the same time as the GDPR. Trilogue negotiations between the EU Commission, the EU Parliament and the EU Council are anticipated for the second half of 2018. According to a draft of the ePrivacy Regulation, any processing of information should only be possible after the user has given express consent, unless the processing is absolutely necessary to provide the service. The regulation is the subject of intense debate, and numerous amendments have been tabled. So far, companies can only make assumptions as to what guidelines the law will contain. We will find out more during the course of the year.

The GDPR is coming – where do you start?

Companies are faced with the challenge of making all departments and processes involved in data collection and processing GDPR-compliant. Keep the following in mind:

  • Record the status quo of all data processing operations in all departments.
  • Review your processes and plan them in accordance with the new requirements. Involve all departments in the process planning.
  • Establish operational, technical, legal and organizational measures to act in compliance with the GDPR.
  • Set up a data protection management system. Base this system on VdS standard 3473, for example.
  • Check the service providers that process data on your behalf. Rework all ADV agreements (contract data processing) and convert them into AV agreements (contract processing, according to the GDPR). In contracts concluded with prudsys AG, we guarantee the permitted data transmission to the prudsys Realtime Decisioning Engine (prudsys RDE for short). We would be happy to advise you on the formulation of such a contract.
  • Review your data processing methods with regard to their risks (keyword: data protection impact assessment).
  • Review your procedure directory or set up a directory of processing activities.
  • Revise your internal regulations and update them in line with the new laws.
  • Hold information and training sessions about the GDPR for all employees.
  • Consider obtaining data protection certificates that you can use as proof for your customers. As yet, however, there is no certificate legitimized by the EU, so you have to decide whether to rely on existing certificates or wait for the legislator.

GDPR as a competitive advantage

The new regulations in the realm of data protection law bring many changes. At first glance, the laws seem mainly to create extra work, because processes have to be comprehensively reworked and redesigned.

However, the changes also offer the opportunity to use European data protection as a competitive advantage. By implementing them, providers put themselves in a position to protect the personal information of their customers effectively. Beyond the monetary cost, the loss of reputation in the event of a data breach is enormous and difficult to recover from.

When is the processing of personal data permitted?

Check the lawfulness of your data processing. It depends on the type of data and the purpose of the processing. Data processing is permitted when one of the following four points applies:

  • The processing of the data fulfils a contract or is necessary for pre-contractual steps.
  • Data processing is required in order to fulfil legal obligations.
  • Data processing takes place on the basis of a legitimate interest (which includes online marketing, Art. 6 Para. 1 lit. f GDPR). When justifying processing on the basis of legitimate interest, you undertake a balancing of interests between your company (advertiser / online shop) and the user.
  • The data processing takes place on the basis of consent obtained via opt-in (Art. 6 Para. 1 lit. a, Art. 7 GDPR). If user-specific advertising methods cannot be justified by a balancing of interests, you still have the option of relying on user consent via opt-in.

How to use personalized advertising in accordance with the new General Data Protection Regulation

If you use personal data in online marketing, you must justify the processing of this data on the basis of legitimate interest or on the basis of user consent. If you rely on marketing measures that do not use personal data, shop visitors are considered as a whole rather than individually. In this case the processing of data does not fall under the regulations of the GDPR.

With the prudsys RDE we offer numerous marketing initiatives that also work without the use of personal information. Among other things, the prudsys RDE enables the use of product-specific, category-specific, search-term-specific, global and user-specific recommendation logics. You select the recommendation logics appropriate for your online marketing.

We are in constant communication with shop service providers and legal counsel regarding the points about the GDPR mentioned here. We would be happy to work out a customized solution with you for using your user-specific advertising methods in compliance with data protection laws. Please direct any specific questions about the project to your contact person or to

As of: 08.02.2018.