
How to Make Your Ecommerce Website GDPR Compliant: A Complete Checklist

Oct 08, 2020

Yana S., Copywriter
Elena K., Head of Quality Assurance office

Since May 25th, 2018, the General Data Protection Regulation (GDPR) has imposed requirements on ecommerce companies that work in the EU or provide their products or services to EU residents. If you’re subject to GDPR requirements, don’t miss our complete GDPR ecommerce checklist for your website. 

What is the GDPR? 

The GDPR combines rules and requirements for collecting, storing, and processing EU residents’ personal data. These requirements were introduced to prevent invasive data tracking and data manipulations. The GDPR aims to provide EU residents full control over their personal data and ensure its security. 

Within the context of the GDPR, there are several roles companies and their customers/clients may have. Let’s take a look at them.

  • Data controller – A company or organization that determines the purposes for which personal data is collected and the means by which it is processed. 
  • Data processor – A third party that processes personal data on behalf of a data controller. Data processors don’t own the data provided to them and process it only on the data controller’s documented instructions. 
  • Data subject – The identified or identifiable natural person the personal data relates to, such as a customer whose name, ID number, or address you hold. 

Now, let’s take a look at the GDPR checklist we’ve prepared for ecommerce website owners.

GDPR compliance checklist for an ecommerce company

We’ve divided the GDPR requirements for ecommerce websites into several categories for your convenience. Each category covers a particular aspect of the regulations and reveals the requirements you need to satisfy.


Each point on our ecommerce GDPR compliance checklist refers to one or more roles a person or entity plays within the context of the GDPR: data controller, data processor, or both.

Let’s review each category and each point of the GDPR compliance checklist and see what entities are subject to each checklist item.

1. Data security

Here, we’ll review requirements the GDPR imposes on companies to ensure the safety of users’ personal data.

1.1 Your company must maintain a list of all types of information you store, the sources of that information, whom you disclose it to, and terms and duration of its use.

To be fully GDPR compliant, you should thoroughly document all data you collect. Each piece of your users’ personal information should be accompanied by details about it, including its type, the source from which you received it, the third parties with whom you’ve shared it, your reason for collecting this particular piece of information, and the date when you will no longer need it. 

Affected entities: data processor, data controller

1.2 Your company must keep records of locations where you store data subjects’ personal information and the ways data flows between those locations.

You should document any locations where your users’ personal data is located, such as MySQL or PostgreSQL databases. Moreover, if you store data in physical storage, you need to document the address of the storage location. You should also describe in detail the process of moving information from one place to another.

Affected entities: data processor, data controller

1.3 Your company must have a publicly accessible privacy policy that outlines all processes connected with personal data.

Your organization’s website should let users access your privacy policy, which should describe how you handle users’ data. This policy should explain your reasons for collecting data, the way you process data, who you share data with, and what measures you take to keep data safe. 

Affected entities: data processor, data controller

1.4 Your company’s terms and conditions must mention a lawful basis for data processing.

To process users’ personal data, you must have a lawful basis, and the GDPR recognizes six of them. Consent is the most familiar: the data subject agrees to processing for a specific purpose. Processing is also lawful when it’s necessary to perform a contract with the data subject, to comply with a legal obligation, to protect someone’s vital interests, or to perform a task in the public interest.

The sixth basis, legitimate interests of the data controller or a third party, applies only where those interests are not overridden by the data subject’s interests, rights, and freedoms. Note that consent is not freely given when access to a service is made conditional on consenting to processing the service doesn’t require, so rely on consent only where users have a genuine choice and state the basis you rely on for each purpose.

Affected entity: data controller

2. Accountability and management

This category of GDPR requirements reveals what you need to consider to ensure your organization management process is GDPR compliant. 

2.1 Your company may need to have an assigned Data Protection Officer.

A Data Protection Officer (DPO) is an expert who makes sure that an organization follows laws and regulations related to data protection. 

Appointing a DPO is mandatory if your company is a public authority, if your core activities involve regular and systematic monitoring of data subjects on a large scale, or if your core activities involve large-scale processing of special categories of data (such as health, biometric, or religious data) or data relating to criminal convictions. 

Even though your company might not be obliged to hire a DPO, it’s a good practice to have someone who will monitor the data protection flows in your company. 

Affected entities: data processor, data controller

2.2 Decision-makers in your company must be aware of GDPR obligations.

Your task is to verify that key people in your company are aware of the main principles of data protection. If key people don’t have enough knowledge of these principles, it’s your responsibility to compensate for that. For instance, you can hire a specialist to run a series of training sessions on data protection.

Affected entities: data processor, data controller

2.3 Your company must use security measures appropriate to the risk, taking the state of the art into account.

The GDPR doesn’t prescribe specific products; it requires technical and organizational measures appropriate to the risk, considering the state of the art and the cost of implementation. In practice this means keeping every system that touches personal data patched and up to date, encrypting data in transit (TLS) and at rest, pseudonymizing data where you can, restricting access to personal data on a need-to-know basis, using firewalls to protect your private network from unauthorized access, and regularly testing that these measures actually work. Up-to-date antivirus software helps on endpoints but is only one component of this.

Affected entities: data processor, data controller

2.4 Your staff should be aware of data protection measures.

Your company needs to develop guidelines for team members on email security, setting strong passwords, two-factor authentication, device encryption, and the use of virtual private networks (VPNs). Conduct training on GDPR principles each time newcomers join your team and after regulations are updated. Pay special attention to those who have direct access to users’ personal data. 

Affected entity: data processor

2.5 You must keep a record of all sub-processors involved in processing your users’ data, have the controller’s authorization to use them, and disclose them.

If you engage sub-processors to help process your users’ data, you need the data controller’s prior written authorization (general or specific), you must inform the controller of any intended changes so that it can object, and you must bind each sub-processor to the same data protection obligations you have accepted. List all sub-processors in your data processing agreement or terms and conditions so that the controller can, in turn, inform its users. 

Affected entity: data processor

2.6 If your company is based outside the EU, you must assign a representative within the EU.

If your company has no establishment in the EU but offers goods or services to, or monitors the behavior of, people in the EU, you need to designate in writing a representative established in one of the member states where those people are. The representative acts as the point of contact for supervisory authorities and data subjects on your behalf. The GDPR exempts only occasional processing that is unlikely to result in a risk to individuals and that does not include special categories of data on a large scale. 

Affected entities: data processor, data controller

2.7 You must report personal data breaches to the relevant authorities within 72 hours.

Your organization should have an incident response plan that covers personal data breaches, not only data loss but also unauthorized access, disclosure, or alteration. If you are a data controller and become aware of a breach, you must notify your supervisory authority within 72 hours unless the breach is unlikely to result in a risk to the rights and freedoms of individuals; if you miss the deadline, you must explain the delay. The notification should describe the nature of the breach, the categories and approximate number of data subjects and records affected, the contact details of your DPO or another contact point, the likely consequences, and the measures you have taken or propose to take. Where the breach is likely to result in a high risk to individuals, you must also inform the affected users without undue delay. If you are a data processor, you don’t notify the authority yourself: you must notify the controller without undue delay after becoming aware of the breach so that the controller can meet its own 72-hour deadline. 

Affected entities: data processor, data controller

2.8 You must sign contracts with any third parties involved in data processing.

Your company needs to sign a contract (often called a data processing agreement) with any data processor that has access to your users’ information. This contract should set out the subject matter, duration, nature, and purpose of the processing, the types of personal data, and the categories of data subjects. It should also spell out your rights and obligations as the controller and the processor’s obligations, including processing data only on your documented instructions, keeping it confidential, assisting you with data subject requests and breach notifications, and deleting or returning the data when the contract ends. 

Affected entity: data controller

3. Customers’ consent

Customers’ consent to data processing is one of the basic requirements of the GDPR. Let’s see what you should do to acquire legitimate consent to data processing from customers.

3.1 Customers’ consent must be freely given, specific, informed, and unambiguous.

While gathering customers’ information on your website, make sure you provide customers with an easily accessible link to your privacy policy and ask for consent separately for each purpose (for example, a marketing newsletter) rather than bundling it with acceptance of your terms and conditions, since accepting the terms to complete a purchase is not consent to unrelated processing. Consent must be a clear affirmative action: pre-ticked boxes, silence, or inactivity don’t count. You must also be able to demonstrate afterwards that consent was given, so keep a record of who consented to what, when, and under which version of your policy. 

Affected entity: data controller

3.2 Your privacy policy must be clear and understandable.

Use simple and understandable language in your privacy policy to deliver an unambiguous message on the terms of processing personal data. This is especially vital if your target audience comprises children. 

Affected entity: data controller

3.3 Your customers must be able to easily withdraw their consent to information processing.

Similarly to the way users can agree to their personal data being processed by your company, they should have an option to revoke their consent.

Affected entity: data controller
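As an added illustration of points 3.1 and 3.3 (example code written for this article, not code from the page or from any RubyGarage project), the Ruby consent ledger below records consent per purpose only when the user actively ticked the box (a pre-ticked default is rejected), keeps the time and the privacy policy version each consent was given under so that consent can be demonstrated later, and makes withdrawal as easy as granting while preserving the audit trail. The class and method names, and the user ID and purposes used in the walk-through, are assumptions for illustration.

```ruby
# Added example, not from the original article: a minimal in-memory consent
# ledger for an ecommerce site. Class and method names are illustrative.
class ConsentLedger
  # One consent event. withdrawn_at stays nil while the consent is active.
  Record = Struct.new(:user_id, :purpose, :granted_at, :policy_version,
                      :withdrawn_at, keyword_init: true)

  def initialize
    @records = Hash.new { |hash, key| hash[key] = [] }
  end

  # Records consent for one specific purpose. checked_by_user is the value
  # of the consent checkbox as the user actually left it; a form that
  # pre-ticks the box and is submitted untouched must not pass true here.
  def grant(user_id:, purpose:, policy_version:, checked_by_user:, now: Time.now.utc)
    unless checked_by_user == true
      raise ArgumentError, 'consent must be an affirmative act, not a pre-ticked default'
    end
    raise ArgumentError, 'purpose must be specific' if purpose.to_s.strip.empty?

    @records[user_id] << Record.new(user_id: user_id, purpose: purpose,
                                    granted_at: now, policy_version: policy_version,
                                    withdrawn_at: nil)
    true
  end

  # Withdrawal marks the active consent(s) for the purpose as withdrawn but
  # keeps the records, so you can still show that consent existed at the time
  # of earlier processing. Returns false if there was nothing to withdraw.
  def withdraw(user_id:, purpose:, now: Time.now.utc)
    active = @records[user_id].select { |r| r.purpose == purpose && r.withdrawn_at.nil? }
    return false if active.empty?

    active.each { |r| r.withdrawn_at = now }
    true
  end

  # Check this before each use of the data for a purpose: true only while an
  # unwithdrawn consent exists for exactly that purpose.
  def consented?(user_id:, purpose:)
    @records[user_id].any? { |r| r.purpose == purpose && r.withdrawn_at.nil? }
  end

  # Audit trail for a user, usable to answer an access request or to prove
  # consent to a supervisory authority.
  def history(user_id)
    @records[user_id].map(&:to_h)
  end
end

# Walk-through with constructed data: user 42 opts in to a newsletter, the
# site checks before sending, then the user withdraws and the check fails.
def consent_demo
  ledger = ConsentLedger.new
  ledger.grant(user_id: 42, purpose: 'marketing_newsletter',
               policy_version: '2020-10', checked_by_user: true)
  before_withdrawal = ledger.consented?(user_id: 42, purpose: 'marketing_newsletter')
  # Consent for one purpose says nothing about another purpose.
  other_purpose = ledger.consented?(user_id: 42, purpose: 'profiling')
  ledger.withdraw(user_id: 42, purpose: 'marketing_newsletter')
  after_withdrawal = ledger.consented?(user_id: 42, purpose: 'marketing_newsletter')
  [before_withdrawal, other_purpose, after_withdrawal]
end

puts consent_demo.inspect if $PROGRAM_NAME == __FILE__
```

In a real application the records would live in a database table rather than memory, and the `consented?` check would sit in front of every job that emails, profiles, or shares the user’s data, so that withdrawing consent takes effect on the next run rather than after a manual clean-up.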

3.4 If you process personal data of children, you must verify their age and obtain consent for processing from a legal guardian.

You need to get a parent’s or legal guardian’s permission to process the data of a child under 16 years of age when you offer online services directly to children and rely on consent as your lawful basis; EU member states may lower this age to as low as 13, so check the threshold in each country you serve. If you’re requesting this permission via your website, you need to make reasonable efforts, taking available technology into account, to verify that permission is actually given by the person holding parental responsibility and not by the child.

Affected entity: data controller

3.5 When you update your privacy policy, you must inform existing customers.

If you implement any changes to your terms and conditions, you need to notify your users about those changes. For example, you can send your users emails with detailed information on what has been changed. 

Affected entity: data controller

4. Regular updates

Guidance on how to keep users’ information safe changes often, and so do the laws themselves. That’s why, to stay GDPR compliant, you need to make sure of the following:

4.1 Your company regularly reviews its data security policies for updates.

Your company should follow the best and most up-to-date practices and keep track of changes made to EU laws and regulations. Moreover, if you transfer data to countries outside the EU, you need to keep track of changes made when handling data in those countries. Remember that ignorance of laws and regulations is no excuse. 

Affected entity: data controller

5. Non-standard situation policy

Let’s also review unusual cases you might face and see what GDPR requirements you’ll need to satisfy if you do. 

5.1 You need to run a data protection impact assessment for processing likely to result in a high risk.

A data protection impact assessment (DPIA) identifies and minimizes risks to the rights and freedoms of data subjects before you start processing. The GDPR requires one in particular for systematic and extensive profiling that produces legal or similarly significant effects, for large-scale processing of special categories of data or criminal conviction data, and for systematic large-scale monitoring of publicly accessible areas. Supervisory authorities publish lists of further processing operations that require a DPIA, and where the assessment shows a high residual risk you must consult your authority before proceeding. 

Affected entity: data controller

5.2 You may transfer data outside the EU only with an adequacy decision or appropriate safeguards in place.

If you transfer your users’ personal data to countries outside the EU (for instance, to a hosting or email provider located there), you need a valid transfer mechanism. Transfers to countries the European Commission has recognized as providing an adequate level of protection need no further authorization. Otherwise you need appropriate safeguards such as the Commission’s standard contractual clauses or approved binding corporate rules, or, for occasional transfers only, one of the narrow derogations such as the data subject’s explicit, informed consent. Keep in mind that these rules apply to your processors and sub-processors too, so check where each of them stores and accesses data. 

Affected entities: data processor, data controller

6. User rights

The GDPR also outlines users’ rights that companies need to respect and grant. Let’s review all of them to be aware of the requirements they impose on ecommerce websites. 

6.1 You must provide users with information and communications in a clear and straightforward manner.

Articulate your privacy policy and communicate with customers in a concise and easily accessible way to ensure everyone understands each aspect of your privacy policy and communications. This is especially vital when you explain your company’s privacy policy to a child. 

Information can be provided in writing, in an electronic format, or even orally to a client whose identity is proven. 

Affected entity: data controller

6.2 You must allow users to obtain specific information. 

Your users are empowered to request specific details about your organization and your data processing cycle when you’re collecting their data. 

Information you must provide at the time of collection includes your company’s identity and contact details (and those of your EU representative, if you have one), the contact details of your DPO, the purposes of the processing and its lawful basis, and, where you rely on legitimate interests, what those interests are. You must also name the recipients or categories of recipients of the data and any countries or international organizations to which you transfer it. If you transfer data outside the EU, you need to tell users which transfer mechanism you rely on (such as an adequacy decision or standard contractual clauses) and how they can obtain a copy of the safeguards.

Affected entity: data controller

6.3 You must allow users to access information on how you process their data.

In addition to specific details, users should be able to get basic information about data processing within your company at any time. 

General details on your data processing cycle include the aims, conditions, and duration of data processing, categories of data you process, and a list of data recipients. You also need to let users know if they have a right to complain about the processing of their data. One more critical aspect pertains to the use of automated decision-making: users need to know the logic behind and understand the possible outcomes of automated decision-making. 

Affected entity: data controller

6.4 You must correct users’ data upon request.

Users can request to correct their personal data. Thus, if a user’s personal information is inaccurate or incomplete, you must correct it. In some cases, a supplementary statement can be required to update information. 

Affected entity: data controller

6.5 You must delete users’ data upon request.

You must delete a user’s personal data without undue delay when the user asks and one of the GDPR’s grounds applies: the data is no longer necessary for the purpose you collected it for, the user withdraws the consent your processing relied on and there is no other lawful basis, the user objects and you have no overriding legitimate grounds, the data was processed unlawfully, erasure is required by a legal obligation under EU or member state law, or the data was collected from a child in connection with online services. The right is not absolute: you may refuse where you need the data to comply with a legal obligation (such as keeping invoices for tax purposes) or to establish, exercise, or defend legal claims, among other exceptions. If you have made the data public, you must also take reasonable steps to inform other controllers processing it of the erasure request.

Affected entity: data controller

6.6 You must respect users’ rights to restrict data processing.

Users can request that a data controller restrict the processing of their data in several cases. Restriction applies while you verify the accuracy of data the user says is inaccurate, while you check whether your legitimate grounds override an objection the user has raised, and when the processing is unlawful but the user prefers restriction to erasure. While processing is restricted, you may still store the data, but you may otherwise process it only with the user’s consent, for legal claims, to protect another person’s rights, or for important public interest reasons, and you must inform the user before lifting the restriction. 

When a data controller no longer needs user data, it should normally be deleted. However, if the data subject needs the data to establish, exercise, or defend legal claims, the data controller restricts processing instead of deleting it. 

Affected entity: data controller

6.7 You must notify users regarding the correction and disposal of data or the restriction of data processing.

Your company should communicate any correction or disposal of your users’ personal data or restriction of processing directly to users and any third-party recipients. 

Affected entity: data controller

6.8 You must allow users to obtain and forward their data.

Where you process data on the basis of consent or a contract and by automated means, users can request that you provide the personal data they gave you in a structured, commonly used, and machine-readable format (for example, JSON or CSV). Users also have the right to have you transmit that data directly to another controller where this is technically feasible. 

Affected entity: data controller

6.9 You must provide users with the right to object.

Users can object to the processing of their personal data when your lawful basis is a task in the public interest or your legitimate interests, including profiling based on those grounds.

In such a case, as a data controller, you must stop processing the personal data of objecting users unless you can demonstrate compelling legitimate grounds that override their interests, rights, and freedoms, or the processing is needed to establish, exercise, or defend legal claims. Objections to processing for direct marketing, including related profiling, must always be honored without exception, and you must bring the right to object to users’ attention clearly and separately from other information, at the latest in your first communication with them.

Affected entity: data controller

6.10 You must respect users’ right not to be subject to decisions based solely on automated processing.

Users have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them (for instance, automatically refusing an online credit application). Such decisions are allowed only if they are necessary to enter into or perform a contract with the user, authorized by law, or based on the user’s explicit consent, and even then you must implement safeguards: at a minimum, the user must be able to obtain human intervention, express their point of view, and contest the decision. Where automated decisions may significantly affect your users, build a human review step into the process. 

Affected entity: data controller

Now that you have a full GDPR ecommerce checklist with requirements your organization should satisfy to achieve compliance, let’s look at what may happen if you fail to meet them.

Consequences of non-compliance

If a company fails to comply with GDPR requirements, supervisory authorities may impose administrative fines they consider effective, proportionate, and dissuasive. Depending on the harshness of the GDPR violation, authorities can choose between two types of fines:

Less severe 

If a company violates the basic obligations of a data controller or data processor (for example, the rules on security, records, breach notification, DPIAs, or DPOs), it may be fined up to 10 million euros or 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher.

More severe 

Violations of the following regulations may result in even bigger fines:

  • Basic principles of data processing and users’ consent 
  • Users’ rights
  • Regulations on the transfer of personal data to a recipient in a third country or an international organization 
  • Principles of specific processing situations 
  • An order or limitation on processing established by the supervisory authority

These violations may lead to administrative fines of up to 20 million euros or 4% of the firm’s total worldwide annual turnover for the preceding financial year, whichever is higher. 

Recap

Achieving and maintaining GDPR compliance certainly isn’t the easiest task for ecommerce companies. But if you share this burden with a skilled team of GDPR compliance auditors, compliance becomes much easier to attain. 


FAQ

  1. The GDPR requires companies to meet requirements pertaining to:

    • Data security
    • Accountability and management
    • User consent
    • Regular updates
    • Non-standard situation policy
    • User rights
  2. A data controller is a company or organization that identifies reasons for collecting personal information and determines how that information should be processed. A data processor is a third party that processes data provided by a data controller. Data processors don’t own the data provided to them and process it under the data controller’s rules.

  3. In case of less severe violations, penalties may be up to 10 million euros or 2% of your company’s total worldwide annual turnover, whichever is higher. More severe violations may lead to administrative penalties of up to 20 million euros or 4% of your firm’s total worldwide annual turnover, whichever is higher. 

    If you wish to ensure your ecommerce company’s GDPR compliance and avoid tremendous penalties, contact RubyGarage to undertake a compliance audit.
