
E-Commerce


Personal data is essential to fulfill business needs in the e-commerce sector. It serves to establish, maintain and improve the customer relationship. Below is an introduction to:

Data processing: What kind of personal data is typically processed in the e-commerce sector, and how critical is that processing?

Regulation: Which privacy laws and provisions have to be respected in the e-commerce sector?

Risks & enforcement: Which compliance risks must be considered, and what has been the focus of supervisory authorities and courts?






Cookie requirements, online shops and performance measurement:
what you should know about e-commerce and data protection





What kind of personal data is typically processed in the e-commerce sector, and how critical is that processing?

Modern online shops consist of many different processing operations that either enable the shopping activity itself or provide for an attractive shopping experience. Personal data is required to take orders from customers and, subsequently, to deliver the ordered products to the designated recipient(s).

The anonymity of the internet increases mistrust between potential customers and shop owners. As a consequence, the latter have a strong interest in delivering products only to reliable and solvent customers. In the case of purchase on account, the risk of fraud can be minimized by solvency (credit) checks that precede the order confirmation; such checks require the processing of sensitive financial information about the customer.

The shopping experience may be enhanced by integrated social plugins that let the customer use the payment functionality of social networks or other tech companies instead of the payment features provided directly in the webshop. Note that an embedded third-party plugin loads the provider's script and typically transmits visitor data (such as the IP address and any cookies the provider has set) to the provider as soon as the page loads, before the customer has interacted with it at all.

Last but not least, the webshop's performance may be measured with a wide variety of analytics tools that give detailed insights into customers' shopping habits.



Which privacy laws and provisions have to be respected in the e-commerce sector?

The GDPR provides several legal bases that may permit the processing of webshop customer data. Shop operators should carefully assess, from a data protection perspective, whether a processing operation triggered by the webshop can still be regarded as necessary for the performance of a service requested by the customer (Art. 6(1)(b) GDPR) or whether the customer's consent (Art. 6(1)(a) GDPR) must be obtained instead.

Because the GDPR requires the controller (here: the shop operator) to be able to demonstrate that the data subject (customer) has consented, consent forms should be part of an overarching consent management system that allows for the automated recording, verification and withdrawal of consent. Even where consent is not required under the GDPR, because the shop operator's overriding legitimate interests would also legitimize the processing, other laws, such as the German TTDSG, may nevertheless require consent; the TTDSG does so for storing information on, or reading information from, the user's device unless this is strictly necessary for the service the user has requested.
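As an added illustration of the "automated receipt, verification and withdrawal" requirement above (this is example code, not the page's or any vendor's consent tool): a minimal Python consent ledger. Decisions are stored append-only and hash-chained, so the controller can later show which banner version a customer accepted and when, a withdrawal is a new record rather than a deletion, and non-essential processing is gated on the most recent decision. The purpose names, banner version strings and in-memory storage are assumptions made for the example.

```python
"""Consent ledger for a webshop: append-only, hash-chained records of consent
decisions, so the controller can demonstrate that (and when, and to which
banner version) a customer consented, and honour withdrawal immediately.

Assumptions (not from the page): purpose names, banner version strings and the
in-memory list are illustrative; a real deployment would persist the events.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json
from typing import List, Optional, Tuple

# Purposes the shop treats as strictly necessary for the service the customer
# requested (assumed names). These need no consent; everything else does.
STRICTLY_NECESSARY = {"cart", "checkout", "fraud-prevention"}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str          # pseudonymous customer/session identifier
    purpose: str          # e.g. "analytics", "marketing", "social-plugin"
    granted: bool         # True = consent given, False = refused or withdrawn
    banner_version: str   # the wording/version the customer actually saw
    timestamp: str        # ISO 8601, UTC
    prev_hash: str        # digest of the previous event (tamper evidence)

    def digest(self) -> str:
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class ConsentLedger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, user_id, purpose, granted, banner_version, now):
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev = self._events[-1].digest() if self._events else self.GENESIS
        ev = ConsentEvent(user_id, purpose, granted, banner_version, ts, prev)
        self._events.append(ev)
        return ev

    def record(self, user_id, purpose, granted, banner_version, now=None):
        """Receipt: store the customer's decision for one purpose."""
        return self._append(user_id, purpose, granted, banner_version, now)

    def withdraw(self, user_id, purpose, now=None):
        """Withdrawal: a new event, never a deletion, so history stays provable."""
        return self._append(user_id, purpose, False, "n/a (withdrawal)", now)

    def latest(self, user_id, purpose) -> Optional[ConsentEvent]:
        for ev in reversed(self._events):
            if ev.user_id == user_id and ev.purpose == purpose:
                return ev
        return None

    def may_process(self, user_id, purpose) -> bool:
        """Gate for shop code: run a processing only if it is strictly
        necessary or the most recent decision for this purpose is 'granted'."""
        if purpose in STRICTLY_NECESSARY:
            return True
        ev = self.latest(user_id, purpose)
        return ev is not None and ev.granted

    def proof(self, user_id, purpose) -> Optional[dict]:
        """Verification: the record the controller can show on request."""
        ev = self.latest(user_id, purpose)
        return None if ev is None else {**asdict(ev), "event_hash": ev.digest()}

    def verify_chain(self) -> bool:
        """True if no event has been altered, inserted or removed."""
        prev = self.GENESIS
        for ev in self._events:
            if ev.prev_hash != prev:
                return False
            prev = ev.digest()
        return True


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    """Constructed walk-through: grant analytics, check gates, withdraw."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed time
    ledger.record("u1", "analytics", True, "banner-v3", t0)
    before = ledger.may_process("u1", "analytics")     # consented
    checkout = ledger.may_process("u1", "checkout")    # strictly necessary
    marketing = ledger.may_process("u1", "marketing")  # never asked: blocked
    ledger.withdraw("u1", "analytics", t0.replace(hour=10))
    after = ledger.may_process("u1", "analytics")      # withdrawn: blocked
    return before, checkout, marketing, after, ledger.verify_chain()


if __name__ == "__main__":
    print(demo())
```

The point of the gate is that analytics or marketing scripts are only loaded after `may_process` returns true for that purpose; silence (no record) is treated as refusal, and a withdrawal takes effect on the next check without any record being deleted.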

Regardless of the legal basis, privacy notices must be provided on the website covering all shop-specific features, including tracking and targeting technologies that are invisible to the customer.



Which compliance risks must be considered, and what has been the focus of supervisory authorities and courts?

If data in e-commerce is not processed in accordance with the law, this can have a strong impact on the lives of the data subjects (e.g. website visitors), for example if extensive visit and interest profiles are created for potential customers.

Against this backdrop, data processing in e-commerce has already been the subject of various statements by supervisory authorities and of court judgments.






