GDPR in E-Commerce: When One Consent to Personal Data Processing Is Enough
It’s been over half a year since the GDPR went into effect. By now, all European online business owners should be calm and assured about their shops operating according to the new legislation. Nevertheless, customers who are already pelleted by a multitude of pop-up windows, now have yet another one to deal with: consent to personal data processing.
Is it, therefore, necessary to obtain additional explicit customer consent to use personal data to process a commercial transaction?
Lawfulness of Processing
Article 6, paragraph 1, of the regulation linked above, says:
For online business owners, 4 of them are of particular importance:
- Granted consent of the data subject to process personal data.
Asking for consent is the most obvious case. In order to fulfill this, clients are asked for permission, often via another annoying pop-up.
- Performance of a contract in which the data subject is party.
Business owners can’t send ordered products without having the customer’s name, surname, shipping address, and telephone number. That’s why the contact details form is completely valid.
When the customer orders products and expects a courier delivery, shop owners have the right to use the contact data to perform a sales agreement. Therefore, it’s not necessary to add to the contact details form a question about consent to use personal data to send the package.
- Compliance with a legal obligation to which the controller is subject.
The best example of this is the age range of the customer ordering adult products. The seller not only has to obtain such information but also keep it for future compliance audits. Therefore, it’s not necessary to obtain customer consent to process this type of data. On the same basis, business owners don’t need consent to personal data processing to issue an invoice.
- Protecting the vital interests of the data subject.
The seller needs to be able to check if they are obliged to execute warranty or guarantee claims. To do this, the seller has to keep a list of buyers, especially those who purchase services, not only during the finalization of a transaction but also for a specific period of time following purchase. How long exactly depends on the country where the seller’s business is registered.
Processing a Commercial Transaction vs. Consent to Data Processing
When asking via a form for data necessary solely to process a commercial transaction, you can finalize it without asking for additional consent to personal data processing. However, keep in mind that it only works in the four cases listed above. If you want to use the data for marketing purposes, the consent to personal data processing needs to be explicit.
Polcode is an international full-cycle software house with over 1,300 completed projects. If you want your online store to be both GDPR-compliant and convenient for your customers, contact us. We’ll make sure your website meets all requirements, offering flawless user experience.