GDPR in eCommerce

GDPR in eCommerce: When One Consent to Personal Data Processing Is Enough

Małgorzata Pająk, Aleksandra Trachim
2 minutes read

It’s been over half a year since the GDPR went into effect. By now, all European online business owners should be calm and assured about their shops operating according to the new legislation. Nevertheless, customers who are already pelleted by a multitude of pop-up windows, now have yet another one to deal with: consent to personal data processing.

Is it, therefore, necessary to obtain additional explicit customer consent to use personal data to process a commercial transaction?

Lawfulness of Processing

Article 6, paragraph 1, of the regulation linked above, says:

There are as many as 6 distinct instances that authorize business owners to process personal data without obtaining additional consent. Click To Tweet.

For online business owners, 4 of them are of particular importance:

  • Granted consent of the data subject to process personal data.

Asking for consent is the most obvious case. In order to fulfill this, clients are asked for permission, often via another annoying pop-up.

  • Performance of a contract in which the data subject is party.

Business owners can’t send ordered products without having the customer’s name, surname, shipping address, and telephone number. That’s why the contact details form is completely valid.

When the customer orders products and expects a courier delivery, shop owners have the right to use the contact data to perform a sales agreement. Therefore, it’s not necessary to add to the contact details form a question about consent to use personal data to send the package.

  • Compliance with a legal obligation to which the controller is subject.

The best example of this is the age range of the customer ordering adult products. The seller not only has to obtain such information but also keep it for future compliance audits. Therefore, it’s not necessary to obtain customer consent to process this type of data. On the same basis, business owners don’t need consent to personal data processing to issue an invoice.

  • Protecting the vital interests of the data subject.

The seller needs to be able to check if they are obliged to execute warranty or guarantee claims. To do this, the seller has to keep a list of buyers, especially those who purchase services, not only during the finalization of a transaction but also for a specific period of time following purchase. How long exactly depends on the country where the seller’s business is registered.

Processing a Commercial Transaction vs. Consent to Data Processing

When asking via a form for data necessary solely to process a commercial transaction, you can finalize it without asking for additional consent to personal data processing. However, keep in mind that it only works in the four cases listed above. If you want to use the data for marketing purposes, the consent to personal data processing needs to be explicit.

Polcode is an international full-cycle software house with over 1,300 completed projects. If you want your online store to be both GDPR-compliant and convenient for your customers, contact us. We’ll make sure your website meets all requirements, offering flawless user experience.

On-demand webinar: Moving Forward From Legacy Systems

We’ll walk you through how to think about an upgrade, refactor, or migration project to your codebase. By the end of this webinar, you’ll have a step-by-step plan to move away from the legacy system.

Watch recording
moving forward from legacy systems - webinar

Latest blog posts

See more

Ready to talk about your project?


Tell us more

Fill out a quick form describing your needs. You can always add details later on and we’ll reply within a day!


Strategic Planning

We go through recommended tools, technologies and frameworks that best fit the challenges you face.


Workshop Kickoff

Once we arrange the formalities, you can meet your Polcode team members and we’ll begin developing your next project.