Online Trading and EU GDPR
2019-01-08T13:14:03+02:00

EU GDPR and online trading

What do online retailers need to observe when the new EU GDPR comes into force?

The new standard data protection regulation has been applicable as law throughout Europe since 25 May 2018. This day also marks the end of the two-year implementation period, whereupon violations may lead to severe fines. This affects all businesses working with personal data.

As an online retailer, you undoubtedly use personal data. So you have a number of obligations which you need to observe in relation to your online shop.

Text modules for your GTC and receivables

To support you, Boniversum is offering you legally checked text modules for your GTC, enabling you to inform your customers or clients about credit checks. They can easily be integrated into your GTC.

Text modules for GTC of online retailers

Abbreviated version
Abbreviated version of text module on duty of information under EU GDPR article 14 (PDF, 34 KB)

Detailed version with all the relevant information
Text module on duty of information under EU GDPR article 14 (PDF, 46 KB)

Text module “Note on registering/using unpaid receivables for scoring purposes”

Text module for receivables (PDF, 37 KB)

Credit check in the purchasing process

Credit information gained in the purchasing process can of course continue to be used! As in the past, a credit check according to the EU GDPR can be based either on the data subject’s consent or on the retailer’s legitimate interest. Irrespective of the relevant payment method, Boniversum always works on the assumption that there is such a legitimate interest. If, therefore, credibility checks are regularly based on the online retailer’s legitimate interest, no express consent is required. However, the retailer must provide information about this in the data privacy policy, in a form that is accurate, transparent, comprehensible and easily accessible, using clear and simple language.

Info from our webinar “EU GDPR for Online Retailers”

Boniversum Webinar on EU GDPR for Online Retailers

What should online retailers expect? What do they need to bear in mind for their online shops? And how should they inform their customers? In our successful webinar which attracted considerable interest from online retailers, Marc Leske, Head of E-Commerce Sales at Boniversum, and Benjamin Spallek, Compliance and Data Protection Consultant at Creditreform Compliance Services GmbH, answered questions about the most pressing issues on the EU GDPR.

Did you miss the webinar? This is where you can download an FAQ document and a checklist of the most important details.*

Boniversum – EU GDPR – text modules for e-commerce

7 Questions & Answers on the EU GDPR
7 Questions & Answers on the EU GDPR (PDF, 221 KB)

EU GDPR Checklist for Online Retailers
EU GDPR Checklist for Online Retailers (PDF, 154 KB)

Seven Questions and Answers on the EU GDPR in Online Trading:*

What is the EU General Data Protection Regulation?

The EU General Data Protection Regulation (EU GDPR) is a regulation of the European Union that seeks to standardise data protection laws throughout Europe. However, it also contains numerous extension clauses, enabling member states to have different regulations in certain areas after all. The EU GDPR has been in force for some time now, since 24 May 2016, and will be mandatory EU-wide from 25 May 2018 onwards, after an implementation period of two years.

The EU GDPR requires companies to implement a range of new data protection specifications by the end of the period, on 25 May 2018.

How does this affect me as an online retailer? What does it mean for my online shop?

Here are the most important duties for online retailers, resulting from the EU GDPR:

  • Complete provider identification with clear links shown on each page of the web shop
  • Complete data privacy policy (with references to creditworthiness checks, the use of cookies, tracking, etc.)
  • Clear links to data privacy policies of third parties, in cases where third parties collect such data
  • Transparent ordering process (step by step, enabling users to make corrections)
  • Data security through encryption of the website

Please remember that this list is not exhaustive, but that it only covers the most important points!

How does this affect me specifically in the handling of purchase transactions?

From a data privacy perspective, we recommend that purchase transactions are designed with the greatest amount of transparency. Specifically, this means disclosing to customers what procedures you use in running the purchasing process and providing information about its impact and intended purpose.

Also, each customer must be able to cancel the order transaction at any time if they do not agree with one of the procedures. If the purchasing process involves obtaining privacy consent, then this must not be hidden within the GTC, but must be done expressly and separately. Credit checks are not included here, as they can be conducted on the basis of a so-called legitimate interest.

Can I, as an online retailer, continue to use credit information in a purchase transaction?

The answer to that is a clear YES. According to the EU GDPR, a credit check can be based either on the data subject’s consent or on the retailer’s legitimate interest. Irrespective of the relevant payment method, Boniversum always works on the assumption that there is such a legitimate interest. If, therefore, credibility checks are regularly based on the online retailer’s legitimate interest, no express consent is required. However, the retailer must provide information about this in the data privacy policy, in a form that is accurate, transparent, comprehensible and easily accessible, using clear and simple language.

What do I need to observe when storing information about consumers?

The storage of consumer data is generally subject to the principles detailed in the EU GDPR article 5 (1). In particular, we must emphasise the principle of purpose limitation. Under this principle, data can only be processed for the purpose for which they were originally collected.

Another important principle is data minimisation (formerly known as data economy). It specifies that the processing of personal data must be appropriate for the achievement of the relevant purpose and must be restricted to what is necessary. In addition, compliance is required with the relevant retention periods under tax law and commercial law – usually either 6 or 10 years, as specified in the German Fiscal Code (AO), section 147, and the German Commercial Code (HGB), section 257.

What are the risks in violating these new regulations?

Whereas, under the old German Federal Data Protection Act (BDSG), fines could not exceed EUR 300,000, the EU GDPR specifies fines of EUR 20 million or four per cent of the relevant company’s annual turnover. Businesses should therefore put the issue of data protection compliance firmly on their agenda.

How do I need to inform my customers?

As a credit check does not involve obtaining the relevant data from the actual data subject, the information duties follow the specifications of the EU GDPR article 14, whereby data subjects must be given transparent and detailed information about the procedure of a credit check. For this purpose Boniversum strongly recommends using its pre-written text modules, which vary in scope. The information can be given to data subjects in electronic form, e.g. through the data privacy policy on the website, or as part of the GTC.

We also recommend that your data privacy policy covers not only the EU GDPR, but also the provisions of the future ePrivacy Regulation (currently still only in draft form) on the use of data for marketing purposes and the use of cookies.

*This website has the purpose of providing some initial orientation and of giving a rough overview of the subject. The contents have been carefully checked and compiled to the best of our knowledge and belief. However, the information provided here includes no claim for completeness, quality or correctness, or for being up-to-date. We do not accept liability for damage caused by reliance on the contents of this website/these documents or their use.

Your contact

Marc Leske
Head of Sales E-Commerce

Phone +49 2131 109-528

