The GDPR: what ePages merchants need to know

by Kristof Maletzke, 23.05.18

This article is also available in German, French, Spanish and Italian (as a PDF).


On 25 May 2018, the European Union’s new General Data Protection Regulation (GDPR) will come into effect. It specifies topics and actions that organisations need to consider regarding data protection. Online retailers are also affected by the changes and need to take active steps to comply with the new provisions.

At the moment, the public is becoming increasingly aware of the issue of data protection. Many consumers are asking themselves who is actually collecting their data, why it is being stored, and what exactly happens to it.

With the GDPR, the European Union intends to harmonise Europe-wide laws. Among other things, it specifies the requirements governing the collection and protection of personal data within the EU. By 25 May 2018, organisations will need to ensure that they are working in compliance with the GDPR.

How do I update my privacy policy?

Every online shop must include a privacy policy. This policy should indicate what visitor and customer personal data is being processed by the online shop. In your privacy policy, you can also specify how third-party providers deal with the data from your shop.

By default, all ePages shops include a page for the privacy policy, to which you only need to add the text of your policy. Instructions on changing the text can be found below in the section “Where can I find instructions on GDPR-related issues?”.

We offer you a free template for a privacy policy that you can use for your shop.

Please note that this policy only covers the basic shop functionality. However, if you are for instance using Google Analytics, you will need to adapt the policy. Help on this is available from Trusted Shops (see “Where can I find more information on the GDPR?” below).

If you are selling internationally and present your shop in different languages, you should consider offering the policy in those languages. To assist you with this, we also offer the template in German, French, Spanish and Italian.

What else do I have to consider as an online retailer?

As a merchant, you are responsible under the terms of the GDPR for ensuring that you comply with the new provisions. As the provider of your shop software, ePages can only provide technical assistance on these matters and is not permitted to offer any legal advice.

When may I process customer data?

As a merchant, it is important to know that certain circumstances do not require your customers’ explicit approval for processing their personal data. Processing is generally allowed when the data concerned is relevant for the proper fulfilment of a contract. You may therefore process the customer data required for doing business in your online shop. This includes, for example, passing on the customer’s address to logistics providers. However, to use this data for other purposes (e.g. a newsletter subscription), you need the customer’s explicit approval.

The approval for the further use of customer data must not be a requirement for entering into a contractual agreement in the first place. For example, it is not allowed to oblige a customer to subscribe to a newsletter by making it a requirement in the ordering process.

Which rights of my customers do I have to consider?

If a customer asks you if and which personal data you have stored, you must provide a response in writing within one month.

When requested by a customer, you are obliged to immediately correct any incorrect customer data. The customer has a right to ask for deletion of customer data, especially if the data is not needed or no longer needed for the actual purpose, or in cases where the customer withdraws their approval. This possibility exists for your customers at any time and you must explicitly point this out to customers.

What do I have to consider with respect to data security?

The ePages online shops in the cloud are regularly and automatically supplied with necessary updates. The data centres in which ePages shops are hosted are ISO-certified and meet the highest requirements of IT and data security.

What do I need to know to cooperate with other service providers?

Merchants often use services of other providers in their shops. If such providers process personal data on your behalf, you will need to sign a data processing agreement (DPA) with the companies concerned and ensure they are working in a GDPR-compliant way.

What preparations has ePages made for the changes involved in the GDPR?

ePages already observes the highest security standards in all areas and fulfils all requirements of the GDPR. You can rely on the fact that your shop system will not place any obstacles in the way of fulfilling the GDPR provisions.

Where can I find more information on the GDPR?

Competent support and legally secure statements can be obtained from our approved partner Trusted Shops. Trusted Shops is a specialist in legal advice for shop owners and knows exactly what is involved. To sign up for Trusted Shops, select Marketing and then Trusted Shops in the main menu of your shop’s administration area. If you then use the registration link shown there, you will receive discounted rates.

In the coming weeks, we will also post updated information concerning the GDPR here on the blog.

Where can I find instructions on GDPR-related issues?

We have compiled a list of help articles to assist you regarding the GDPR. The guidance differs depending on whether you are using the ePages Now or ePages Base shop versions. To find out your shop version, select Help from the main menu in your shop’s administration area. Your shop version will be displayed at the bottom of the page.

Editing the privacy policy

To be GDPR-compliant, you will most likely need to modify your privacy policy. You can find more information on this topic in the section “How do I update my privacy policy?” above.

Deleting customers

You can delete customers and their data from the shop system. Instructions on how to do this can be found for ePages Now here.

Downloading invoices as PDF files

When you delete customers, all orders that have been placed by those customers will also be deleted. Therefore, before taking this action, if you wish to retain documentation on those customers’ orders you can download the customer invoices in the form of PDF files. Instructions on how to do this can be found for ePages Now here. Please note: Any personal data must be completely deleted after expiry of any relevant legal retention periods. This also applies to data in the context of customer invoices.

This article contains initial legal pointers but makes no claims in respect to completeness and accuracy. It can under no circumstances serve to replace legal advice on an individual case.

About the author

Kristof Maletzke was Communications Manager at ePages.
