GDPR: New questions and answers for ePages merchants

by Kristof Maletzke, 16.10.18

The General Data Protection Regulation (GDPR) has been an important topic in recent months and will continue to be an issue in the future. After providing basic information on the new regulation in our first blog article on the GDPR, we now address more specific questions.

A customer asks the shop owner to delete all data stored by him about the customer. However, the merchant still needs some of them, for example for tax purposes or for warranty reasons. Does he still have to delete the data?

There are no changes in this respect with the GDPR. As long as you as a merchant need to store the data for legal reasons, you do not have to delete it.

When do shop owners need their own data protection officer?

Whether a merchant has to appoint a data protection officer depends on several factors. Companies with 10 or more employees always need a representative like that. This is also the case for companies with less than 10 employees when sensitive personal data is processed. These can be, for example, payrolls for employees. Merchants who are not individual entrepreneurs should delve more into this topic. Please note that the data protection officer must be reported to the local supervisory authority.

Do customers have to be automatically deleted from the shop system after a certain time?

There are no precise guidelines for this. Trusted Shops generally recommends deleting all unneeded data after a certain period of time. 3 years are given as a guideline.

Do I need a data processing agreement contract with ePages?

Whether you have to conclude an data processing agreement contract with ePages depends on whether you have booked your shop directly with us or with one of our providers. In the latter case, always make your contract directly with the provider, because the provider is your contractual partner. The provider, in turn, has a data processing agreement contract with ePages because we work on his behalf.

If you have booked your shop with us, you can contact our data protection officer at to complete the contract.

How is the automatic deletion of customer, user and order data solved with ePages?

Automatic deletion of data is generally not intended because we cannot automatically decide which customer data must be deleted and when. An exception is data on incomplete orders in which, for example, a customer has already entered his address data in the order process but has not then sent the order. These data are automatically deleted after 30 days.

What has to be considered when passing on customer data to shipping service providers?

ePages offers shipping methods that transfer data to shipping service providers (e.g. DHL). In addition to the postal address, the shop sometimes also sends the e-mail address of the customer, so that the service provider can inform the customer by e-mail about the status of the delivery. As a merchant you should inform in the privacy policy about the purpose for which the data will be passed on.

A checkbox with which the customer must agree to the transfer of the data during the ordering process is not required. The current implementation in the ePages software is therefore legally compliant.

If you work with a provider like SendCloud, you can determine that the customer’s email address is not shared with the logistics company that carries out the shipment.

As a merchant, you can display a note on the use of cookies in your shop. Is it sufficient that the hint can be closed with a simple “X”, or must there be a button with a label such as “Ok” or “I agree”?

How the banner is closed is irrelevant. The solution with the “X” is legally compliant. However, it is important that the privacy policy refers to the use of cookies and that the legitimate interest in the use of cookies by the merchant is made transparent.

Is it questionable under data protection law to use Google Web Fonts in the shop?

Google web fonts are used in the ePages shop software. Since these are not loaded from Google servers, but are stored on the shop’s server, there are no data protection problems. If you include your own web fonts (e.g. via CSS adjustments), you should check whether you need to become active in this respect. According to Trusted Shops, however, the use of web fonts is generally harmless. You can make the use of web fonts transparent in your privacy policy.

What do I need to know to use reCaptchas?

So-called reCaptchas may be used in shops in the ePages Base version. This technology from Google has the task of preventing forms on the web from being used by spam robots. Trusted Shops sees no problem in the use of reCaptchas. However, ePages Base merchants should point out in their privacy policy that they use reCaptchas. Here it is possible to argue that there is a legitimate interest for using reCaptchas, because they are relevant for a website’s security.

To display your shop version, choose Help in the administration area of your shop in the main menu. The version is displayed at the bottom of the page (ePages Base or ePages Now).

This article contains initial legal pointers but makes no claims in respect to completeness and accuracy. It can under no circumstances serve to replace legal advice on an individual case.

About the author

was Communications Manager at ePages.

Similar posts


No comments available

Share your opinion


Leave a Reply

Your email address will not be published. Required fields are marked *