
Making a webshop/website GDPR compliant

Since the new privacy law came into force, a company must take quite a few legal details into account when operating a website or webshop in order to conform to the GDPR. The GDPR experts from Mr. Franklin explain what the GDPR means for websites and how to develop a GDPR-compliant website or webshop that takes the law into account.


General data protection regulation (GDPR)


The General Data Protection Regulation (GDPR) entered into force on May 25, 2018. This legislative initiative was intended to improve information security and transparency in the processing of personal data in the European Member States. The new rules therefore mainly bring privacy-related obligations.

Any company that collects or processes personal data must now do so in compliance with the GDPR. 'Personal data' refers to all data by which natural persons can be identified, for example a name, e-mail address, IP address or telephone number.

More about what falls under the term 'processing' according to the GDPR legislation can be found in this blog post by Mr. Franklin.

How do I get my website GDPR compliant?


The GDPR also applies to websites that process (or even merely collect) personal information. Nowadays, almost every website collects personal data, sometimes unknowingly. A loyalty card for which customers have to enter data, a contact form where customers can leave their e-mail address, or any other way in which contact information is collected from the user: all of these bring the website within the scope of the GDPR.

As a result, webshops and websites must also operate in accordance with the GDPR.

Consent of the user


According to the GDPR, the processing of personal data must rest on one of the six legal bases determined by law.

The easiest way to fulfil this requirement is to ask your website's users for express permission for the data processing. Usually this is done by having every user of a webshop tick a checkbox, whereby the user expressly declares agreement with the privacy policy.

Note: it must be an express and not an implied consent. The checkbox may therefore not be checked automatically in advance.

Privacy declaration


When a website collects personal data, the transparency obligation must not be lost sight of. A privacy statement should explain to the visitors of your website how, why and which personal data you collect.

Every online store is in any case obliged to use a privacy statement.

What should a privacy statement state?

Contact details


The GDPR regulations determine which information must be included in your privacy statement. For example, it must contain the contact details of the entity collecting the personal data, as well as the contact details of the Data Protection Officer of the enterprise.

If the data processing company has several departments, you should also state which office is responsible for the processing of personal data.

Legal basis, purpose of the processing and retention period of the data


The company must also state the legal basis on which the data processing rests, together with the reason why the personal data is collected and processed. In addition, the privacy statement must state the retention period after which the personal data will be deleted (or the criteria used to determine this period).

Protection of collected data

The company must also demonstrate how the data collected by the website or webshop is protected. As an entity that processes personal data, you must ensure that the integrity of this personal data is protected. This means that the collected data may not simply be changed.

The personal data may not be disclosed publicly or simply transferred to other entities. It is your duty as a data-collecting entity to prevent a data breach. It may be useful to briefly explain in the privacy statement the measures that your company takes to avoid a data breach.

The territorial scope of the processing


As mentioned earlier, the General Data Protection Regulation (GDPR) is a European legislative initiative. This means that other privacy rules apply outside the EU. That is why the privacy statement of your webshop or website should inform users about whether you will also process personal data outside the European Union (e.g. through cooperation with entities from third countries).

If this is the case, then the privacy statement must explain what protection the personal data enjoys in these non-EU countries.

Any automated processing

If your website or webshop uses automated decision-making, it is best to state this in the privacy statement.

Rights of the persons whose data is processed


The GDPR also provides for a number of rights for the persons whose data is processed, including the right to inspect the collected personal data and the right to be completely erased from all databases of your company.

It is up to the entity that processes or collects personal data to inform the user of a website or webshop about the existence of these rights. The easiest way to do this is to mention it in the privacy statement.

And more…


As you have already noticed, the rules for a privacy statement are worked out in great detail. These often legal-technical details make drawing up a correct privacy statement a difficult and above all time-consuming matter.

Preparing a GDPR-compliant privacy statement for your website or webshop nonetheless remains extremely important. The fine you risk if your online platform does not operate in accordance with the new privacy rules can run up to 4% of sales.

Many companies therefore choose to have the privacy statement for a webshop or website drawn up by a legal advisor. This way you can be sure that your company is legally compliant with regard to the GDPR, and will remain so.

DPIA audit


A Data Protection Impact Assessment (DPIA) is a tool to map the privacy risks of data processing. A DPIA must be performed when the processing of personal data entails a high risk for the privacy of the data subjects.

At Mr. Franklin, we specialize in DPIA audits, both in the field of privacy and cybersecurity. We ensure that specific recommendations are made and that a commercial document is drawn up that can be presented to your customers.

You will find more information about our services related to DPIAs in this blog post by Mr. Franklin.



A Data Protection Officer (DPO) is an independent person who monitors compliance with GDPR standards within the company.

In some cases, appointing a Data Protection Officer is obligatory. Discover in this blog post from Mr. Franklin whether such an obligation applies to your company. If this is the case, the contact details of the responsible DPO must also be stated in the privacy statement of your website or webshop.

As certified DPOs, Mr. Franklin assists dozens of companies as DPO at fixed prices. You can contact us for assistance in procedures before the Data Protection Authority (GBA), such as reporting a data breach or a procedure before the Disputes Chamber, as well as in procedures before the court (for example, if you want to challenge imposed sanctions).



A cookie is a small amount of data that the server sends to the browser of the user of a website. It allows the browser (and therefore also the user) to be recognized the next time the same browser visits the website. In addition, such a cookie also helps to keep track of what the user of a particular browser has done on the same website in the past.

Cookies are often used, among other things, for remembering login data or collecting browsing information (profiling of the user). Keeping a shopping cart so that the customer has time to think is also part of this.

Tracking cookies


Tracking cookies are a certain type of cookie that aims to collect information about web surfers. These cookies generally enable websites to track the internet behaviour of visitors, and not just what a visitor does on one particular website.

Under the current GDPR regulation, you must ask the visitor for explicit permission before you are allowed to use tracking cookies.
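The following JavaScript is an added example and not code from the Mr. Franklin page or its authors. It shows how a webshop backend can enforce the two points made above: the consent checkbox described under "Consent of the user" counts only when the visitor actually submitted it (nothing defaults to "agreed"), and a tracking cookie is only set once that explicit permission is recorded, and is expired when the permission is absent or withdrawn. The cookie names, form field names and lifetimes are assumptions chosen for illustration; the sample form bodies are constructed.

```javascript
// Added example, not code from the Mr. Franklin page. Cookie names, form field
// names and lifetimes are assumptions chosen for illustration.

// Part 1: interpret the submitted consent form. A browser omits an unticked
// checkbox from the form body, so "field absent" means "no consent". Only a
// field the visitor actually submitted as 'on' counts as express consent; this
// is the server-side counterpart of never pre-ticking the box.
function parseConsent(formBody) {
  const params = new URLSearchParams(formBody);
  return {
    privacyPolicy: params.get('privacy_policy_accepted') === 'on',
    tracking: params.get('tracking_cookies_accepted') === 'on',
  };
}

// Part 2: cookie policy. Strictly necessary cookies (session, shopping cart)
// need no consent; the tracking cookie may only be set after opt-in.
const COOKIE_POLICY = {
  sid:        { requiresConsent: false, maxAge: 60 * 60 * 24 },        // session, 1 day
  cart:       { requiresConsent: false, maxAge: 60 * 60 * 24 * 7 },    // cart, 7 days
  tracker_id: { requiresConsent: true,  maxAge: 60 * 60 * 24 * 365 },  // tracking, 1 year
};

function serializeCookie(name, value, maxAge) {
  // Secure, HttpOnly and SameSite limit who can read or replay the identifier.
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

function expireCookie(name) {
  return `${name}=; Max-Age=0; Path=/`;
}

// Minimal parser for the request's Cookie header ("a=1; b=2").
function parseCookieHeader(header) {
  const cookies = {};
  for (const part of (header || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name) cookies[name] = decodeURIComponent(rest.join('='));
  }
  return cookies;
}

// Build the Set-Cookie header values for a response. `values` maps cookie names
// to the values the application wants to set; `requestCookieHeader` is the
// incoming Cookie header, used to clear a tracking cookie that is still present
// although consent is absent (for example because the visitor withdrew it).
function cookiesForResponse(consent, values, requestCookieHeader) {
  const headers = [];
  for (const [name, value] of Object.entries(values)) {
    const policy = COOKIE_POLICY[name];
    if (!policy) throw new Error(`no policy entry for cookie "${name}"`);
    if (policy.requiresConsent && !consent.tracking) continue; // never set without opt-in
    headers.push(serializeCookie(name, value, policy.maxAge));
  }
  const present = parseCookieHeader(requestCookieHeader);
  for (const [name, policy] of Object.entries(COOKIE_POLICY)) {
    if (policy.requiresConsent && !consent.tracking && name in present) {
      headers.push(expireCookie(name)); // consent missing or withdrawn: remove it
    }
  }
  return headers;
}

// Constructed sample form bodies for a stand-alone run.
const SAMPLE_FORM_NO_TRACKING = 'email=anna%40example.test&privacy_policy_accepted=on';
const SAMPLE_FORM_WITH_TRACKING = SAMPLE_FORM_NO_TRACKING + '&tracking_cookies_accepted=on';

const demoConsent = parseConsent(SAMPLE_FORM_NO_TRACKING);
console.log(demoConsent);
console.log(cookiesForResponse(demoConsent, { sid: 'abc123', cart: 'cart42', tracker_id: 'trk-1' }, 'tracker_id=old'));
```

The design choice worth noting is that consent is represented as a value derived from what the visitor sent, never as a default in the policy table: a cookie marked `requiresConsent: true` cannot be emitted by any code path unless `consent.tracking` was set from an actual form submission, and the response additionally clears such a cookie whenever it is found without matching consent.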


Why choose GDPR experts from Mr. Franklin?

mr. Franklin is a law firm with special expertise in IP, cybersecurity and making companies GDPR-proof. More than 250 companies are already satisfied with our service.

mr. Franklin offers all-in-one packages at fixed prices to draw up a GDPR and security policy within your company, including making your website or webshop GDPR-proof. Feel free to contact us: we'd love to see what Mr. Franklin can do for your company.






mr. Franklin provides us with excellent support in the field of legal IT assistance, GDPR, property law and financial disputes. Drive, speed, passion for the profession and correctness are just a few keywords that typify Mr. Franklin & their team.

Xavier Goegebeur / Link Optimizer


mr. Franklin always provides quality work for a clear price.

Alain Carels / Carbofisc
