EuroComply

GDPR requirements for an ecommerce site

Find out which GDPR obligations apply to your ecommerce site in 7 questions covering cookies, payments, marketing, and cross-border data transfers.

Last updated: 1 May 2025

Does an ecommerce site need to comply with GDPR?

Answer the questions below in order; each answer either continues to the next question or ends in a verdict for your situation. Two of the possible verdicts:

  • GDPR applies — delegate payment processing immediately (you hold card data on your own systems)
  • Cookie consent in place — confirm other GDPR obligations (tracking is consented and you send no marketing email)
  • Use the step-by-step decision tree below for your exact situation
Source: EUR-Lex — GDPR (Regulation 2016/679)

For informational purposes only. Consult qualified legal counsel before making compliance decisions.

Decision tree questions

  1. Do you sell to customers located in the EU?

    Offering goods or services to people in the EU — even from a non-EU country — brings those transactions under GDPR (Article 3(2)). A business established in the EU is in scope for all of its customer data regardless of where the customers are.

    • Yes: Continue to: Does your site use cookies or tracking pixels?
    • No: GDPR does not apply to your customer data — no EU customers (assuming your business is not itself established in the EU)
  2. Does your site use cookies or tracking pixels?

    Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, Clarity — any script that stores or reads data on the visitor's device (cookies, localStorage) or sends identifiers to a third party.

    • Yes: Continue to: Do you show a cookie consent banner before setting non-essential cookies?
    • No: GDPR applies — limited tracking, but checkout data is still in scope
  3. Do you show a cookie consent banner before setting non-essential cookies?

    Non-essential cookies (analytics, advertising) require prior consent under GDPR and the ePrivacy Directive. Pre-ticked boxes and "by continuing you accept" notices don't count: the tracking script must not load or set cookies until the visitor has actively accepted, and withdrawing consent must be as easy as giving it.

    • Yes: Continue to: Do you send marketing emails to customers?
    • No: GDPR applies — cookie consent banner required immediately
  4. Do you send marketing emails to customers?

    Post-purchase newsletters, promotional offers, abandoned cart emails — all require a valid legal basis.

    • Yes: Continue to: Did customers explicitly opt in to receive marketing, or are you relying on the 'soft opt-in' exemption for existing customers?
    • No: Cookie consent in place — confirm other GDPR obligations
  5. Did customers explicitly opt in to receive marketing, or are you relying on the 'soft opt-in' exemption for existing customers?

    Soft opt-in: you can email existing customers about your own similar products without fresh consent, if you gave them an easy way to opt out when you collected the address during the sale and you repeat that opt-out in every message. The exemption is narrow: it covers contact details obtained in the course of a sale, not addresses collected elsewhere.

    • Yes: Continue to: Do you delegate card handling to a PCI DSS compliant processor such as Stripe or Adyen, rather than storing card data yourself?
    • No: GDPR applies — fix your email marketing consent model
  6. Do you delegate card handling to a PCI DSS compliant processor such as Stripe or Adyen, rather than storing card data yourself?

    Storing raw card numbers on your own systems brings the full PCI DSS requirements onto those systems and turns any breach into a high-impact GDPR incident. Most shops delegate card handling to a processor so that card data never reaches their servers (for example through hosted payment fields) and keep only the processor's token.

    • Yes: Your GDPR baseline looks solid — review data transfers next
    • No: GDPR applies — delegate payment processing immediately
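The consent gate behind questions 2 and 3, as an added example that is not code from the page or from EuroComply: non-essential scripts are queued until the visitor makes an explicit choice, nothing defaults to granted, a missing or malformed stored decision counts as "undecided" rather than "accepted", and the decision is written back to a first-party cookie so it survives the next page load. The ConsentGate class, the gdpr_consent cookie name and its analytics:1,advertising:0 format, and the script URLs are assumptions for illustration; the inject callback stands in for DOM insertion so the logic runs outside a browser.

```javascript
// Consent gate for non-essential browser scripts (analytics, advertising).
// Added example, not code from the page. ConsentGate, the gdpr_consent
// cookie and its value format are assumptions made for illustration.

const NON_ESSENTIAL = ["analytics", "advertising"];

// Parse a first-party consent cookie of the assumed form
//   gdpr_consent=analytics:1,advertising:0
// A missing, partial or malformed record yields null ("undecided"),
// never "granted": only an explicit 1 for a known category grants it.
function parseConsentCookie(cookieHeader) {
  const m = /(?:^|;\s*)gdpr_consent=([^;]*)/.exec(cookieHeader || "");
  if (!m) return null;
  const consent = {};
  for (const pair of m[1].split(",")) {
    const [cat, val] = pair.split(":");
    if (!NON_ESSENTIAL.includes(cat)) continue; // ignore unknown categories
    consent[cat] = val === "1";
  }
  // every category must be present for the record to count as a decision
  for (const cat of NON_ESSENTIAL) if (!(cat in consent)) return null;
  return consent;
}

class ConsentGate {
  // inject: (src) => void, e.g. appends a <script> tag in the browser
  // stored: result of parseConsentCookie(document.cookie), or null
  constructor(inject, stored) {
    this.inject = inject;
    this.consent = stored; // null until the visitor decides
    this.pending = [];     // non-essential scripts waiting for a decision
    this.loaded = [];
  }

  // Register a tag. Essential scripts load at once; non-essential ones
  // load only if their category is already granted, otherwise they wait.
  // Returns true if the script was injected now.
  register(src, category) {
    if (category === "essential") return this._load(src);
    if (this.consent && this.consent[category] === true) return this._load(src);
    this.pending.push({ src, category });
    return false;
  }

  // Record the visitor's explicit choice. Dismissing the banner is not a
  // choice: callers pass a boolean per category, and anything that is not
  // literally true (including an omitted category) is treated as denied.
  // Returns the value to store in the gdpr_consent cookie.
  decide(choice) {
    const consent = {};
    for (const cat of NON_ESSENTIAL) consent[cat] = choice[cat] === true;
    this.consent = consent;
    const stillWaiting = [];
    for (const p of this.pending) {
      // denied scripts stay unloaded but remain queued, so a later change
      // of preference through decide() can release them
      if (consent[p.category]) this._load(p.src); else stillWaiting.push(p);
    }
    this.pending = stillWaiting;
    return this.serialize();
  }

  serialize() {
    return NON_ESSENTIAL.map((c) => `${c}:${this.consent[c] ? 1 : 0}`).join(",");
  }

  _load(src) {
    this.loaded.push(src);
    this.inject(src);
    return true;
  }
}

// Usage on a page: read the stored decision, register tags, then wire the
// banner's buttons to gate.decide(...) and write the returned value into
// the gdpr_consent cookie. Shown here with a collected injection callback.
const injectedExample = [];
const gate = new ConsentGate((src) => injectedExample.push(src), parseConsentCookie("session=abc"));
gate.register("/js/cart.js", "essential");                                     // loads now
gate.register("https://www.googletagmanager.com/gtag/js?id=G-XXXX", "analytics"); // waits
gate.register("https://connect.facebook.net/en_US/fbevents.js", "advertising");   // waits
const cookieValue = gate.decide({ analytics: true });                          // advertising denied
```

In a real deployment the returned cookie value is written with `Set-Cookie`/`document.cookie` using `SameSite=Lax` and a bounded lifetime, and the consent banner's "reject all" path calls `decide({})`, which records an explicit denial for every category rather than leaving the state undecided.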