GDPR Compliance for E-Commerce 2026: Complete Guide for EU Online Sellers

The 2026 EU Data Protection Landscape at a Glance

GDPR is enforced by a network of national Data Protection Authorities (DPAs), coordinated at EU level by the European Data Protection Board (EDPB). The card stack below summarises the eight authorities most likely to land in your inbox as an EU e-commerce seller — keep it nearby as you read each deep-dive section.

1. GDPR Overview — Regulation (EU) 2016/679, Effective May 2018

What GDPR Actually Is

The General Data Protection Regulation — Regulation (EU) 2016/679 — was adopted on 27 April 2016 and became directly applicable in all 27 EU Member States plus the three EEA countries (Norway, Iceland, Liechtenstein) on 25 May 2018. As a Regulation, not a Directive, GDPR did not require national transposition — it took effect the same day in Madrid, Paris, Berlin, Rome, Warsaw and every other EU capital. It replaced the 1995 Data Protection Directive (95/46/EC), which had produced 28 fragmented national implementations.

For e-commerce sellers, three structural choices in the text matter more than anything else:

• Material scope (Art. 2) — applies to any "processing of personal data" by automated means, which captures essentially every database operation in a modern web stack.
• Territorial scope (Art. 3) — applies to controllers established in the EU regardless of where processing takes place, and to controllers established outside the EU that offer goods or services to data subjects in the EU or monitor their behaviour. This is the "extraterritorial reach" that pulled US, UK, Turkish, Swiss and Asian sellers into scope.
• Definition of personal data (Art. 4) — extremely broad: anything that "relates to an identified or identifiable natural person". IP addresses, cookie IDs, device fingerprints, and even unique URL parameters can qualify.

The Six Lawful Bases (Article 6)

Every processing activity needs at least one of six lawful bases:

1. Consent — freely given, specific, informed, unambiguous (Art. 4(11) + Art. 7).
2. Contract — processing necessary to perform a contract with the data subject (the standard basis for fulfilling an order).
3. Legal obligation — e.g., VAT invoicing, KYC, tax records.
4. Vital interests — rare in commercial e-commerce.
5. Public task — generally not relevant to private retail.
6. Legitimate interests — balancing test required; used for fraud prevention, security, basic analytics.

The single most common 2026 compliance mistake is conflating bases — e.g., relying on "contract" for marketing emails (which need consent under the ePrivacy Directive) or on "legitimate interests" for tracking cookies (which need consent under Art. 5(3) of the ePrivacy Directive).

Special-Category Data (Article 9)

Health data, biometrics, ethnicity, religious beliefs, trade-union membership, sexual orientation and political opinions are special-category data. Processing is prohibited unless one of the ten Article 9(2) conditions applies — explicit consent being the most common in e-commerce (e.g., supplement subscriptions revealing health information, fashion sites inferring ethnicity from preferred sizes).

2. Cookie Consent — TCF v2.2 and the IAB Europe Framework

Why Cookies Are a GDPR Topic At All

Cookies and similar tracking technologies are governed not by GDPR alone but by Article 5(3) of the ePrivacy Directive 2002/58/EC (the "Cookie Directive", amended in 2009). The Directive requires prior, informed consent for storing or accessing information on a user's device, except where strictly necessary to deliver a service the user requested. GDPR then defines the standard for what counts as valid consent (Arts. 4(11) and 7).

The combined practical rule for e-commerce sellers in 2026 is:

• Strictly necessary cookies (cart, login, CSRF token, language selector, basic load balancing) — no consent required, but must be documented in your privacy policy.
• All other cookies — analytics (GA4, Plausible, Matomo with default config), advertising (Meta Pixel, Google Ads, TikTok), personalisation, A/B testing, fingerprinting — require opt-in consent before the cookie is set.

IAB Europe Transparency & Consent Framework v2.2

The IAB Europe Transparency & Consent Framework (TCF) v2.2 — released on 16 May 2023 and mandatory from 20 November 2023 — is the de-facto industry standard for capturing, signalling and persisting cookie consent across the EU. Key features:

• 11 purposes + 3 "special purposes" + 2 "features" + 2 "special features" — granular control rather than blanket "Accept all"
• ~700 registered vendors — every ad-tech, analytics and CDP partner declares purposes and legal bases in the TCF Global Vendor List (GVL)
• TC String — a base64-encoded signal embedded in __tcfapi / __tcfapi v2 that travels with every adtech request
• v2.2 enhancements — clearer purposes 1, 3, 4, removal of "legitimate interest" as a fallback for advertising / measurement, mandatory withdrawal flow

What the Consent UI Must and Must Not Do

Both EDPB Guidelines 05/2020 on consent and CNIL Guidelines 2020-091 are crystal clear:

• Pre-ticked boxes are invalid (Planet49, CJEU C-673/17, 1 October 2019)
• "Continued browsing" does not constitute consent — clicking, scrolling or staying on the page is not opt-in
• Refusing must be as easy as accepting — "Accept all" and "Reject all" must be visually and procedurally equivalent (CNIL imposed €60M on Google and €60M on Facebook in January 2022 explicitly for this)
• Cookie walls — conditioning access on consent — are largely prohibited (Dutch AP guidance 2019, EDPB Guidelines 05/2020)
• Granularity — purpose-by-purpose toggles, not a single global switch
• Withdrawal must be as easy as giving consent (Art. 7(3) GDPR)

3. Privacy Policy — Articles 13 and 14 in Practice

Why a Privacy Policy Is Non-Negotiable

Articles 13 and 14 of GDPR require every controller to provide a privacy notice at the time personal data is collected (Art. 13) or, where data is collected from a third party, within one month (Art. 14). For e-commerce, this is the page typically linked from the footer as "Privacy Policy", "Privacy Notice" or "Information on the processing of personal data".

The Mandatory Content List

Article 13 requires, at minimum, the following — usually structured as a layered notice with a short summary and a full version:

• Identity and contact details of the controller (and the EU representative if Art. 27 applies)
• Contact details of the DPO, where one is appointed
• Purposes of processing and the lawful basis for each (Art. 6, and Art. 9 for special-category data)
• Recipients or categories of recipients — payment gateways, fulfillment partners, marketing tools, hosting providers
• International transfers — third countries involved, adequacy decisions or appropriate safeguards (SCCs)
• Retention periods — or the criteria used to determine them
• Data subject rights — access, rectification, erasure, restriction, portability, objection, automated decisions
• Right to withdraw consent at any time (where consent is the lawful basis)
• Right to lodge a complaint with a supervisory authority
• Whether provision of data is mandatory, and the consequences of not providing it
• Existence of automated decision-making, including profiling, and meaningful information about the logic

Common Mistakes the CNIL and AEPD Fine For

• Boilerplate notice that does not match actual processing activities — supervisory authorities cross-reference with the Article 30 register
• Listing "legitimate interests" without explaining the balancing test
• Vague retention periods such as "as long as necessary" without timeframes
• Missing or outdated international-transfer disclosures (especially US-bound transfers after Schrems II)
• No mention of the right to lodge a complaint with a DPA — a frequent AEPD audit finding

4. Data Protection Officer — When Article 37 Applies

The Three Mandatory Cases

Article 37(1) imposes mandatory DPO designation in three cases:

1. Public authority or body (other than courts)
2. Core activities require regular and systematic monitoring of data subjects on a large scale
3. Core activities consist of large-scale processing of special-category data (Art. 9) or criminal-conviction data (Art. 10)

"Large scale" is defined by EDPB Guidelines WP243 against four criteria: number of data subjects, volume of data, duration of processing and geographic extent. For e-commerce, behavioural-advertising-heavy operations, marketplaces and large retail platforms almost always meet the "regular and systematic monitoring at large scale" threshold.

The 250-Employee Myth

The widely-cited "250 employees" threshold relates to Article 30 (records of processing activities) and not to DPO appointment. Article 30(5) exempts organisations with fewer than 250 employees from maintaining records — but only if the processing is occasional, does not include special-category data, and is unlikely to result in a risk to data subjects. For any active e-commerce seller, the exemption almost never applies in practice: shipping orders to thousands of customers is by definition non-occasional.

National Top-Ups

Member States can impose additional DPO requirements. Germany's BDSG, for example, requires a DPO whenever 20 or more persons are continuously involved in automated processing — much lower than the GDPR baseline. This is one of the largest practical compliance gaps for German vs. French vs. Spanish e-commerce operations of similar size.

DPO Independence and Tasks

• Article 38 — must be involved in all data-protection issues, receive resources, report to top management, cannot be dismissed for performing tasks
• Article 39 — informs and advises, monitors compliance, advises on DPIAs, cooperates with the DPA, acts as contact point for data subjects
• Conflicts of interest — the CJO of marketing or the head of IT typically cannot be DPO (EDPB Guidelines WP243; Belgian DPA fine of €50,000 in 2020 on a controller who appointed the head of compliance, internal audit and risk as DPO)

5. Data Subject Rights — Articles 15–22

The Eight Rights, in Order

The Chapter III rights are the operational backbone of GDPR for any customer-facing business:

• Right to be informed (Arts. 13–14) — discharged via the privacy notice above
• Right of access (Art. 15) — confirmation of processing + a copy of the personal data + the Article 13 metadata
• Right to rectification (Art. 16) — correct inaccurate data, complete incomplete data
• Right to erasure / "right to be forgotten" (Art. 17) — six specific grounds (no longer necessary, consent withdrawn, unlawful processing, etc.); not absolute
• Right to restriction (Art. 18) — flag data as "frozen" while a dispute is resolved
• Right to data portability (Art. 20) — receive personal data in a structured, commonly used, machine-readable format, transfer to another controller
• Right to object (Art. 21) — to processing based on legitimate interests or public task; absolute for direct marketing
• Right not to be subject to solely automated decision-making, including profiling (Art. 22) — narrow exceptions for contract, law, explicit consent

Response Times and Format

Article 12 imposes the operational rules:

• One month default — extendable by two further months for complex or numerous requests, with reasoned notification to the data subject
• Free of charge — except for "manifestly unfounded or excessive" requests, where a reasonable fee or refusal is allowed (controller bears the burden of proof)
• Same format as the request — email request, email response; structured machine-readable for portability
• Identity verification required, but proportionate — overly burdensome ID checks are themselves a violation (CNIL guidance)

How E-Commerce Sellers Operationalise This

1. Dedicated DSR mailbox (e.g., [email protected]) routed to the DPO or privacy team
2. Ticketing workflow with 1-month SLA timer and automatic escalation at 25 days
3. Source-of-truth data map (the Article 30 register) telling you which systems hold what — Zunapro centralises this for marketplaces, storefronts, CRM and payment data
4. Templated responses with the legally required metadata pre-populated
5. Audit trail of every request and response — supervisory authorities routinely ask for the last 12 months of DSR logs in investigations

6. Breach Notification — The 72-Hour Clock (Articles 33–34)

What Counts as a "Personal Data Breach"

Article 4(12) defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". Three categories follow EDPB Guidelines 9/2022:

• Confidentiality breach — unauthorised disclosure or access (typical hack / leaked database)
• Integrity breach — unauthorised alteration of data
• Availability breach — accidental or unlawful loss of access or destruction (typical ransomware)

The 72-Hour DPA Notification

Article 33 requires notification to the competent supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware", unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Late notifications must be accompanied by reasons for the delay. The clock starts when the controller has a reasonable degree of certainty that a breach has occurred — not at the moment of the first vague alert.

The "High Risk" Customer Notification

Article 34 imposes a parallel duty to notify affected individuals "without undue delay" where the breach is likely to result in a high risk to their rights and freedoms. Exemptions: encrypted data, mitigation measures applied after the fact, or disproportionate effort (then a public communication suffices).

What Goes In a Breach Notification

• Nature of the breach, including categories and approximate number of data subjects and records concerned
• DPO contact details or other contact point
• Likely consequences
• Measures taken or proposed to address the breach and mitigate adverse effects

Common Enforcement Patterns

Late or missing notifications are routinely fined independently of the underlying breach. Examples: Twitter International (now X) fined €450,000 by the Irish DPC in 2020 for late breach notification; Uber fined €600,000 by the Dutch AP for failure to notify a 2016 breach within 72 hours after entry of GDPR. In both cases, the technical breach itself was relatively minor; the procedural failure dominated the fine.

7. Cross-Border Transfers — SCCs, Adequacy and Schrems II

The Default Rule — Chapter V

Chapter V of GDPR (Arts. 44–50) prohibits transfers of personal data to a "third country" (non-EU/EEA) or international organisation unless one of three safeguards applies:

1. Adequacy decision (Art. 45) — the Commission has formally decided the third country offers an "essentially equivalent" level of protection.
2. Appropriate safeguards (Art. 46) — Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), approved codes of conduct or certifications.
3. Specific derogations (Art. 49) — narrow exceptions: explicit consent, contract performance, important public interest, vital interests.

Adequacy Decisions in Force (2026)

As of 2026, full or partial adequacy decisions cover: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea (South Korea), Switzerland, United Kingdom (renewed 2025, in force until 2031), Uruguay, and — under the EU–US Data Privacy Framework (DPF) adopted on 10 July 2023 — certified US organisations.

Schrems II and the SCCs

On 16 July 2020 the CJEU in Schrems II (C-311/18) invalidated the EU–US Privacy Shield and clarified that SCCs alone are not sufficient where local third-country law (e.g., US FISA 702 surveillance) creates conflicting obligations. Controllers must:

• Use the new SCCs adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, organised as four modules (C2C, C2P, P2P, P2C)
• Perform a Transfer Impact Assessment (TIA) on the importing country's legal framework
• Apply supplementary measures where the TIA reveals risk — typically end-to-end encryption, pseudonymisation, or contractual / organisational controls (EDPB Recommendations 01/2020)

The EU–US Data Privacy Framework

The 2023 DPF re-established a Privacy-Shield-style adequacy mechanism for certified US recipients. Sellers transferring to a DPF-certified US processor (most major hyperscalers — AWS, Google Cloud, Microsoft Azure — are certified) do not need SCCs for that specific recipient, but should still document the basis and monitor for re-litigation: a "Schrems III" challenge is already pending and could re-open the question.

What This Means Operationally

• Map every sub-processor and the country where data is actually processed (not just billing address)
• Sign 2021 SCCs with non-adequate recipients, with the correct module for the relationship
• Maintain TIAs for each — most CMPs and DPA-management tools ship templates
• Update annually or when law / sub-processor changes

8. The Upcoming ePrivacy Regulation — What Changes for Cookies and Marketing

The Legislative Background

The ePrivacy Regulation (ePR) was proposed by the Commission in January 2017 to replace the 2002/58/EC ePrivacy Directive (the "Cookie Directive"). Unlike a directive, it would apply directly with no national transposition — solving the current patchwork in which France (CNIL Délibération 2020-091), Germany (TTDSG/TDDDG), Spain (LSSI-CE), Italy (Garante 2021 cookies guidelines) and others each interpret the same EU baseline differently.

What's Likely In Scope (2026 Status)

• Cookies and similar technologies — including fingerprinting and SDK-level identifiers
• Electronic communications metadata — extending privacy of communications beyond traditional telcos to OTT messaging
• Direct marketing — opt-in for electronic marketing (email, SMS) with the existing "soft opt-in" for similar products in the customer relationship
• Browser-level consent signals — explicit recognition of "Do Not Track" / Global Privacy Control style signals
• Unsolicited communications — strict opt-in for B2C, less strict for B2B

What Doesn't Change

GDPR remains the lex generalis on consent quality (Arts. 4(11), 7). The ePR is lex specialis on when consent is required for electronic communications and tracking. A TCF v2.2 CMP designed today should be future-proof for ePR transition.

Expected Impact on E-Commerce

• National differences (e.g., German telecommunications law's nuances) compress towards a single EU rule
• Browser-level "Reject all" signals become harder to ignore — analytics and adtech stacks need to honour them automatically
• B2B marketing rules may diverge more sharply from B2C, with some Member States retaining stricter B2C regimes
• Cross-border marketing campaigns become easier to compliance-check from a single source of truth

9. Fines — €20 Million or 4% of Global Turnover (Article 83)

The Two Tiers

Article 83 sets two maximum fine tiers:

• Tier 1 — up to €10 million or 2% of global annual turnover, whichever is higher: breaches of controller/processor obligations (Arts. 8, 11, 25–39, 42, 43)
• Tier 2 — up to €20 million or 4% of global annual turnover, whichever is higher: breaches of the basic principles (Art. 5), lawful basis (Art. 6), conditions for consent (Art. 7), special-category data (Art. 9), data subject rights (Arts. 12–22) and international transfers (Arts. 44–49)

How DPAs Calculate the Number

The EDPB issued Guidelines 04/2022 on the calculation of administrative fines (adopted 24 May 2023) which set a five-step methodology:

1. Identify the processing operations and apply Art. 83(3) to determine whether one or multiple fines apply
2. Identify the starting amount based on the seriousness of the infringement (Art. 83(2)(a) (b) (g))
3. Apply aggravating or mitigating circumstances (Art. 83(2)(c)–(k))
4. Ensure the dynamic ceiling (Art. 83(4)–(6)) is not exceeded
5. Assess effectiveness, proportionality and dissuasiveness

The 2026 Fine Landscape

Cumulative GDPR fines exceed €5.5 billion by 2026. Headline penalties include:

• €1.2 billion — Meta Platforms Ireland (Irish DPC, 22 May 2023) — unlawful US transfers
• €746 million — Amazon Europe Core (Luxembourg CNPD, 16 July 2021) — adtech consent
• €405 million — Meta / Instagram (Irish DPC, 5 September 2022) — children's data
• €390 million — Meta / Facebook + Instagram (Irish DPC, January 2023) — lawful basis for ads
• €345 million — TikTok (Irish DPC, September 2023) — children's privacy
• €290 million — Uber B.V. (Dutch AP, August 2024) — driver data to US
• €225 million — WhatsApp (Irish DPC, September 2021) — transparency failures

SME Reality

The headline fines target the largest controllers, but supervisory authorities such as the AEPD routinely issue hundreds of €1,000–€50,000 fines per year against SMEs — typical infringements being missing privacy notices, undeclared CCTV, illegal cookies and late DSR responses. For an EU online seller turning over €1–10M, the realistic exposure is in the €5,000–€100,000 range per finding — material but survivable, provided basic compliance is in place.

10. E-Commerce GDPR Checklist + National DPAs

The 12-Point Operational Checklist

1. Appoint a controller and (if required) a DPO — document the appointment and contact details publicly
2. Maintain an Article 30 register of processing activities, indexed by purpose, lawful basis, recipients, retention, transfers
3. Publish a GDPR-compliant privacy notice per Arts. 13–14 — layered, clearly written, in the language of the market
4. Deploy a TCF v2.2-compatible CMP with equal "Accept all" / "Reject all" buttons and granular toggles
5. Document the lawful basis for every processing activity — particularly distinguishing contract, legitimate interests and consent
6. Sign DPAs (Art. 28) with every processor — payment gateways, hosting providers, fulfilment partners, marketing tools
7. Configure DSR workflows — Arts. 15–22, one-month SLA, identity verification, audit trail
8. Set retention and deletion schedules — order data, marketing data, log data, payment data each with its own clock
9. Implement a 72-hour breach response plan — playbook, named DPO, DPA templates, monitoring
10. Sign 2021 SCCs + run TIAs for every non-adequate transfer; rely on the EU–US DPF where the processor is certified
11. Run DPIAs (Art. 35) for high-risk processing — profiling, large-scale special-category data, systematic monitoring
12. Train staff, log decisions, document the lot — accountability (Art. 5(2)) is itself a substantive obligation

National Supervisory Authorities — Who To Contact When

Member State	Authority	City	Notable enforcement focus 2026
France	CNIL	Paris	Cookies, adtech, TCF, large fines
Spain	AEPD	Madrid	SME enforcement, CCTV, DSR delays
Italy	Garante	Rome	AI/ChatGPT, telemarketing, cookies
Germany — federal	BfDI	Bonn	Federal bodies, telcos, postal
Germany — states	16 Landes-DPAs	Per Bundesland	Private sector enforcement (LfDI BW, BlnBDI, HmbBfDI most active)
Netherlands	Autoriteit Persoonsgegevens (AP)	The Hague	Cookie walls, AI register, government leaks
Ireland	Data Protection Commission (DPC)	Dublin	Big-tech lead authority, largest fines
Hungary	NAIH	Budapest	CCTV, facial recognition, HR data
Belgium	Gegevensbeschermingsautoriteit (APD/GBA)	Brussels	Adtech, IAB Europe TCF rulings
United Kingdom	ICO (UK GDPR)	Wilmslow	Adtech, children's code, AI guidance

Reading the table: for cross-border cases the "one-stop shop" mechanism applies and the lead authority is the DPA of the controller's main establishment. For purely domestic complaints, the local DPA handles the case. Zunapro stores a per-tenant lead authority configuration so customer complaints are routed automatically.

How to Make a Zunapro Storefront GDPR-Ready — Step-by-Step

1. Configure the Controller and DPO

In Zunapro panel → Settings → Privacy, declare the legal-entity controller, registered address, EU representative (if you are outside the EU) and DPO contact. These values populate the Article 13 privacy notice, the cookie banner first layer and the DSR mailbox configuration.

2. Activate the TCF v2.2 CMP

• Enable the Consent Management Platform under Settings → Cookies
• Choose the layout (banner, modal, bar) and confirm equal "Accept all" / "Reject all" treatment
• Select purposes 1–11 from the TCF GVL — Zunapro pre-selects the e-commerce defaults
• Confirm the persistent "Cookie settings" link in the footer

3. Generate the Article 13 Privacy Notice

Zunapro renders a multilingual notice from the data you entered in step 1 plus the integrations you have connected (payment gateways, marketing tools, hosting region). Review, edit the localized version per market, publish.

4. Set Up the DSR Workflow

• Configure the privacy mailbox (or webform endpoint)
• Map the right (access, erasure, etc.) to its SLA and to the systems that need to act
• Activate the audit log

5. Enable Breach Monitoring + SCC Library

Toggle the 72-hour incident-response playbook and import pre-signed 2021 SCCs for every sub-processor that operates outside the EU/EEA. Zunapro ships annual TIA refresh reminders.

6. Go Live

1. Sign in to Zunapro and open the EU module
2. Activate Privacy Hub in Settings
3. Walk the wizard — controller, DPO, CMP, privacy notice, DSR, breach plan, SCCs
4. Translate to every market you sell in (Zunapro ships templates in EN, DE, FR, ES, IT, NL, PL, HU, PT, RO, CS, SK)
5. Go live — first end-to-end pass typically completes in 10–15 minutes for a single storefront

EU GDPR FAQ 2026