Data protection in the online shop: How to properly protect your customers!


The UNI Erlangen-Nuremberg provides information about compliance with the GDPR and TKG regarding cookies and web analysis in online trading.



On September 25, 2025, attention is drawn to the legal framework for data protection. At a time when web shops and online platforms process ever more personal data, compliance with the General Data Protection Regulation (GDPR) and the Telecommunications Act (TKG) is becoming increasingly important. These provisions govern the use of cookies and web analytics tools and are of central importance for operators of online shops.

The checklist from the Austrian Economic Chamber provides a current update on the topic and sets out important guidelines for the processing of personal data. In particular, the checklist emphasises that the GDPR must be strictly observed when processing data such as IP addresses. Notably, operators are obliged to provide information about cookies even when no personal data is processed, which is a significant change.

Legal basis and requirements

Compliance with the legal framework requires clear disclosure of the legal basis for data processing. These include, among others:

  • Legitimate interest, for example storing IP addresses for the shopping cart.
  • Performance of a contract, where the data processing is necessary for contracts.
  • Legal obligations, such as retention periods under tax law.
  • The user's consent, which must be obtained as an "opt-in" and requires an age check for children under 14.

In addition, a sharp focus is placed on the data protection principles of the GDPR. These include:

  • Purpose limitation: data processing must serve legitimate purposes.
  • Data minimisation: only necessary data may be collected.
  • Storage limitation: deletion concepts and retention periods must be observed.
  • Data security measures, such as encryption and pseudonymisation, are essential.
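The principles above name pseudonymisation and storage limitation but show no technique. The following is an added example (not code from the checklist, the university or the chamber) that pseudonymises visitor IP addresses for web analytics and purges events after a retention period. All function names, the master secret and the sample events are hypothetical and constructed for illustration. It also shows the caveat a practitioner should know: an unkeyed hash of an IPv4 address is not a pseudonym, because the address space is small enough to enumerate.

```python
"""Pseudonymising visitor IP addresses for web analytics and purging them
after a retention period. Added example with hypothetical helpers and
constructed sample events; not code from the checklist or the university."""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample analytics events (not real traffic).
SAMPLE_EVENTS = [
    {"ts": "2025-01-02T09:15:00+00:00", "ip": "203.0.113.42", "path": "/cart"},
    {"ts": "2025-01-02T09:16:30+00:00", "ip": "203.0.113.42", "path": "/checkout"},
    {"ts": "2025-03-01T18:00:00+00:00", "ip": "2001:db8:abcd:1234::1", "path": "/"},
]


def truncate_ip(ip: str) -> str:
    """Data minimisation: keep only the network part (IPv4 /24, IPv6 /48)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def unkeyed_hash(ip: str) -> str:
    """What NOT to do: a plain hash of an IP address is not a pseudonym."""
    return hashlib.sha256(ip.encode()).hexdigest()[:16]


def reverse_unkeyed(digest: str, candidate_net: str) -> Optional[str]:
    """Why not: IPv4 has only 2**32 values, so an unkeyed hash is reversed by
    enumeration. A single /24 is enough to demonstrate the attack."""
    for host in ipaddress.ip_network(candidate_net).hosts():
        if unkeyed_hash(str(host)) == digest:
            return str(host)
    return None


def daily_key(master_secret: bytes, day: str) -> bytes:
    """Derive a per-day key (hypothetical scheme): the same visitor gets a
    different pseudonym tomorrow, and discarding the master secret later
    breaks the link to the original address entirely."""
    return hmac.new(master_secret, day.encode(), hashlib.sha256).digest()


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed pseudonym: stable within one key period, unlinkable without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_events(events, master_secret: bytes):
    """Replace the raw IP with a daily pseudonym plus a truncated network."""
    out = []
    for ev in events:
        day = ev["ts"][:10]  # ISO date part of the timestamp
        key = daily_key(master_secret, day)
        out.append({
            "ts": ev["ts"],
            "visitor": pseudonymise_ip(ev["ip"], key),
            "net": truncate_ip(ev["ip"]),
            "path": ev["path"],
        })
    return out


def purge_expired(events, now_iso: str, retention_days: int):
    """Storage limitation: drop events older than the retention period."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [ev for ev in events if datetime.fromisoformat(ev["ts"]) >= cutoff]


if __name__ == "__main__":
    master = b"rotate-me-and-keep-me-out-of-the-analytics-db"  # constructed
    for ev in pseudonymise_events(SAMPLE_EVENTS, master):
        print(ev)
    leaked = unkeyed_hash("203.0.113.42")
    print("unkeyed hash recovered:", reverse_unkeyed(leaked, "203.0.113.0/24"))
    print("kept after 30 days:", purge_expired(SAMPLE_EVENTS, "2025-03-15T00:00:00+00:00", 30))
```

The keyed pseudonym is consistent within a day, so unique visitors can still be counted, while the truncated network keeps only coarse geolocation. The key must live outside the analytics database; whoever holds both the key and the pseudonyms can re-identify visitors, so it is still personal data for them.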

Organization and compliance

The information obligations under the GDPR and the TKG must be fulfilled in full. This also includes honouring the rights of data subjects and observing the rules on international data transfers: data may be transferred to third countries only if an equivalent level of protection exists there.

Data subjects have rights, and their requests must be handled within the statutory deadlines. In addition, online shop operators must have measures in place to report data breaches to the competent data protection authority and to notify those affected. This significantly increases accountability.

To meet the challenges of digital data use, a data protection impact assessment is also required, in particular for certain processing operations such as profiling or web analytics. The Chamber of Commerce emphasises that the checklist reflects the legal position as of January 1, 2025 and therefore serves as a basis for web shop operators who must operate within this legal framework.

Further comprehensive information and details can be found on the websites of Friedrich Alexander University Erlangen-Nuremberg and the Austrian Chamber of Commerce. These resources provide valuable insight for companies seeking to comply with data protection regulations.