
GDPR Compliance

Europe's landmark privacy law applies to any business that processes EU resident data — regardless of where your company is based.

Overview

The General Data Protection Regulation (GDPR) came into force in May 2018 and governs how organizations collect, store, and process personal data from individuals in the European Economic Area. For e-commerce businesses, GDPR affects cookie consent banners, checkout data collection, email marketing, retargeting pixels, and CRM systems. Non-compliance carries fines of up to €20 million or 4% of global annual turnover — whichever is higher.

Who This Applies To

  • Any website visited by EU residents, regardless of where your business is incorporated
  • E-commerce checkouts collecting names, addresses, and payment data
  • Email marketing lists containing EU subscriber data
  • Retargeting pixels (Meta, Google) placed on your store
  • Third-party analytics tools (GA4, Hotjar, FullStory) tracking EU users

Your Obligations

Lawful Basis for Processing

You must identify a lawful basis (consent, contract, legitimate interest, etc.) for every category of personal data you collect before collection begins.

Cookie Consent Management

Tracking and analytics cookies require explicit, informed consent before being set. Pre-ticked boxes and 'consent by scrolling' are both non-compliant.

Data Subject Rights

Customers can request access to their data, correction, erasure ('right to be forgotten'), and portability. You must respond within 30 days.

Data Breach Notification

Reportable breaches must be disclosed to the relevant supervisory authority within 72 hours of discovery.

Data Processing Agreements

Any third-party vendor handling EU personal data on your behalf (Shopify, Klaviyo, Segment) must have a signed DPA in place.

Real Enforcement Cases

These are not hypothetical risks. The following cases represent actual regulatory enforcement actions and civil litigation — each with documented penalties.

2023: €1.2 Billion

Meta (Facebook / Instagram)

Ireland's Data Protection Commission fined Meta a record €1.2 billion for transferring EU user data to US servers without adequate safeguards following the Schrems II ruling that invalidated Privacy Shield.

2022: €2.4 Million

Sephora France

France's CNIL fined Sephora for selling customer data to third-party advertisers without valid consent and failing to honour opt-out requests. A direct reminder that beauty and retail brands are high-priority enforcement targets.

2020: €35.2 Million

H&M Germany

Hamburg's data protection authority issued a €35 million penalty after H&M was found secretly recording employees' personal circumstances, including health status and family issues, and using that data in management decisions.

2019: €50 Million

Google LLC

France's CNIL fined Google for lack of transparency and failing to obtain valid consent for personalised ads — a landmark case that established how notice-and-consent flows must work for ad-tech stacks.

Free Consultation

Is your e-commerce store exposed?

Deskulpt engineers audit your current technology stack against GDPR Compliance requirements, identify gaps, and produce a prioritised remediation roadmap. No retainer required to start.

Book Your Free GDPR Compliance Audit