If you are running a cross-border web shop in Europe, it is important that you be aware of the regulations that apply in the EU. Below is an overview of the points of which you need to be aware.
When running a web shop, there are a lot of rules to follow. It’s important that you familiarize yourself with them thoroughly to make sure you are not breaking any laws in terms of data processing agreements, GDPR, trade terms and conditions, etc.
Below, you will gain insight into the primary points you should know about. Make sure you always observe these rules, so you avoid getting fined or running afoul of the law.
It is important to emphasize that the following list is not exhaustive, but rather an overview of particular points with which you MUST comply.
GDPR and data processing agreements
GDPR legislation went into force on May 25, 2018. At this time, it became a requirement that all companies must comply with applicable law in this area. GDPR is short for General Data Protection Regulation, and the legislation was enacted by the EU.
With this GDPR legislation, many new regulations were instituted. They can be difficult to navigate for a small company, but even so, it’s important that you become familiar with them, so you know for a fact that everything you are doing complies with the legislation.
The intent of GDPR is to improve companies’ protection of personal data. The main requirement for business owners is to be able to document at any time that personal information is being processed properly and according to applicable law.
5 important points in GDPR legislation
GDPR legislation is comprehensive, and it is necessary for you to educate yourself proactively about all aspects of this legislation if you want to make sure you are staying inside the four corners of the law. Below, we have collected 5 rules of which you need to be particularly mindful if you are operating a web shop in an EU country.
- Your company must keep records of its various processing activities.
- Your company must be able to document compliance with principles of good data processing contained in the legislation.
- Your company must inform customers as well as employees about the way their data are processed.
- Your company must be able to document that the proper technical and organizational measures have been taken in terms of secure data processing.
- Your company must be able to prove compliance with the legislation via consent declaration, data processors, etc.
Other important points of GDPR legislation
There are many aspects to this legislation, and you will want to study up on all of them yourself. The above 5 points are the most important, but there are certain other regulations that must be observed as well.
- Your company must develop a risk assessment for the way personal information is processed in your business.
- Your company must enter into specific data protection agreements with the data processors you employ.
- Your company must oversee the data processors.
- Your company must respect the rights of employees and customers.
Data processing agreement
In addition to the above, it is important that you establish a data processing agreement if you have access to data, but another company processes this data. This could apply when you host your website and database with an external hosting provider.
In principle, you will be required to establish a data processing agreement regardless of the hosting provider you choose. Therefore, you must ensure that you have the option of establishing a data processing agreement when choosing a hosting provider for your web shop.
If you use specific cookies for specific areas of your web shop, you are legally required to have a dedicated page for cookies, where all first- and third-party cookies you use are listed. At the same time, you have to provide information about the purpose of each individual cookie, the data it collects, stores, or sends, and for how long the data is stored. Also, the page must provide options for selecting and deselecting cookies.
If you have a homepage that is not really a web shop, but rather refers to a third party, you are legally obligated to inform visitors about this as well. This could be something like an Amazon affiliate page, or just a drop shipping page. See an example where the ad notice is indicated in the footer, here.
Trade terms and conditions and customer rights
Similar to the above examples, there are several points you must comply with when informing about the trade terms and conditions of your web shop. The trade terms and conditions must include the following information:
- Right of return
- Payment for return shipping
- Payment methods you accept
- Deadlines and procedures
- Rules of the Purchasing Act regarding defects
- Prices and payment terms
- Physical address of your company
- Company information
- Delivery information
- Contact information
- Jurisdiction and venue
- Changes to trade terms and conditions
In addition, all web shops must offer a 14-day right of return and must have an option for the customer to use a form for informing the company of his or her intent to return merchandise.
A great tool for downloading card logos to indicate the payment methods you accept is kortlogo.dk (or card-logo.com for the international site).
Images and copyright
When you use images for your web shop, it is important that you hold the required rights to use them. If you use an image with permission from a business partner, and it turns out that this partner does not hold copyright to the picture, you will be the one with the problem because you published it.
This is a fact, regardless of whether you have permission to use it – even if you have it in writing. This means that you are responsible for checking whether you do, in fact, have permission to use the image, since you may otherwise wind up getting sued.
Marketing and data collection
As a web shop owner, you are responsible for the personal data you obtain about your customers. This is not only true when selling a product via your web shop, but also for things like sending newsletters to existing and prospective customers.
A name and e-mail address could be considered personal data, and you have the responsibility of processing these data properly according to applicable GDPR regulations. Furthermore, it is required that the user consent to your obtaining data when he or she subscribes to your newsletter.
Where can I read more?
If you want to ensure your compliance with all applicable legislation, you will want to visit the European Commission website, which lists all the legal requirements you must be aware of when operating a web shop.