
Data Protection in E-commerce: Guide for Online Stores

Specific GDPR obligations for online stores in Portugal. Cookies, marketing and customer rights.

February 4, 2026 · 11 min read · By Jônata Guimarães

Introduction

Online stores process large volumes of customer personal data. This guide addresses specific data protection obligations for e-commerce in Portugal.

Data Processed in E-commerce

Identification Data

  • First and last name
  • Email
  • Phone
  • Delivery and billing address

Payment Data

  • Card data (processed by gateway)
  • Purchase history
  • Payment preferences

Browsing Data

  • Cookies
  • Browsing history
  • Viewed products
  • Abandoned cart

Legal Obligations

1. Privacy Policy

Must include:

  • Controller identity
  • Processing purposes
  • Legal basis for each processing activity
  • Data recipients
  • Retention periods
  • Data subject rights

2. Cookie Consent

  • Mandatory cookie banner
  • Option to refuse non-essential cookies
  • Consent documentation

3. Direct Marketing

  • Prior consent mandatory (opt-in)
  • Unsubscribe option in each communication
  • Consent records

Compliance Checklist

Website

  • Accessible privacy policy
  • Functional cookie banner
  • Forms with consent checkbox
  • Unsubscribe link in emails

Internal Processes

  • Record of processing activities
  • Contracts with processors (gateway, logistics)
  • Procedure for exercising rights
  • Data retention policy

Security

  • SSL/TLS certificate
  • Encryption of sensitive data
  • Regular backups
  • Access controls

Retention Periods

Data Type | Recommended Period
Billing data | 10 years (tax obligation)
Purchase history | 5 years
Marketing data | Until cancellation
Cookies | 12 months maximum

Customer Rights

Customers can exercise:

  • Access: obtain a copy of their data
  • Rectification: correct incorrect data
  • Erasure: request deletion (with limits)
  • Portability: receive data in structured format
  • Objection: object to direct marketing

Conclusion

GDPR compliance in e-commerce requires attention to multiple aspects. A structured approach protects the company and builds customer trust.

Jônata Guimarães


Lawyer · Digital Law

Practice areas: GDPR, LGPD and digital contracts, operating in Portugal and Brazil.
