GDPR starter kit for webshops
Webshop GDPR requirements: cookie banner (ePrivacy), customer account, returns, payment providers, reviews, email marketing. Complete step-by-step plan.
Webshops carry more GDPR exposure than offline retail: they process customer data systematically and usually combine it with tracking cookies and email marketing. Eight mandatory elements:

1. Privacy statement and cookie statement as two separate documents (GDPR transparency duties for the first, ePrivacy rules for the second).
2. Cookie banner that is ePrivacy-compliant: an Accept button and a Reject button of equal prominence, no pre-checked boxes, granular choice per cookie category, and no non-essential cookies set before the visitor has chosen. See our dark patterns guide.
3. Customer account: collect only the minimum (name, address, email) and define a retention period counted from the last order, after which dormant accounts are deleted or anonymised.
4. Payment providers (Mollie, Adyen, Stripe) act as processors: sign a DPA and, for transfers to the US, document a transfer impact assessment (see Schrems II).
5. Returns and order data: keep for the 7-year fiscal retention period, then erase.
6. Reviews: publish them anonymised, or obtain consent before publishing the reviewer's name.
7. Email marketing: opt-in with a confirmation step (double opt-in).
8. Security (Art. 32): HTTPS everywhere, a strong password policy, 2FA on the admin backend, regular backups.

Tracking pixels: the Meta Pixel and Google Analytics may load only after consent has been given (see Meta Pixel fines). Google makes Consent Mode v2 mandatory for its advertising features in the EEA. AP (Autoriteit Persoonsgegevens) enforcement 2023-2025: several webshop fines for cookie walls, missing DPAs, and failure to notify data breaches.
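What the cookie banner requirement and the tracking-pixel rule look like in code, as an added example that is not code from the original page: consent is stored per category, all Consent Mode v2 signals default to denied before gtag.js is loaded, and the Google Analytics and Meta Pixel loaders only run after the visitor has opted in. The storage key, the GA_MEASUREMENT_ID and META_PIXEL_ID placeholders, and the two button ids are assumptions for illustration.

```javascript
// Added example (not from the original page): consent-gated loading of Google
// Analytics and the Meta Pixel with a Consent Mode v2 "denied" default.
// Assumptions: the storage key, the ID placeholders and the button ids are illustrative.

const CONSENT_KEY = 'shop_consent_v1';   // assumed localStorage key
const GA_MEASUREMENT_ID = 'G-EXAMPLE';   // placeholder, not a real property
const META_PIXEL_ID = '000000000000000'; // placeholder, not a real pixel
const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];

// Build the consent record the banner stores. Optional categories stay false
// unless explicitly true, so "Reject all" and "dismiss" give the same result.
function buildConsent(choices = {}) {
  const consent = { necessary: true, analytics: false, marketing: false, ts: Date.now() };
  for (const cat of OPTIONAL_CATEGORIES) {
    if (choices[cat] === true) consent[cat] = true;
  }
  return consent;
}

// Parse a stored record; anything missing or malformed counts as "no consent",
// which keeps every tracker off.
function readStoredConsent(storage) {
  let raw;
  try { raw = storage.getItem(CONSENT_KEY); } catch (e) { return null; }
  if (!raw) return null;
  try {
    const parsed = JSON.parse(raw);
    if (!parsed || typeof parsed !== 'object') return null;
    for (const cat of OPTIONAL_CATEGORIES) {
      if (typeof parsed[cat] !== 'boolean') return null;
    }
    return { necessary: true, analytics: parsed.analytics, marketing: parsed.marketing, ts: parsed.ts };
  } catch (e) {
    return null;
  }
}

// Translate banner categories into the four Consent Mode v2 signals.
function toConsentModeV2(consent) {
  const g = v => (v ? 'granted' : 'denied');
  return {
    analytics_storage: g(consent.analytics),
    ad_storage: g(consent.marketing),
    ad_user_data: g(consent.marketing),
    ad_personalization: g(consent.marketing),
  };
}

// Run only the loaders the record permits; returns what fired so it can be logged or tested.
function applyConsent(consent, loaders) {
  const fired = [];
  if (consent.analytics && loaders.ga) { loaders.ga(); fired.push('ga'); }
  if (consent.marketing && loaders.metaPixel) { loaders.metaPixel(); fired.push('metaPixel'); }
  return fired;
}

// Browser wiring (skipped under Node). The Consent Mode default is pushed before
// gtag.js exists, and no tag script is injected until applyConsent() allows it.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  window.gtag = window.gtag || function () { window.dataLayer.push(arguments); };
  window.gtag('consent', 'default', {
    ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied',
    analytics_storage: 'denied', wait_for_update: 500,
  });

  const inject = (src, onload) => {
    const s = document.createElement('script');
    s.async = true; s.src = src; if (onload) s.onload = onload;
    document.head.appendChild(s);
  };
  const loaders = {
    ga: () => inject(`https://www.googletagmanager.com/gtag/js?id=${GA_MEASUREMENT_ID}`, () => {
      window.gtag('js', new Date());
      window.gtag('config', GA_MEASUREMENT_ID);
    }),
    metaPixel: () => {
      // Command queue stub as in Meta's standard snippet, then the loader script.
      const fbq = window.fbq = window.fbq || function () {
        fbq.callMethod ? fbq.callMethod.apply(fbq, arguments) : fbq.queue.push(arguments);
      };
      fbq.queue = fbq.queue || []; fbq.loaded = true; fbq.version = '2.0';
      window._fbq = window._fbq || fbq;
      inject('https://connect.facebook.net/en_US/fbevents.js');
      fbq('init', META_PIXEL_ID);
      fbq('track', 'PageView');
    },
  };

  const saveAndApply = consent => {
    window.localStorage.setItem(CONSENT_KEY, JSON.stringify(consent));
    window.gtag('consent', 'update', toConsentModeV2(consent));
    applyConsent(consent, loaders);
  };
  const stored = readStoredConsent(window.localStorage);
  if (stored) {
    saveAndApply(stored);
  } else {
    // Both buttons must be rendered with equal prominence (assumed ids); a
    // per-category form would call buildConsent({ analytics: ..., marketing: ... }).
    document.getElementById('cookie-accept-all')?.addEventListener('click',
      () => saveAndApply(buildConsent({ analytics: true, marketing: true })));
    document.getElementById('cookie-reject-all')?.addEventListener('click',
      () => saveAndApply(buildConsent()));
  }
}
```

The check a practitioner wants: open the shop in a fresh profile, refuse consent, and confirm in the network tab that neither gtag/js nor fbevents.js was requested and no _ga or _fbp cookie exists. Because the pixel script is never injected without marketing consent, there is nothing for Meta's fbq('consent', 'revoke') to revoke; that call only matters if you load the pixel unconditionally, which this design deliberately avoids.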