The starting date of GDPR is dangerously approaching, the date that many companies are afraid of because it sets compliance with data protection to a whole new level. A large group of companies affected by GDPR are the webshop owners since they process customer data on a large scale.
It is a standard practice of webshops that they ask for consent to manage personal data of customers for marketing purposes. The rule of informed consent as a prerequisite for any processing of data has not changed; however, GDPR introduces a more sophisticated approach and in case of processing of data for different purposes, it stipulates that individuals shall be granted the possibility to decide on each data processing separately. In practice, it means that if a webshop intends to ask for consent of data processing for marketing purposes, it shall do so by offering a separate document for approval than the document in which the customer approves of data being processed in order to complete his order.
This latter request for approval may be embedded in the general terms and conditions of sale but the marketing consent may not. It is namely unlawful if the submission of a purchase order is subject to a consent to processing of personal data which is not directly related to the purchase (such as data processing for marketing purposes), because the consent has to be voluntary and unsolicited.
The latest trends in data processing in e-commerce include the application of profiling algorithms. GDPR will require the disclosure of detailed information to the concerned users: not only shall they be informed of the profiling itself but also on its methodology.