Codewerk.
Get a quote
Home/Blog/A GDPR checklist for a shop that actually sells things

A GDPR checklist for a shop that actually sells things

Not legal advice — an engineering checklist. The technical facts you must be able to state about your shop when someone finally asks.

Photo: free stock photography (Unsplash licence) — see imprint

Know where personal data actually lives

Not just the customer table. The order export on someone's laptop, the backup from 2021, the support inbox, the analytics tool, the newsletter provider. You cannot protect or delete data you have not located.

Deletion must be a function, not a favour

When a customer asks to be deleted, that must be a button someone can press — including in the systems the shop syncs into. If deletion means 'a developer writes a SQL statement', it will not happen reliably.

Consent before the script runs

A cookie banner that loads the tracking script before the click is decoration. Load nothing until consent exists — this is a technical implementation detail that decides whether the banner means anything at all.

Keep the boring paperwork with the boring systems

Every external service that touches customer data needs a processor agreement, and you should be able to list them in one minute. If nobody can name all of them, that is the finding — not the paperwork.

Key takeaways
  • Locate every copy of personal data, including exports.
  • Deletion has to be a button, not a favour.
  • No script loads before consent exists.

We do this for a living — Shopware, Node.js, React, ERP integration and automation for B2B.

Talk to an engineer

// Keep reading

Related articles

Security & Compliance 8 min

E-invoicing: your PDF is no longer an invoice

Structured invoicing (ZUGFeRD, XRechnung) is becoming mandatory in B2B. A PDF attached to an email will not satisfy it — and your shop has to change.

28 Mar 2026 Codewerk Team