GDPR for Marketplace Sellers: What You Actually Need to Do
You're handling customer data with every order. Here's a practical guide to GDPR compliance for online sellers — without the legal jargon.
Every order you process contains personal data: names, addresses, email addresses, phone numbers. Under the GDPR (General Data Protection Regulation), you're responsible for handling this data properly. Here's what that means in practice.
What counts as personal data?
Anything that can identify a person: name, address, email, phone number, IP address, and even order history. If you process orders, you process personal data.
Your obligations as a seller
- Privacy policy — You need one. It should explain what data you collect, why, how long you keep it, and who you share it with.
- Data minimization — Only collect data you actually need. Don't ask for a date of birth if you don't need it.
- Data retention — Don't keep customer data forever. Dutch tax law requires you to keep invoices for 7 years, but you should delete other data when it's no longer needed.
- Data security — Protect the data you hold: use encrypted connections and strong passwords, and don't store customer information in unprotected spreadsheets.
- Right to access and deletion — If a customer asks what data you have about them, you must provide it. If they ask you to delete it (and there's no legal reason to keep it), you must comply.
Invoicing and GDPR
Invoices contain personal data, so they fall under the GDPR. However, you're legally required to keep invoices for 7 years (a tax obligation), and that legal basis overrides a customer's deletion request for that specific data. Just make sure your invoicing tool stores this data securely and doesn't share it with unauthorized parties.
Practical steps
- Add a privacy policy to your website or seller profile
- Use tools that are GDPR-compliant (check for a DPA — Data Processing Agreement)
- Don't email customer data in unencrypted formats
- Delete old customer data you no longer need
