GDPR Legal Training for E-Shops: A Practical Risk Management Tool

GDPR legal training for e-shops today is not a “nice to have” but a practical risk management tool. A well-designed training programme helps you align marketing, IT and customer service with personal data protection rules, and set up consents, cookies, e‑mailing and supplier contracts so as to minimise the risk of high fines, customer disputes and disruptions to your business, while keeping the flexibility needed for the growth and development of your online business.


Why e-shops approach GDPR differently than “ordinary” companies

The GDPR (General Data Protection Regulation, i.e., Regulation (EU) 2016/679) applies to any entity that processes personal data of individuals in the EU, regardless of where it is established. This means that even an e-shop registered outside the European Union must comply with the GDPR rules if it offers its goods or services to customers in the EU, typically including Czech consumers.

In most cases, the e-shop operator is the controller of personal data because it determines the purposes and means of processing. For example, it decides which data will be mandatory in the order form, which cookies will be used, and how analytics or content personalisation will be set up.

E-shops also typically work with a high number of data subjects and a diverse range of data types. This includes contact details, payment identifiers, IP addresses, cookie identifiers, and data on purchasing behaviour. Under the GDPR, online identifiers, IP addresses, or cookie IDs may constitute personal data if they make it possible to identify a specific person, especially in combination with other information. In an e-shop environment, the line between “anonymous statistics” and personal data is therefore often much thinner than it may seem at first glance.

Another specific feature of e-shops is the intensive use of cookies and other tracking technologies for analytics, UX optimisation, and marketing remarketing. This is precisely where the GDPR intersects with the so-called ePrivacy rules, which in the EU are governed by the Directive on privacy and electronic communications (the “ePrivacy Directive”). 

In individual Member States (including in the Czech Republic through the Electronic Communications Act), these rules complement the protection of electronic communications and primarily regulate the storing and reading of cookies on a user’s device. In practice, this means that most analytics and marketing cookies require the user’s prior informed consent, and the e-shop must be able to demonstrate who consented, when, and to what exactly.

The regulatory risk is not theoretical. For serious infringements (for example, failure to comply with the basic principles of processing, infringement of data subjects’ rights, or the absence of a legal basis), the GDPR allows for a fine of up to EUR 20 million or 4% of the undertaking’s total worldwide annual turnover for the preceding financial year, whichever is higher.

For less serious infringements (for example, in the area of security or documentation), penalties can reach up to EUR 10 million or 2% of turnover. In practice, fines are scaled according to severity and circumstances, but even a “mid-sized” fine can be very painful for an e-shop, not to mention the costs of litigation, reputational remediation, or compensation to customers.

It is also important to consider the time dimension. Recent years show that supervisory authorities across the EU are increasingly focusing on the online environment, cookies, personalised advertising, and insufficient data security.

At the same time, the EU has also seen other regulations for online services become fully effective, such as the Digital Services Act (Regulation (EU) 2022/2065). This introduces new rules for online platforms, advertising transparency, and content moderation. Since February 2024, this regulation has been fully applicable to most online platforms.

By 2026, it also affects the broader e-commerce ecosystem and requires compliance with specific obligations, although some are scaled according to the size of the platform. Although this article focuses on the GDPR, for many e-shops it is already no longer possible to separate these regulatory frameworks.

Legal training for an e-shop therefore cannot be a generic GDPR seminar that could be used in the same way for a manufacturing company, a hospital, or an employer. It must respond to the specifics of e-commerce, the typical technology stack, and marketing practices. At the same time, it must reflect current interpretative trends and the practice of supervisory authorities, including the Czech Data Protection Authority (Úřad pro ochranu osobních údajů).

The attorneys of ARROWS, a Prague-based law firm, combine a purely legal perspective with practical knowledge of e-commerce tools and processes in such training. Their goal is to ensure the training is not “detached from reality” for people in marketing, IT, and customer service.

What obligations an e-shop has when processing personal data

The GDPR is based on several fundamental principles (Article 5(1) GDPR) that every personal data controller, including an e-shop operator, must comply with. The principle of lawfulness, fairness and transparency (Article 5(1)(a) GDPR) means that processing must have a legal basis, must be fair to the customer, and the e-shop must clearly and comprehensibly explain what it does with the data.

In practice, this primarily means well-written and easily accessible information about the processing of personal data—typically in the form of a privacy policy and information in the cookie banner. The principle of purpose limitation (Article 5(1)(b) GDPR) requires that an e-shop collects and uses data only for clearly defined, specific, and legitimate purposes. It must not process the data further in a manner that is incompatible with those purposes.

If, for example, an e-shop obtains a customer’s email address solely for the purpose of fulfilling an order, it cannot then use it, without more, for a regular marketing newsletter. It must have another appropriate legal basis for that, typically consent or the so-called soft opt-in under the ePrivacy rules. The principle of data minimisation (Article 5(1)(c) GDPR) imposes on the e-shop the obligation to collect only such data as is truly necessary for the specified purpose, and only to an extent that is adequate.

For example, requiring a customer’s date of birth as mandatory when purchasing ordinary goods, if there is no specific legal reason, may be contrary to this principle. In the online environment, this often means reviewing what is a mandatory field in the order form, what data we pass to marketing tools, what profiling we carry out, and whether everything is truly necessary.

The principle of accuracy (Article 5(1)(d) GDPR) requires that personal data be accurate and, where necessary, kept up to date. For an e-shop, this means having processes for correcting delivery addresses, contact details, or payment information, while also not retaining clearly outdated data for the long term.

The principle of storage limitation (Article 5(1)(e) GDPR) provides that personal data must not be kept for longer than is necessary for the purposes for which it was collected. In practice, an e-shop must set retention periods for different types of data (orders, marketing databases, logs, analytics data) and, after they expire, securely delete or anonymise the data.

Finally, the principle of integrity and confidentiality (Article 5(1)(f) GDPR) imposes an obligation to secure personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, through appropriate technical and organisational measures.

This includes, for example, database and communication encryption, access rights management, multi-factor authentication, and regular backups. It also includes organising work so that sensitive data is not sent in unsecured emails or made accessible to unauthorised persons.

Absolutely essential is the principle of accountability (Article 5(2) GDPR). Under this principle, the controller must not only comply with all the principles set out above, but also be able to demonstrate such compliance.

This means having documented processes, records of processing activities (under Article 30 GDPR), records of employee training, contracts with processors, completed audits, and other documents that can be presented to the supervisory authority in the event of an inspection. Legal training for an e-shop therefore always has a documentation dimension as well – it is not only about providing information, but also about ensuring evidence that, as management, you have taken reasonable steps to comply with the GDPR.

Legal bases for processing: orders, marketing and analytics

The GDPR sets out six legal bases (so-called lawful grounds) for the processing of personal data (Article 6 GDPR). In an e-shop, three are used most often: performance of a contract, legal obligation and consent; legitimate interest is relied on in some situations as well.

Processing is lawful, among other things, where it is necessary for the performance of a contract with the data subject or in order to take steps at the request of the data subject prior to entering into a contract, for example processing data to fulfil an order (Article 6(1)(b) GDPR). An e-shop may therefore, without further steps, process the customer’s identification and contact details, the content of the order or the delivery address, if this is necessary for concluding and performing the purchase contract.

Another legal basis is compliance with a legal obligation (Article 6(1)(c) GDPR), for example retaining accounting records for the period required by law (Act No. 563/1991 Coll., on Accounting, as amended), fulfilling tax obligations, or obligations under consumer protection laws. However, processing beyond the scope of these obligations must have its own legal basis.

For marketing purposes, in practice the data subject’s consent is often used (Article 6(1)(a) GDPR), especially for newsletters, personalised advertising or remarketing, unless the so-called soft opt-in exception applies. Consent must be freely given, specific, informed and unambiguous, expressed by a clear affirmative action, not by a pre-ticked box or silently by the user continuing to use the website. For newsletters, in specific situations it is also possible to use the so-called soft opt-in, regulated under Czech law in Section 7(3) of Act No. 480/2004 Coll., on Certain Information Society Services, as amended.

An e-shop may use an email address obtained in connection with the sale of its own product or service to market similar goods or services, provided that the customer was given, at the time the email address was obtained, the opportunity to refuse easily and free of charge, and that this option is also provided in every subsequent marketing email. This regime is based primarily on ePrivacy rules rather than directly on the text of the GDPR, but in practice it is used very frequently when setting up e-shops from a legal perspective.

Legitimate interest (Article 6(1)(f) GDPR) may be a legal basis, for example, for basic website traffic analytics or for certain forms of direct marketing. This applies provided that the rights and freedoms of data subjects are respected and provided that special regulations (for example ePrivacy) do not require consent.

With cookies, the situation is more complex, because whether specific analytics cookies require consent depends on their nature, the possibilities of identifying the user, and the local legal framework. In the Czech Republic, the supervisory authority (the Office for Personal Data Protection) emphasises the requirement for consent for most cookies that are not strictly necessary for the functioning of the website, and the consent must meet the general GDPR standards.

The most common mistake in practice is that an e-shop uses consent as a “universal” basis for almost all processing. Or, conversely, it relies on legitimate interest where it would be safer to work with consent and a transparent explanation.

The attorneys of ARROWS, a Prague-based law firm, recommend always reviewing the specific data flows, processing purposes and tools used by the e-shop, and on that basis setting an appropriate combination of legal bases – one regime will apply to orders, another to accounting processing, and a completely different one to personalised remarketing on social networks.

Cookies and online identifiers: where the GDPR intersects with ePrivacy

Cookies are small text files that a website stores on the user’s device and that enable various functions – from keeping items in the shopping cart, to remembering logins, to detailed tracking of user behaviour across websites. From the GDPR perspective, cookies become personal data at the moment they allow a specific person to be identified directly or indirectly, especially in combination with other information.

In addition to the GDPR, cookies are also subject to ePrivacy regulation, which provides that storing cookies on a user’s device or accessing them is, as a rule, only possible on the basis of prior consent, with the exception of cookies necessary for providing a service explicitly requested by the user.

For an e-shop, this means that so-called “strictly necessary” cookies, for example those ensuring the functioning of the cart or login, may be used without consent, but analytics and marketing cookies usually require consent. Consent to cookies must meet the GDPR requirements – it must be freely given, specific, informed and unambiguous, expressed by a clear affirmative action. In practice, this means that the cookie banner must allow the user a genuine choice, i.e., not only “Accept all”, but also “Reject all” or “Set preferences”. Buttons must not be graphically manipulated to steer the user towards consent (so-called dark patterns).

The Czech supervisory authority and professional literature emphasise that consent cannot be inferred from continuing to browse the website, from merely closing the cookie banner, or from pre-ticked boxes. At the same time, the user should be able to withdraw consent at any time in the same way as it was given. The e-shop should be able to re-display the cookie banner when settings change or after a reasonable period of time has elapsed, typically after several months. 

In Czech practice, indicative periods of around 6–12 months are often used for requesting consent again, but it is always necessary to take into account the specific purposes, the type of cookies and local interpretative materials. Technical cookies that are necessary for the transmission of a communication itself or for providing a service requested by the user (for example, keeping the cart, ensuring secure login, language settings) usually do not require consent, but it is still advisable to inform users about their use.
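The requirements above (a genuine “Reject all” choice, no pre-ticked boxes, withdrawal at any time, re-prompting after a version change or after several months, and being able to show who consented, when and to what) can be made concrete as a small consent ledger. The following is an added example, not code from the article or from ARROWS; the three cookie categories, the 12-month re-consent period and the banner-version string are assumptions of this example, not figures the article prescribes.

```python
"""Consent ledger for an e-shop cookie banner (added example, not the article's code).

Assumptions (not from the article): three cookie categories, a 12-month re-consent
period, and a banner version string that changes whenever wording or purposes change.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

CATEGORIES = ("necessary", "analytics", "marketing")
OPTIONAL = tuple(c for c in CATEGORIES if c != "necessary")
RECONSENT_AFTER = timedelta(days=365)   # assumption: re-prompt after 12 months


@dataclass
class ConsentRecord:
    visitor_id: str        # pseudonymous banner/cookie id; itself personal data under the GDPR
    action: str            # accept_all | reject_all | custom | withdraw
    banner_version: str    # which wording and purposes the visitor actually saw
    choices: Dict[str, bool]
    recorded_at: datetime


class ConsentLedger:
    """Keeps every consent action so the e-shop can show who agreed, when and to what."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record(self, visitor_id: str, action: str, banner_version: str,
               choices: Optional[Dict[str, bool]] = None,
               now: Optional[datetime] = None) -> ConsentRecord:
        now = now or datetime.now(timezone.utc)
        if action == "accept_all":
            chosen = {c: True for c in OPTIONAL}
        elif action in ("reject_all", "withdraw"):
            chosen = {c: False for c in OPTIONAL}
        elif action == "custom":
            # No pre-ticked boxes: any category the visitor did not tick is False.
            chosen = {c: bool((choices or {}).get(c, False)) for c in OPTIONAL}
        else:
            raise ValueError(f"unknown consent action: {action}")
        rec = ConsentRecord(visitor_id, action, banner_version, chosen, now)
        self._records.append(rec)
        return rec

    def current(self, visitor_id: str) -> Optional[ConsentRecord]:
        for rec in reversed(self._records):          # latest action wins
            if rec.visitor_id == visitor_id:
                return rec
        return None

    def is_allowed(self, visitor_id: str, category: str,
                   now: Optional[datetime] = None) -> bool:
        """May a cookie of this category be stored or read for this visitor right now?"""
        if category == "necessary":
            return True                                # strictly necessary cookies need no consent
        now = now or datetime.now(timezone.utc)
        rec = self.current(visitor_id)
        if rec is None or now - rec.recorded_at > RECONSENT_AFTER:
            return False                               # no consent, or consent too old to rely on
        return rec.choices.get(category, False)

    def needs_banner(self, visitor_id: str, banner_version: str,
                     now: Optional[datetime] = None) -> bool:
        """Show the banner again if there is no record, the banner changed, or consent expired."""
        now = now or datetime.now(timezone.utc)
        rec = self.current(visitor_id)
        return (rec is None
                or rec.banner_version != banner_version
                or now - rec.recorded_at > RECONSENT_AFTER)

    def evidence(self, visitor_id: str) -> List[dict]:
        """Audit trail to produce for a data subject request or an inspection."""
        return [{"when": r.recorded_at.isoformat(), "action": r.action,
                 "banner_version": r.banner_version, "choices": dict(r.choices)}
                for r in self._records if r.visitor_id == visitor_id]
```

The point of keeping every action rather than only the latest state is accountability: withdrawal is as easy as consent, and the full history is what demonstrates that an analytics or marketing cookie was set only while valid consent existed.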

For analytics cookies, in some cases, with very strict anonymisation or aggregation, it may be possible to consider processing outside the personal data regime. In practice, however, this requirement is often not met, for example where common cloud analytics tools are used with system identifiers of visitors.

Legal training for an e-shop should include specific examples of cookie banner settings, an explanation of the differences between individual cookie categories, the risks associated with using foreign analytics and marketing tools, the issue of transfers of personal data to third countries, and practical tips on how to work with data in compliance with the GDPR without the e-shop losing the ability to reasonably optimise marketing and the user experience.

Email marketing, newsletters and other communications

The GDPR does not in itself prohibit email marketing, but it requires that any processing of personal data has a legal basis (Article 6 GDPR), is transparent and respects the rights of data subjects. For sending newsletters or other marketing communications, consent is typically used (Article 6(1)(a) GDPR).

In practice, this means that the user actively signs up themselves—for example, by ticking a checkbox in the order form or completing a separate form on the website. Consent must be separate from other contractual terms, must not be pre-ticked, and should be sufficiently specific—for example, it is advisable to distinguish between consent to a newsletter, SMS marketing, and personalised advertising.

A recommended practice is the so-called double opt-in, where after the form is submitted the user receives a confirmation email in which they complete their registration by clicking a link. This strengthens the e-shop’s evidentiary position if a customer later claims they never subscribed to the newsletter.

At the same time, every marketing email should include a clear and simple unsubscribe option that can be used without having to log in or go through complicated steps. After unsubscribing, the email address must be removed from the mailing list; it is usually possible to retain a minimal record that this address no longer wishes to be contacted if the e-shop needs it to demonstrate compliance, but even then the data minimisation principle must be respected.
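The double opt-in flow and the unsubscribe handling described above, as an added example (not code from the article or from ARROWS). The 48-hour confirmation window, the keyed-hash suppression list and the placeholder key are assumptions of this example; the suppression entry is the “minimal record that this address no longer wishes to be contacted” mentioned above, kept without the plain address.

```python
"""Double opt-in newsletter list with an unsubscribe suppression record
(added example, not the article's or the law firm's code)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set

CONFIRM_WINDOW = timedelta(hours=48)          # assumption: confirmation links expire after 48 h
SUPPRESSION_KEY = b"placeholder-rotate-me"    # placeholder; keep a real key in a secrets store


def _norm(email: str) -> str:
    return email.strip().lower()


def _fingerprint(email: str) -> str:
    """Keyed hash of the address: enough to honour 'do not contact' without storing the address."""
    return hmac.new(SUPPRESSION_KEY, email.encode(), hashlib.sha256).hexdigest()


class NewsletterList:
    def __init__(self) -> None:
        self.pending: Dict[str, dict] = {}      # confirmation token -> sign-up awaiting the click
        self.subscribers: Dict[str, dict] = {}  # confirmed address -> consent evidence
        self.suppressed: Set[str] = set()       # fingerprints of addresses that unsubscribed

    def request_subscription(self, email: str, consent_text: str, ticked: bool,
                             now: Optional[datetime] = None) -> Optional[str]:
        """Step 1, form submitted: returns the single-use token to embed in the confirmation mail."""
        if not ticked:
            return None                         # an unticked box is not consent; never pre-tick it
        token = secrets.token_urlsafe(32)
        self.pending[token] = {"email": _norm(email), "consent_text": consent_text,
                               "requested_at": now or datetime.now(timezone.utc)}
        return token

    def confirm(self, token: str, now: Optional[datetime] = None) -> bool:
        """Step 2, link clicked: only now does the address join the mailing list."""
        entry = self.pending.pop(token, None)   # pop makes the token single-use
        if entry is None:
            return False
        now = now or datetime.now(timezone.utc)
        if now - entry["requested_at"] > CONFIRM_WINDOW:
            return False                        # stale link: the sign-up lapses, nothing is stored
        email = entry["email"]
        self.suppressed.discard(_fingerprint(email))   # a fresh confirmed opt-in overrides an old unsubscribe
        self.subscribers[email] = {"confirmed_at": now, "consent_text": entry["consent_text"],
                                   "requested_at": entry["requested_at"]}
        return True

    def purge_expired(self, now: Optional[datetime] = None) -> int:
        """Storage limitation: drop sign-ups that were never confirmed within the window."""
        now = now or datetime.now(timezone.utc)
        stale = [t for t, e in self.pending.items() if now - e["requested_at"] > CONFIRM_WINDOW]
        for t in stale:
            del self.pending[t]
        return len(stale)

    def unsubscribe(self, email: str) -> None:
        """One-click unsubscribe, no login: drop the address, keep only its keyed hash."""
        email = _norm(email)
        self.subscribers.pop(email, None)
        self.suppressed.add(_fingerprint(email))

    def may_send(self, email: str) -> bool:
        email = _norm(email)
        return email in self.subscribers and _fingerprint(email) not in self.suppressed

    def consent_evidence(self, email: str) -> Optional[dict]:
        """What to produce if a customer claims they never subscribed."""
        return self.subscribers.get(_norm(email))
```

Storing the consent wording and both timestamps with each confirmed address is what gives the e-shop the evidentiary position the article describes; the keyed hash keeps the suppression list useful (an address re-imported from another source can be checked against it) while satisfying data minimisation.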

If the e-shop also uses email to send transactional information (order confirmation, invoices, delivery information), this is processing based on performance of a contract or a legal obligation, and consent is not required. However, this does not mean that marketing content can be inserted into transactional emails at will—prominent marketing elements may lead to the conclusion that the message is in fact a marketing email and should therefore be assessed under the rules for direct marketing.

The attorneys at ARROWS, a Prague-based law firm, often help clients in practice to set up consent wording, forms, double opt-in processes, and email footer content to minimise the risk of disputes with customers and with the supervisory authority, while keeping the solution commercially workable.

Customer rights: DSARs, erasure and portability

The GDPR grants customers a wide range of rights that an e-shop must respect and be prepared to fulfil within the statutory time limits (Articles 12–22 GDPR). These include, in particular, the right of access to personal data (Article 15), the right to rectification of inaccurate data (Article 16), the right to erasure (“the right to be forgotten”, Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), and the right to object to processing (Article 21), especially to processing for direct marketing purposes.

The right of access allows a customer to request information about what personal data the e-shop processes about them, for what purposes, what the categories of data are, to whom the data are disclosed, and how long they will be stored (Article 15 GDPR).

The e-shop must respond to such a request without undue delay, and at the latest within one month of receiving the request, with the possibility to extend this period by a further two months depending on the complexity and number of requests (Article 12(3) GDPR). It must provide a copy of the processed data, at least to the extent that is reasonable and does not interfere with the rights of third parties.
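A simple ticket model for the time limits above, and for the handling procedure the article describes later (recording the channel, verifying identity, requiring a named approver for any refusal), as an added example rather than code from the article or from ARROWS. The calendar-month arithmetic (same day of the following month, clamped to the month end) and the roll-over of a weekend deadline to the next working day are assumptions of this example; public holidays are not modelled.

```python
"""DSAR ticket with deadline tracking (added example, not the article's code).

Assumptions: one month = same calendar day in the next month, clamped to the
month end; a deadline on a weekend moves to Monday; holidays are ignored.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


def add_months(d: date, months: int) -> date:
    """Same calendar day N months later; if it does not exist (31 Jan + 1 month), the month's last day."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_working_day(d: date) -> date:
    """Assumption of this example: weekend deadlines roll forward to Monday."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


@dataclass
class DsarTicket:
    ticket_id: str
    received: date
    channel: str            # email | support | social | chat ...
    request_type: str       # access | rectification | erasure | restriction | portability | objection
    identity_verified: bool = False
    extended: bool = False
    closed: Optional[date] = None
    log: List[str] = field(default_factory=list)

    @property
    def deadline(self) -> date:
        """One month from receipt (Art. 12(3)); three months in total once an extension is recorded."""
        return next_working_day(add_months(self.received, 3 if self.extended else 1))

    def verify_identity(self, method: str, today: date) -> None:
        self.identity_verified = True
        self.log.append(f"{today}: identity verified via {method}")

    def extend(self, reason: str, today: date) -> date:
        """Record the two-month extension; it has to be decided (and communicated) within the first month."""
        if self.extended:
            raise ValueError("already extended")
        if today > self.deadline:
            raise ValueError("first deadline already passed; extension no longer possible")
        if not reason.strip():
            raise ValueError("an extension needs a documented reason (complexity or number of requests)")
        self.extended = True
        self.log.append(f"{today}: extended by two months: {reason}")
        return self.deadline

    def is_overdue(self, today: date) -> bool:
        return self.closed is None and today > self.deadline

    def close(self, outcome: str, today: date, approved_by: Optional[str] = None) -> None:
        """Fulfilment requires verified identity; a refusal requires a named approver."""
        if outcome == "fulfilled" and not self.identity_verified:
            raise ValueError("do not release data before verifying the requester's identity")
        if outcome == "refused" and not approved_by:
            raise ValueError("a refusal must be approved by a named person")
        self.closed = today
        suffix = f" (approved by {approved_by})" if approved_by else ""
        self.log.append(f"{today}: closed as {outcome}{suffix}")
```

The `log` list is the documentation dimension: each step (receipt channel, identity check, extension with its reason, closure and approver) is what you would present if the customer later complains to the supervisory authority.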

The right to erasure allows, under certain conditions, a request for the deletion of personal data, for example if it is no longer necessary for the purposes for which it was collected, if the customer has withdrawn consent and there is no other legal basis for processing, or if the data was processed unlawfully (Article 17 GDPR).

The right to data portability (Article 20 GDPR) allows a customer to obtain personal data that the e-shop processes on the basis of consent or a contract and by automated means, in a structured, commonly used and machine-readable format, and, where applicable, to transmit it to another controller. In the e-commerce environment this is not the most common type of request, but it may be relevant, for example, for larger platforms with loyalty programmes or more extensive user account personalisation.

A key practical point is that data subject requests (so-called DSARs—Data Subject Access Requests) may arrive through various channels—by email, via customer support, social media, or chat. E-shop staff must be trained to recognise such submissions, not dismiss them as a “customer complaint”, and forward them to the right person or department for handling. Legal training should therefore also cover practical scenarios: how to identify that it is a GDPR request, how to respond correctly, how to verify the requester’s identity, and how to document everything.

The attorneys at ARROWS, a Prague-based law firm, also often work with clients to set up standardised responses, internal workflows, and templates for handling DSARs to minimise the risk of errors, delays, and subsequent complaints to the supervisory authority.

Security and incident reporting

The GDPR requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks, including pseudonymisation and encryption, ensuring the ongoing confidentiality, integrity, availability and resilience of systems, rapid recovery after an incident, and regular testing of security measures (Article 32 GDPR). 

In an e-shop environment, this means not only secure connections (HTTPS, TLS), encrypted databases and regular updates, but also access management for the e-shop administration, access logging, separation of production and test environments, and employee training on secure data handling.

If a personal data breach (a security incident or data leak) occurs that is likely to result in a risk to the rights and freedoms of natural persons, the controller must, without undue delay and, where feasible, no later than 72 hours after becoming aware of it, notify the competent supervisory authority (Article 33 GDPR).

In more serious cases where the risk reaches a high level, the affected customers must also be informed (Article 34 GDPR). This may concern, for example, a leak of a customer database including passwords, payment details, or personal data combined with sensitive information.

Security incidents in e-shops often arise due to human error—incorrectly configured access credentials, sharing access among employees, mis-sent emails, or inattention when handling data. Legal training should explain to employees what can constitute a security incident, what the internal reporting procedures are, who is responsible for communication with the authority, and what the consequences are if an incident is concealed or underestimated.

The attorneys at ARROWS, a Prague-based law firm, also assist clients with preparing and testing incident response plans and with representation in practice when notifying data breaches to supervisory authorities and affected customers.

Most common questions on an e-shop’s basic obligations under the GDPR

1. Can we collect any data if the customer agrees to it in the terms and conditions?
In practice, consent “hidden” in terms and conditions usually does not meet the GDPR requirements for freely given, specific and informed consent (Article 4(11) GDPR). It is not clearly separated from other arrangements and the customer is not sufficiently alerted to the option to refuse. Moreover, even where consent exists, the data minimisation principle applies (Article 5(1)(c) GDPR)—you cannot legitimise the collection of clearly excessive data merely by asking for it in the terms. In such situations, we recommend a detailed legal analysis of the consent wording and terms, with which the attorneys at ARROWS, a Prague-based law firm, can assist you following an individual consultation.

2. Is it enough to have general “privacy principles” somewhere on our website to meet the duty to inform?
The GDPR requires that information about processing be provided transparently, clearly and in a timely manner—ideally at the moment the data is collected (Articles 13 and 14 GDPR). A general document “tucked away” in the website footer is often not sufficient if it does not contain all the elements required under Article 13 GDPR and if the e-shop does not explicitly refer customers to it at key moments (order, registration, newsletter, cookies). The attorneys at ARROWS, a Prague-based law firm, therefore help clients tailor the duty to inform to individual collection points and processes, and also recommend an appropriate format and language for different types of customers.

3. Does every e-shop have to appoint a Data Protection Officer (DPO)?
The GDPR requires a DPO to be appointed only for certain types of controllers and processors—for example, where their core activities consist of large-scale regular monitoring of individuals or large-scale processing of special categories of data (Article 37 GDPR). Most standard e-shops do not meet this requirement, but appointing an internal or external expert can still be beneficial from a risk management perspective and for communication with authorities. If you are unsure whether the DPO obligation applies to you, the attorneys at ARROWS, a Prague-based law firm, can carry out a quick assessment and propose an optimal compliance model.

Legal training as a risk management tool in e-commerce

The GDPR legal framework emphasizes not only technical measures but also organizational measures, which include training and raising employee awareness (Article 24(1), Article 32(4) GDPR). For larger organizations that have a data protection officer, the GDPR expressly imposes on the DPO the duty to ensure awareness and training of persons involved in processing (Article 39(1)(b) GDPR).

Even without a formal DPO obligation, it remains true that without regular employee training it is not possible to maintain GDPR compliance in the long term—most incidents arise not because of “bad law”, but because of human error, misunderstanding, or lack of knowledge of processes.

In an e-shop environment, personal data is handled in essentially all key departments: customer service, marketing, IT, logistics, finance, management. Each of these groups needs a different type of information and a different level of detail. Customer service must be able to recognize a GDPR request, know what must not be disclosed to third parties over the phone, and how to securely verify the caller’s identity.

Marketing needs to understand the rules for consents, cookies, retargeting and segmentation. IT, in turn, must understand how technical changes to the website relate to GDPR obligations and how to properly set up logging, access rights and encryption.

High-quality legal training therefore needs to be structured and targeted. It is usually worthwhile to combine a general part explaining the basic GDPR principles, data subject rights and sanctions, with specialized modules for individual teams. For management, an overview of risks, responsibilities, compliance costs and a strategy for integrating GDPR into the company’s overall governance is important.

For marketing, practical examples of consent wording, cookie banners and newsletter forms are key, including which tool settings are still acceptable from a GDPR perspective and where you are already entering a risk zone.

In practice, the attorneys at ARROWS, a Prague-based law firm, emphasize that training should not be a purely theoretical interpretation of statutory provisions, but should be based on real scenarios from your e-shop. Typically, before the training they request basic information about the platform used, analytics and marketing tools, the structure of the marketing team and planned campaigns. On this basis, they then discuss specific situations during the training—for example, how to set up email collection for competitions lawfully, how to work with remarketing audiences, how to share data securely with an agency, or how to set retained data in a CRM system so that it complies with the storage limitation principle.

Properly designed training is also an important piece of evidence in the event of a dispute or inspection. If you can demonstrate that employees completed training, received internal policies, had key obligations explained to them and were given the opportunity to ask questions, it is more likely that the supervisory authority or a court will assess your overall setup as responsible, even if an individual made a partial mistake. ARROWS, a Prague-based law firm, is insured for damages up to CZK 400,000,000, and it is precisely thanks to this combination of expertise, experience and insurance capacity that many e-shops choose its attorneys as long-term partners for GDPR and related regulation.

How to set up processes and documentation after training

Training makes sense only if it is followed by adjustments to internal processes, documentation and contracts. The GDPR requires the controller to keep records of processing activities (Article 30 GDPR), in particular if it employs more than 250 people or if the processing is not occasional, includes special categories of data, or poses a risk to the rights and freedoms of data subjects.

In practice, most e-shops fall into a regime where it is worthwhile to keep records even if, strictly speaking, they would not have to, because it involves systematic processing of large volumes of customer data and marketing data.

The records of processing activities (ROPA) should include information on the purposes of processing, categories of data subjects and data, categories of recipients, transfers to third countries, retention periods and the security measures adopted (Article 30(1) GDPR). For an e-shop, this means, for example, describing separately processing related to orders, loyalty programs, marketing, analytics, customer support, or handling data subject rights. During training, it is appropriate to explain the entire ROPA concept and then, together with the attorneys at ARROWS, a Prague-based law firm, go through in practical terms how to create such a document and keep it up to date—ideally through cooperation between the legal, IT and business departments.

An important role is also played by the Data Protection Impact Assessment (DPIA), which is mandatory whenever a certain type of processing is likely to result in a high risk to the rights and freedoms of data subjects (Article 35 GDPR). In e-commerce, this may relate in particular to large-scale customer profiling, automated decision-making with significant effects, the use of CCTV systems in warehouses, or extensive tracking of user behavior on the website. A DPIA should identify risks, assess their severity and likelihood, and propose measures to reduce these risks to an acceptable level.

Equally important is the contractual framework with suppliers who process personal data for the e-shop—typically hosting companies, e-shop platform providers, payment gateways, logistics companies, marketing agencies, newsletter tool providers, cloud CRM and analytics platforms. The GDPR requires that processing be governed by a contract or other legal act (a so-called data processing agreement under Article 28 GDPR), which sets out the subject matter and duration of the processing, the nature and purpose, the type of personal data, the categories of data subjects, and the obligations and rights of the controller.

The contract must also ensure that the processor implements appropriate technical and organizational measures, processes the data only on the controller’s instructions, assists with handling data subject rights and incident response, and deletes or returns the data after the service ends.

Legal training should explain to participants the difference between a controller and a processor, what joint controllership means (Art. 26 GDPR), and when it is appropriate to enter into so-called data sharing agreements, for example between different companies within a group. After the training, it then makes sense to carry out an audit of key supplier contracts and amendments, review templates for data processing agreements, and set a unified procedure for assessing new suppliers (vendor due diligence)—an area in which the attorneys at ARROWS, a Prague-based law firm, often cooperate with IT security teams and compliance departments.

An essential part of the GDPR set-up in an e-shop is a data retention and deletion policy, which in practice is often missing or purely formal. A properly configured policy sets out how long each category of data is retained (for example orders, complaints, marketing contacts, website logs, customer support records), from which event the period runs (the order date, the closing of a complaint, the last interaction with a marketing contact), and whether data are deleted or anonymised once the period expires. These periods must be aligned with other legal rules (for example tax and accounting retention duties and limitation periods for complaints and the enforcement of claims) and with the practical needs of the business, such as analysing customer behaviour over time. The policy also has to be technically enforceable: copies in backups, logs and processors' systems are subject to the same periods.

Another key process is handling data subject requests. It is advisable to have an internal policy or SOP (standard operating procedure) that specifies who receives requests (including those arriving via customer support or social media rather than the published contact), how they are recorded, how the applicant's identity is verified in a way proportionate to the request (Article 12(6) GDPR allows additional information to be requested only where there are reasonable doubts about identity), the response deadline (one month under Article 12(3) GDPR, extendable by a further two months for complex or numerous requests provided the data subject is informed within the first month), and who approves any refusal of a request. The policy should also list every system in which customer data live, since an access or erasure request that misses the CRM, the e-mailing tool or the analytics platform is handled only in part.

Similarly, an e-shop should have a crisis plan for security incidents, including a clear communication chain, an escalation procedure, pre-prepared notification templates for the supervisory authority and for affected individuals, and a method for subsequently evaluating the event and learning from it. The plan should reflect the statutory timing: a breach likely to result in a risk to individuals must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it (Article 33 GDPR); a breach likely to result in a high risk must also be communicated to the affected individuals (Article 34 GDPR); and every breach, notified or not, must be recorded internally with its facts, effects and remedial action (Article 33(5) GDPR). Processors must report breaches to the controller without undue delay (Article 33(2) GDPR), which is why the processor agreement should set a concrete reporting time.

Implementation after the training also includes creating or updating internal policies, a code of conduct for working with data, manuals for working with specific tools (CRM, e-mailing, analytics) from a GDPR perspective, and processes for onboarding new employees, including mandatory training before they are granted access to personal data. ARROWS, a Prague-based law firm, often offers clients a combination of training, preparation of internal policies, contract review, and ongoing external legal advice so that the e-shop does not have to address each individual issue ad hoc, but has long-term, systematic support.

Potential issues and how ARROWS can help (office@arws.cz)

Invalid cookie consent: the cookie banner forces users to accept, there is no "reject all" option at the same level as "accept all", the buttons are visually unbalanced, the purpose of individual cookie categories is not clearly described, or tracking scripts fire before the visitor has made any choice. There is a risk of intervention by the supervisory authority and a fine.

Cookie audits and setup: the attorneys at ARROWS, a Prague-based law firm, will review the current cookie banner, recommend adjustments to the wording, visual design, and technical behaviour, prepare updated documentation, and help set up a consent renewal process in line with GDPR and ePrivacy.
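The banner defects listed above are as much a front-end implementation problem as a wording problem. The following is an added example, not code from the article or from ARROWS, of the client-side logic a compliant banner needs: per-category consent with a plain-language purpose per category, symmetric one-click "reject all" and "accept all", no pre-ticked categories, no non-essential script loaded until consent exists, and automatic re-asking when the cookie policy version changes or the renewal interval passes. The cookie name, category list, policy version, renewal interval and script paths are illustrative assumptions.

```javascript
// Added example: category-level cookie consent logic for an e-shop front end.
// Not code from the article or from ARROWS. The cookie name, category list,
// policy version, renewal interval and script paths are illustrative assumptions.
'use strict';

const CONSENT_COOKIE = 'eshop_consent';            // assumed cookie name
const POLICY_VERSION = 3;                           // bump whenever cookie purposes change
const RENEWAL_MS = 182 * 24 * 60 * 60 * 1000;       // assumed renewal interval (about six months)

// Each category carries a plain-language purpose for the banner. Only
// "necessary" (strictly needed for the service the visitor asked for) is
// exempt from consent; every other category is off until the visitor opts in.
const CATEGORIES = {
  necessary: { required: true,  purpose: 'Shopping cart, login session, fraud prevention' },
  analytics: { required: false, purpose: 'Aggregate usage statistics to improve the shop' },
  marketing: { required: false, purpose: 'Remarketing and personalised advertising' },
};

// Scripts the page wants to load and the categories each one needs.
const TAGS = [
  { src: '/static/cart.js',        needs: ['necessary'] },
  { src: '/static/analytics.js',   needs: ['analytics'] },
  { src: '/static/remarketing.js', needs: ['marketing'] },
];

// Build a consent record from the visitor's choices. Required categories are
// always on; anything not explicitly chosen is off (no pre-ticked boxes).
function makeConsent(choices, now = Date.now()) {
  const granted = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    granted[name] = meta.required ? true : choices[name] === true;
  }
  return { version: POLICY_VERSION, ts: now, granted };
}

// "Reject all" and "Accept all" are symmetric one-click actions; the banner
// must render their buttons with the same size and styling.
const rejectAll = (now) => makeConsent({}, now);
const acceptAll = (now) =>
  makeConsent(Object.fromEntries(Object.keys(CATEGORIES).map((k) => [k, true])), now);

// Consent must be asked again when the purposes changed (new policy version)
// or the renewal interval has elapsed. Until then the stored record is used.
function needsBanner(consent, now = Date.now()) {
  if (!consent || consent.version !== POLICY_VERSION) return true;
  return now - consent.ts > RENEWAL_MS;
}

// A tag may run only if every category it needs is granted. With missing or
// stale consent, only tags that need nothing beyond "necessary" may run.
function mayLoad(tagCategories, consent, now = Date.now()) {
  const effective = needsBanner(consent, now) ? rejectAll(now) : consent;
  return tagCategories.every((c) => effective.granted[c] === true);
}

// Decide which tags to inject; the DOM call is skipped outside a browser.
function loadTagsForConsent(consent, now = Date.now()) {
  const loaded = [];
  for (const tag of TAGS) {
    if (!mayLoad(tag.needs, consent, now)) continue;
    loaded.push(tag.src);
    if (typeof document !== 'undefined') {
      const s = document.createElement('script');
      s.src = tag.src;
      s.async = true;
      document.head.appendChild(s);
    }
  }
  return loaded;
}

// Store the record in a first-party cookie (Secure, SameSite=Lax) ...
function serializeConsent(consent) {
  const maxAge = Math.floor(RENEWAL_MS / 1000);
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(consent))}` +
         `; Path=/; Max-Age=${maxAge}; SameSite=Lax; Secure`;
}

// ... and read it back from document.cookie or a Cookie header. Anything
// malformed is treated as "no consent", never as acceptance.
function parseConsentCookie(header) {
  for (const part of (header || '').split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key !== CONSENT_COOKIE) continue;
    try { return JSON.parse(decodeURIComponent(rest.join('='))); } catch (e) { return null; }
  }
  return null;
}
```

The point of routing every script through `mayLoad` is that the consent decision and the loading decision cannot drift apart: a tag manager that fires analytics on page load and only "tells" the banner afterwards fails the check in the first row of the table regardless of how the banner looks. Storing the policy version with the record is what makes a consent renewal process enforceable rather than a calendar reminder.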

Missing or incomplete processor agreements: hosting providers, e-mailing tools, agencies or payment gateways process data without a proper data processing agreement or addendum, which blurs liability and increases the risk of sanctions.

Contractual and vendor audit: the attorneys at ARROWS, a Prague-based law firm, will map all suppliers, identify the role of controller or processor, prepare or review data processing agreements, set sub-processor terms, and establish a process for regular supplier assessments.

Non-existent or purely formal responses to customer requests: the e-shop has no process for handling rights of access, erasure or objection to marketing; requests get lost or are answered after the deadline. There is a risk of complaints and sanctions.

DSAR process setup: ARROWS, a Prague-based law firm, will prepare a clear workflow for requests, response templates, an internal policy, and train front-line employees to correctly identify and escalate requests.

Security incidents and data breaches: the e-shop has no incident response plan, does not know when and how to notify an incident to the authority (within 72 hours where a risk to individuals is likely) and to customers, and risks secondary reputational damage and a higher fine due to an unprofessional response.

Incident response and representation before authorities: the attorneys at ARROWS, a Prague-based law firm, help develop an incident response plan, set internal processes, and in the event of a real data breach represent the e-shop in notifying the supervisory authority and communicating with affected individuals.

Excessive data retention periods: the e-shop retains customer and behavioural data indefinitely without a clear purpose and documentation, which conflicts with the storage limitation principle (Article 5(1)(e) GDPR) and enlarges the impact of any data breach, since everything ever collected is exposed at once.

Retention and deletion policy: ARROWS, a Prague-based law firm, will set a retention policy for individual data types, align it with legal and business requirements, prepare deletion policies, and help ensure that IT systems can enforce them in practice.
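Both the retention policy paragraph above and the last row of the table end with the same requirement: the periods must be something IT systems can actually enforce. The following is an added example, not code from the article or from ARROWS, of what that enforcement looks like once the periods are decided: a schedule keyed by data category, with the event each period runs from, the action on expiry (delete versus anonymise), a legal-hold override, and a flag-for-review path for records nobody has written a rule for. Every period and legal basis string below is a placeholder, not a statement of Czech or EU law; the sample records are constructed. The anonymisation step goes beyond the text in one respect: it strips online identifiers and the internal customer key, not just the name, and coarsens the timestamp, because a record that still carries an IP address or a customer ID is not anonymous.

```javascript
// Added example: a retention schedule and the job that applies it to stored
// records. Not code from the article or from ARROWS. Every period below is a
// placeholder; the real figures come from the statutory and business analysis
// the article describes, not from this file.
'use strict';

const DAY = 24 * 60 * 60 * 1000;

// `clock` names the field the retention period runs from. For marketing
// contacts it is the last interaction, so a lapsed contact is not kept
// forever; for complaints and tickets it is the closing date, so an open
// case is never purged early.
const SCHEDULE = {
  order:     { days: 10 * 365, clock: 'createdAt',         onExpiry: 'anonymise', basis: 'accounting/tax retention (placeholder)' },
  complaint: { days: 4 * 365,  clock: 'closedAt',          onExpiry: 'delete',    basis: 'limitation period (placeholder)' },
  marketing: { days: 3 * 365,  clock: 'lastInteractionAt', onExpiry: 'delete',    basis: 'consent / legitimate interest (placeholder)' },
  support:   { days: 2 * 365,  clock: 'closedAt',          onExpiry: 'delete',    basis: 'business need (placeholder)' },
  weblog:    { days: 90,       clock: 'createdAt',         onExpiry: 'delete',    basis: 'security monitoring (placeholder)' },
};

// Fields that identify the person. Online identifiers (IP, cookie ID) and
// the internal customer key count as well: stripping only the name leaves
// personal data behind and the record is not anonymous.
const IDENTIFYING_FIELDS = ['name', 'email', 'phone', 'address', 'ip', 'cookieId', 'customerId'];

// Keep the business facts (amount, country, product data) for statistics,
// drop identifiers, and coarsen the timestamp to a month so the row can no
// longer be matched to a specific checkout.
function anonymise(record) {
  const out = {};
  for (const [key, value] of Object.entries(record)) {
    if (IDENTIFYING_FIELDS.includes(key)) continue;
    out[key] = key === 'createdAt' ? new Date(value).toISOString().slice(0, 7) : value;
  }
  out.anonymised = true;
  return out;
}

// Decide one record: legal hold beats everything, an open case is kept,
// an unknown category is flagged for a human rather than silently kept.
function decide(record, now) {
  const rule = SCHEDULE[record.category];
  if (!rule) return { action: 'review', reason: `no retention rule for category "${record.category}"` };
  if (record.legalHold) return { action: 'keep', reason: 'legal hold (pending dispute or inspection)' };
  const start = record[rule.clock];
  if (start === undefined) return { action: 'keep', reason: `${rule.clock} not set (record still open)` };
  const expiry = start + rule.days * DAY;
  if (now < expiry) return { action: 'keep', reason: `retained until ${new Date(expiry).toISOString().slice(0, 10)}` };
  return { action: rule.onExpiry, reason: `${rule.basis} expired` };
}

// Apply the schedule to a batch. In production the delete/anonymise lists
// drive the actual database job, and the same job must reach backups and
// processor copies; here it only returns the plan.
function applySchedule(records, now = Date.now()) {
  const plan = { kept: [], deleted: [], anonymised: [], review: [] };
  for (const record of records) {
    const d = decide(record, now);
    if (d.action === 'delete') plan.deleted.push(record.id);
    else if (d.action === 'anonymise') plan.anonymised.push(anonymise(record));
    else if (d.action === 'review') plan.review.push({ id: record.id, reason: d.reason });
    else plan.kept.push(record.id);
  }
  return plan;
}

// Constructed sample records (not real customer data), evaluated at a fixed date.
const NOW = Date.UTC(2026, 0, 1);
const SAMPLE = [
  { id: 'o1', category: 'order', createdAt: NOW - 11 * 365 * DAY, customerId: 42, name: 'A. Novak',
    email: 'a@example.com', ip: '203.0.113.7', total: 1290, country: 'CZ' },
  { id: 'o2', category: 'order', createdAt: NOW - 2 * 365 * DAY, customerId: 43, name: 'B. Svoboda',
    email: 'b@example.com', total: 450, country: 'CZ' },
  { id: 'c1', category: 'complaint', createdAt: NOW - 5 * 365 * DAY, closedAt: NOW - 5 * 365 * DAY, legalHold: true },
  { id: 'c2', category: 'complaint', createdAt: NOW - 5 * 365 * DAY },                  // still open
  { id: 'm1', category: 'marketing', createdAt: NOW - 6 * 365 * DAY, lastInteractionAt: NOW - 4 * 365 * DAY,
    email: 'm@example.com' },
  { id: 'l1', category: 'weblog', createdAt: NOW - 100 * DAY, ip: '198.51.100.9', path: '/cart' },
  { id: 'x1', category: 'crm_export', createdAt: NOW - 365 * DAY },                      // no rule yet
];

const PLAN = applySchedule(SAMPLE, NOW);
console.log(JSON.stringify(PLAN, null, 2));
```

Two design choices matter for an audit. First, the schedule is data, not code spread across systems, so it can be attached to the ROPA and compared against what the database job actually does. Second, unknown categories go to review instead of being kept by default: "we have no rule for it" is exactly the gap the supervisory authority will ask about, and a silent keep hides it.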

International reach, Czech specifics, and new trends

GDPR is directly applicable in all EU Member States, including the Czech Republic, but at the same time it allows individual states to regulate certain issues through national laws. In the Czech environment, the key supplementary regulation is the Act on the Processing of Personal Data (Act No. 110/2019 Coll., as amended), which implements certain flexible elements of GDPR and regulates, for example, the status and powers of the Office for Personal Data Protection (Úřad pro ochranu osobních údajů).

For e-shops, it is also important to monitor Czech case law and the positions of the Office for Personal Data Protection, especially in the areas of cookies, marketing, and employee monitoring, as these may specify how the general GDPR rules are applied in practice.

From an international perspective, it is crucial for e-shops that GDPR also applies to entities outside the EU if they offer goods or services to individuals in the EU or monitor their behaviour (Art. 3(2) GDPR). This has a major practical impact, for example, on the use of foreign cloud services, analytics tools, advertising platforms, or CRM systems that may have servers outside the EU.

Under the GDPR, personal data may be transferred to third countries only under the conditions of Chapter V: on the basis of a European Commission adequacy decision (Article 45), subject to appropriate safeguards such as Standard Contractual Clauses (SCCs) or binding corporate rules (Article 46), or, exceptionally, under one of the derogations for specific situations (Article 49).

The European Commission issues adequacy decisions for selected countries, territories, or sectors. It also issues them for organisations participating in specific frameworks (such as the EU-US Data Privacy Framework for certified organisations in the USA), which simplifies data transfers without the need for additional safeguards.

In recent years, a number of adequacy decisions have been adopted and updated, including for the United Kingdom after its withdrawal from the EU and for the United States of America with respect to organisations participating in a special privacy framework (EU-US Data Privacy Framework). For an e-shop using foreign tools, it is important to verify whether the particular provider, and the particular service, falls under one of these decisions, or whether it is necessary to enter into Standard Contractual Clauses and carry out a supplementary transfer risk assessment. Whichever route applies, it covers only the transfer itself: the Article 28 processor agreement with the provider is still required, and the transfer and its legal basis should be recorded in the ROPA.

The attorneys at ARROWS, a Prague-based law firm, have experience in setting up these international transfers for e-commerce clients and can also leverage the support of the ARROWS International network to address cross-border aspects.

A specific issue is also the processing of children's personal data, especially where an e-shop targets a younger audience or offers online services that children may use. The GDPR provides that, for consent to processing in connection with the offer of information society services directly to a child, the child must be at least 16 years old, while Member States may lower this threshold, but not below 13 (Article 8 GDPR). The Czech Republic has used this option: Act No. 110/2019 Coll. sets the age at 15 years, so an e-shop serving several EU markets may face a different threshold in each.

In practice, this means that if an e-shop targets younger users, it must consider how to verify age, how to present information in a way children can understand, and when parental consent is required.

A major trend in privacy protection is the strengthening of the data minimisation principle and “privacy by design” on a global scale, not only in the EU (Article 25 GDPR). A number of new legal frameworks, for example in certain U.S. states, are adopting the principle that the collection and use of personal data must be necessary and proportionate to the stated purposes, and merely “clicking through” terms may not be sufficient. For e-shops, this means that the strategy of “let’s collect as much data as possible, it might come in handy someday” is becoming increasingly risky from both a legal and reputational perspective.

Another trend is the increasing emphasis on transparency in algorithmic decision-making and profiling, including the data subject's right not to be subject to a decision based solely on automated processing that produces legal effects concerning them or similarly significantly affects them (Article 22 GDPR). In typical e-shops this provision is usually marginal, but it becomes relevant where a decision is taken purely by an algorithm, with no meaningful human involvement, and has a significant effect: for example automated refusal or approval of larger purchases, setting credit limits for deferred payment, or individualised dynamic pricing. Even where such a decision is necessary for the contract (one of the exceptions in Article 22(2)), the data subject must be able to obtain human intervention, express their point of view and contest the decision (Article 22(3)).

With the growing use of AI tools for personalisation, recommendation systems and customer scoring, the importance of this part of the GDPR can be expected to increase. Uncertainty and compliance costs are felt particularly by small and medium-sized enterprises, which often underestimate or postpone investments in personal data protection because they fear they cannot afford specialised teams or expensive technologies. In practice, however, a reasonable investment in basic legal set-up, training and processes is, in the long run, cheaper than dealing with the consequences of incidents, fines and disputes.

The attorneys of ARROWS, a Prague-based law firm, therefore often work with clients in several phases – from an initial audit and training through prioritising measures to gradually “closing out” the details – so that compliance is achievable even for smaller e-shops without an in-house legal department.

Final summary

Properly setting up the handling of personal data in an e-shop under the GDPR is not a one-off task, but an ongoing process that begins with understanding the basic principles and legal bases for processing, continues through technical and contractual arrangements, and ends with the day-to-day practice of employees who work with the data.

For entrepreneurs, investors and e-shop management, it is essential to view the GDPR as part of risk management – poorly configured consents, cookies or security processes can lead to high fines, litigation, the blocking of marketing activities, and serious reputational damage.

Legal training focused directly on e-shops is an effective way to align legal, IT and marketing perspectives and create a shared framework for day-to-day data-related decision-making. However, a one-off seminar is not enough; training should be linked to an audit of the current state, updates to documentation, the set-up of processes, and regular reviews in response to changes in the business, technology and legislation.

ARROWS, a Prague-based law firm, has experience with GDPR and e-commerce in both Czech and international contexts, is insured for damages up to CZK 400,000,000, and thanks to the ARROWS International network can also support clients with cross-border operations. If you do not want to risk mistakes, damages, delays or fines due to insufficient personal data protection set-up in your e-shop, it is safer to entrust the preparation of legal training, related internal policies and contracts to professionals. If you are interested in an individual consultation or preparing training for your team, you can contact the attorneys of ARROWS, a Prague-based law firm, at any time by e-mail at office@arws.cz.

FAQ: Frequently asked questions about legal training for e-shops

1. How long does high-quality GDPR legal training for an e-shop usually take, and how many people should attend?
The duration of the training depends on the scope and target audience, but for a basic understanding of the principles and e-commerce specifics, a minimum of approximately three to four hours for key roles appears appropriate, potentially split into multiple blocks by teams. Attendees should primarily include managers responsible for the e-shop, heads of marketing, IT, customer service, and other staff who regularly come into contact with data; others can be trained in a shortened format or via e-learning. If you want to set the optimal scope and participant mix based on the size and type of your e-shop, contact ARROWS, a Prague-based law firm, at office@arws.cz and the attorneys will propose a specific scenario.

2. We are a smaller e-shop with a few employees – is it worth investing in individual legal training, or is a general online course sufficient?
For smaller e-shops, general online courses may cover basic GDPR awareness, but they usually do not address specific situations such as the configuration of a particular platform, tools or marketing campaigns. Individual training, even if shorter, can uncover specific errors and risks that would otherwise remain hidden and later lead to costly problems, so the investment often pays off in the form of preventing incidents and disputes. If you are considering which training format is most suitable for you financially and practically, the attorneys of ARROWS, a Prague-based law firm, will be happy to prepare options tailored to your budget and needs at office@arws.cz.

3. Do we still need a separate legal audit after the training, or is it enough that employees are instructed?
Training alone is usually not sufficient, because the GDPR also requires documentation, contractual arrangements, a retention policy, processes for DSARs and incidents, and other elements that cannot be addressed solely by instructing employees. In most cases, a combination works best – an initial audit, followed by training, and then updates to documentation and processes based on the identified risks; the scope of the audit can be tailored to the size and complexity of the e-shop. ARROWS, a Prague-based law firm, commonly offers a modular approach where you can start with a smaller scope and then follow up with further steps according to priorities; just get in touch at office@arws.cz.

4. Can an attorney from ARROWS, a Prague-based law firm, prepare the training in both Czech and English if we have an international team?
Yes, for e-shops with an international team, a combination of Czech and English versions of the training is practically essential so that all key employees understand their obligations and risks in a language they speak. The attorneys at ARROWS, a Prague-based law firm, routinely prepare training in multiple language versions and can tailor the content to reflect both Czech and international regulation, including transfers of data to third countries. If you need multilingual training or have teams in different countries, contact ARROWS, a Prague-based law firm, at office@arws.cz to discuss the specific options.

5. Will ARROWS, a Prague-based law firm, also assist us in the event of an inspection by the Office for Personal Data Protection if an issue arises despite the training?
Yes, the attorneys at ARROWS, a Prague-based law firm, routinely represent clients during inspections by supervisory authorities, help prepare documentation, communicate with the authority, and propose a defence strategy, including any available remedies. Well-documented training and the measures adopted often help reduce the assessed severity of a breach and thus the amount of any potential fine, while ARROWS, a Prague-based law firm, thanks to its experience and professional liability insurance coverage of up to CZK 400,000,000, can effectively protect your interests. If you find yourself facing an inspection or a threatened sanction, do not delay and contact ARROWS, a Prague-based law firm, at office@arws.cz as soon as possible so the situation can be addressed in time.

Disclaimer: The information contained in this article is for general informational purposes only and serves as a basic guide to the issue as of 2026. Although we strive for maximum accuracy, laws and their interpretation evolve over time. We are ARROWS Law Firm, a member of the Czech Bar Association (our supervisory authority), and for the maximum security of our clients, we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of the regulations and their application to your specific situation, it is necessary to contact ARROWS Law Firm directly (office@arws.cz). We are not liable for any damages arising from the independent use of the information in this article without prior individual legal consultation.

Read also: