RoPA for E-Commerce: 8 Typical Processing Activities

Practitioner note: This is not legal advice. For specific situations, consult a qualified attorney or compliance officer.

TL;DR

  • 8 typical e-commerce processing activities with lawful basis, data categories, recipients, retention — copy directly into your RoPA Excel
  • Order fulfillment retains 10 years (German Commercial Code/Tax Code); cookies max. 12 months
  • Newsletter: consent-based; document opt-in plus opt-out trail
  • Marketplace sales (Amazon, eBay) add separate processing activities for platform data flows
  • Excel format is sufficient if complete, dated, audit-ready; quarterly review cadence

1. Order Fulfillment

Purpose: Contract performance. Lawful basis: Art. 6(1)(b) GDPR. Data categories: master data, addresses, payment data, order data. Recipients: payment service providers, shipping carriers, tax advisor. Retention: 10 years (HGB/AO, German Commercial Code/Fiscal Code).

2. Customer Account

Purpose: Login plus order history. Lawful basis: Art. 6(1)(b). Data categories: credentials, profile data. Retention: until account deletion plus 12 months grace period.

3. Newsletter

Purpose: Marketing. Lawful basis: Art. 6(1)(a) consent. Data categories: email, click behavior. Recipients: newsletter provider (Brevo, Mailchimp). Retention: until withdrawal plus 3 years for proof-of-consent.

4. Cookies / Tracking

Purpose: audience measurement, personalization. Lawful basis: Section 25 TDDDG (German Telecommunications and Digital Services Data Protection Act) plus Art. 6(1)(a) consent. Retention: max. 12 months (DPA Conference position).

5. Product Reviews

Purpose: marketing plus quality feedback. Lawful basis: Art. 6(1)(f) legitimate interest. Data categories: pseudonym, review content. Retention: max. 5 years.

6. Shipping Tracking

Purpose: contract performance plus customer service. Lawful basis: Art. 6(1)(b). Recipients: DHL, UPS, Hermes, DPD. Retention: 6 months after delivery.

7. Returns Management

Purpose: contract performance. Lawful basis: Art. 6(1)(b) plus (f). Retention: 10 years (tax records).

8. Retargeting / Display Advertising

Purpose: personalized advertising. Lawful basis: Art. 6(1)(a) consent. Recipients: Google Ads, Meta Pixel. Retention: 12 months.

Summary

Eight processing activities cover the standard GDPR scope of a small to mid-size online shop. For marketplace sellers, add separate entries per platform (Amazon Seller Central, eBay, Otto Marketplace) because these create independent data flows. Update the RoPA quarterly and immediately after launching any new feature. Excel format is fully audit-ready when complete, dated, and version-controlled.


Frequently Asked Questions

Is an Excel spreadsheet sufficient?
Yes, if complete, dated, and audit-ready.
How often should it be updated?
Quarterly is recommended, and immediately for every new processing activity.
Is anything missing?
For marketplace sales (Amazon, eBay): additional processing activities for platform data flows.
