So you have an amazing business idea, you thought it through, made financial and marketing plans, and decided to offer your products and services on your website.

It doesn’t take much to create one. Without having to know a single line of code, in just a few clicks, using ready-made templates, you have just opened an online store or an informational website about your business. Welcome to the internet.

Now, before hundreds of buyers fly to your website to spend their hard-earned money, there are some requirements for your website to be legally compliant.

You’ve probably heard of the GDPR law, cookie and privacy policy, acceptable use policy, refund policy (so many policies), terms and conditions, disclaimers, and similar.

All those things might seem so complex when reading about it online.

After all, the internet was supposed to help you sell goods easily, not the opposite.

This is why we’ve talked to Shpati Hoxha, a founding partner of the Albanian law firm Hoxha Memi Hoxha, with over 17 years of experience, to help you with these issues.

Here are some of the questions that mostly concern site owners selling goods or services online and his advice for each.

1. I heard of the GDPR law, but I am not sure if it affects my website. What exactly is the law and what does it mean to make a website legally compliant?


The GDPR (General Data Protection Regulation) is a new set of rules of the European Union (EU) that governs collection and processing of personal data.

As a rule, the GDPR does not apply to your site, if you are not established in the EU. The GDPR will however apply if you process personal data in relation to the offering of paid or unpaid goods or services to data subjects who are in the EU.

The GDPR will also apply if you are not established in the EU, but in a place where an EU Member State law applies by virtue of public international law.

To make a website GDPR compliant means first of all having a legal justification for data collection and processing activates. Obtaining the prior explicit consent of the data subject is the most common legal justification for the lawful processing of personal data.

Other justifications may be invoked under the GDPR for the lawful processing of personal data, for example, to satisfy a contract to which the data subject is a party, but specific conditions will apply.

In order for processing to be lawful, the consent of the data subject, the consent must:

  • be informed (this means that a setoff information must be given beforehand to the data subject, typically through a privacy policy);
  • be given freely (this means that the consent should not be a condition for accessing the website);
  • be specific (this means that the purpose of each specific use of the personal data must be consented);
  • be unambiguous (this means that an active choice, e.g. checking a box, is needed, and silent consents would generally not suffice);
  • be revocable (this means that the data subject must be able to withdraw the given consent at any time).

In order to have a lawful processing a privacy policy must be made available to the data subject. The privacy policy should inform the data subject, in a concise, transparent and plain language on the main aspects of the data processing activities, including who is the data processor, what is the purpose of the collection, how will the data is processed, how/where it will be stored, who may be granted access to it and what are the rights of the data subject etc.

Under the GDPR, data subjects may be additionally “associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

The use of these identifies, which are generally called “Cookies”, will be generally treated as personal data under the GDPR, as long as they are able to identify online users. As such, apart from cookies that are strictly necessary for the functioning of a website, will be subject to the GDPR requirements (specific consent, information, withdrawal etc.). With respect to the use of cookies, the provisions of the E-Privacy Directive are also relevant.

Note that the GDPR also requires the adoption of appropriate technical and organizational measures to ensure the protection of personal data.

Small business that do not have appropriate IT infrastructure and resources should rely on GDPR complaint serve providers.

Special requirements apply to larger organizations and to data processors that conduct higher-risk data processing activities.

If you are established outside of the EU, you must additionally consider if your website complies other requirements applicable in your jurisdiction. Having a GDPR compliant website will not necessary imply compliance with local requirements applicable in non-EU jurisdictions.

Useful information on how to implement the GDPR may be found in this link.

2. My company is not based in Europe but I only work with EU clients/website visitors. My website doesn't really collect personal data of those visitors, only email addresses. Do I really need to make my site GDPR compliant?

As mentioned, the GDPR will apply if you process personal data in relation to the offering of paid or unpaid goods or services to data subjects who are in the EU, even if you are not established in the EU.

Under the GDPR, personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

As such, if you collect e-mail addresses of data subjects who are in the EU, you must ensure that your website is GDPR compliant.

3. I have an e-commerce business selling products online. Do I need to have terms of use for each transaction?

In e-commerce transactions with a buyer being a consumer, the seller is required to provide a certain set of information before each order is place. This information includes at least:

  • Procedural steps for the stipulation of the contract between the parties;
  • Contract terms and general conditions;
  • Technical modalities to identify and correct errors before the placement of the order/request by the buyer;
  • The languages of the contract;
  • Archiving and access of the contract by the seller (if applicable)

For B2B e-commerce transactions, the above information may be avoided if the parties so agree.

Contract terms and general conditions must be provided to the buyer in a way that allows him to store and reproduce them.

4. Do I need to have a privacy policy on my website? If yes, in brief, what should it contain?

The privacy policy should inform the data subject, in a concise, transparent and plain language on at least the following:

  • The identification of the data controller/processor, its location and contact information;
  • The categories of personal data that are collected;
  • The methods used to collect the personal data;
  • The purpose of collecting personal data;
  • For what purpose will be the personal data be used;
  • Whether the personal data will be shared with third parties, categories of such third parties and purpose of sharing the data;
  • The location of storage of the personal data, security precautions and time limits for the storage of personal data;
  • Organizational measures adopted to protect privacy, safety and integrity of personal data, etc.
  • The type of cookies and cookie management policy
  • The rights available to the data subject;
  • Information on how to contact the data controller and the authorities.

    Examples of simple GDPR compliant privacy policy may be found in this link.

    5. How do I use pictures without copyright infringement?

    It is quite common for bloggers or small businesses to use pictures found on the internet. The fact that a picture found online may be easily downloaded or coped free of charge, does not mean that it is not protected by copyright.

    As such, it is a good practice to avoid using any picture found on the internet.

    To avoid copyright infringement claims, you should either use your own artwork, or purchase licenses from reputable stock image providers.

    If you are on a budget, you may also use pictures provided on free-to-use license, with or without attribution for the author.


    Disclaimer: This material is intended for general information purposes only and does not constitute legal advice or an opinion of any kind. Readers of this material are advised to seek specific legal advice by own legal counsel. The inclusion of links to other sites does not imply our recommendation or endorsement. We do not recommend nor are we responsible for any third-party content that may be accessed through links to another site.