Many non-European sellers assume GDPR doesn't apply to them. That's a costly misconception. The moment you sell products to consumers in the EU — on Amazon.de, bol.com, or your own Shopify store — European privacy law applies, even if your company is based in the US, China, Australia, or anywhere else outside the EU.
The General Data Protection Regulation (GDPR) is the world's strictest privacy law. And it doesn't only apply to European companies.
Why GDPR applies to you as a non-EU seller
GDPR has a wide territorial scope. Article 3 states explicitly: the regulation applies to any organisation that offers goods or services to people in the EU — regardless of where that organisation is established.
🌍 In plain terms: the moment a European consumer visits your product page, places an order, or signs up for your newsletter, you are processing the personal data of EU residents. That puts you squarely under GDPR.
Personal data you typically process as an ecommerce seller includes:
- Name, email address and delivery address
- Payment details
- Browsing behaviour and cookies on your website
- Purchase history and return requests
- Customer service messages
What are your obligations under GDPR?
As a non-EU seller selling to European consumers, you have a number of concrete obligations. These are the most important ones:
1. Privacy policy
You need a clear, readable privacy notice that explains what data you collect, why, for how long you retain it, and who you share it with. It must be available in the language of the consumer — Dutch for Dutch customers, German for German customers.
2. Legal basis for processing
Every processing activity involving personal data requires a legal basis. In most ecommerce scenarios the relevant bases are performance of a contract (for orders), consent (for newsletters and marketing), and legitimate interest (for fraud prevention).
3. Cookie policy and consent
If your website places non-essential cookies — such as Google Analytics, Meta Pixel, or remarketing tags — you need explicit consent from the visitor. A simple banner with an "Accept" button is not enough. Visitors must also be able to actively decline, without losing access to the site's core functionality.
4. Data subject rights
EU consumers have legal rights over their personal data: access, correction, deletion, objection to marketing, and data portability. You are required to respond to such requests within one month.
5. Data breach notification
If a data breach occurs involving the personal data of EU residents, you must notify the relevant supervisory authority within 72 hours.
What are the risks of ignoring GDPR?
The fines are significant. GDPR has two tiers:
- Up to €10 million or 2% of global annual turnover for technical violations
- Up to €20 million or 4% of global annual turnover for fundamental violations of rights and principles
And it's not just regulators who enforce. EU consumers can file complaints directly with their national data protection authority — the AP in the Netherlands or the BfDI in Germany. In 2025, tens of thousands of complaints were filed about foreign webshops and marketplace sellers.
⚠️ Marketplaces like bol.com and Amazon.de also require sellers to operate in a GDPR-compliant manner. Non-compliance can lead to listing removal or account suspension.
GDPR and your marketplace account
Amazon and bol.com have their own data processing agreements that sellers must accept. These govern how customer data is processed and shared for order fulfilment. Once that data reaches your systems, you become the data controller.
This means: if you export customer data to your own CRM, email marketing tool, or ERP system, you are responsible for how that data is used and retained.
Practical steps to become GDPR-compliant
GDPR is complex, but a few targeted steps make the biggest difference for ecommerce brands:
- Add a GDPR-compliant privacy policy to your website in all languages of your target markets. Useful SaaS tools include iubenda and Termly.
- Implement a proper cookie consent manager that complies with the ePrivacy Directive — so visitors can actively give or decline consent.
- Set up an internal process for handling consumer requests about their personal data.
- Limit the retention period of customer data in your CRM and sales systems to what is strictly necessary.
- Sign data processing agreements with all parties that process customer data on your behalf, such as your fulfilment provider or customer service partner.
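The cookie-consent requirement above (a banner with only an "Accept" button is not enough; visitors must be able to decline without losing the site) is easiest to see in code. The following is an added example, not code from the original article or from Crossello: a small default-deny consent gate that injects non-essential tags only after an active opt-in, treats a missing or corrupt stored choice as "no decision yet", and re-asks after an assumed 180 days. The tag names, script URLs, button ids and storage key are invented placeholders.

```javascript
// Added example (not from the original article): a default-deny consent gate
// for non-essential tags. Tag ids, categories, script URLs, element ids and
// the storage key below are invented placeholders.

const CONSENT_STORAGE_KEY = 'consent_v1';  // placeholder storage key
const CONSENT_MAX_AGE_DAYS = 180;          // assumed interval after which consent is asked again
const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];

// Constructed catalogue mapping each tag to the consent category it needs.
const TAG_CATALOG = {
  'cart-session':  { category: 'necessary', src: null },                                  // set server-side, nothing to load
  'analytics-tag': { category: 'analytics', src: 'https://example.invalid/analytics.js' },
  'ads-pixel':     { category: 'marketing', src: 'https://example.invalid/pixel.js' },
};

// State before any choice: only strictly necessary processing. Nothing is
// pre-ticked, so a visitor who ignores the banner is never tracked.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, decidedAt: null };
}

// Turn a banner interaction into a consent record. 'necessary' can never be
// switched off, unknown categories are ignored, and 'reject_all' is a
// one-click choice with the same weight as 'accept_all'.
function recordDecision(choice, now = Date.now()) {
  const consent = defaultConsent();
  if (choice === 'accept_all') {
    for (const c of OPTIONAL_CATEGORIES) consent[c] = true;
  } else if (choice === 'reject_all') {
    // all optional categories stay false
  } else if (choice && typeof choice === 'object') {
    for (const c of OPTIONAL_CATEGORIES) consent[c] = choice[c] === true;
  } else {
    throw new Error('unknown consent choice: ' + String(choice));
  }
  consent.decidedAt = now;
  return consent;
}

// A stored record only counts if it is an actual decision and not stale.
function isValidConsent(consent, now = Date.now()) {
  if (!consent || typeof consent.decidedAt !== 'number') return false;
  const ageMs = now - consent.decidedAt;
  return ageMs >= 0 && ageMs <= CONSENT_MAX_AGE_DAYS * 24 * 60 * 60 * 1000;
}

// Tags permitted under a consent record; anything invalid falls back to default-deny.
function allowedTags(consent, catalog = TAG_CATALOG, now = Date.now()) {
  const effective = isValidConsent(consent, now) ? consent : defaultConsent();
  return Object.keys(catalog).filter(id => effective[catalog[id].category] === true);
}

// Inject only the permitted scripts into `doc` (the DOM document, or a stand-in).
// Declined tags are never added, so declining costs the visitor no site functionality.
function applyConsent(consent, doc, catalog = TAG_CATALOG, now = Date.now()) {
  const loaded = [];
  for (const id of allowedTags(consent, catalog, now)) {
    const src = catalog[id].src;
    if (!src) continue;                         // server-side necessity, nothing to inject
    const el = doc.createElement('script');
    el.src = src;
    el.async = true;
    el.setAttribute('data-consent-tag', id);
    doc.head.appendChild(el);
    loaded.push(id);
  }
  return loaded;
}

// Persistence; `storage` is window.localStorage or any object with getItem/setItem.
function loadConsent(storage) {
  try {
    const raw = storage.getItem(CONSENT_STORAGE_KEY);
    return raw ? JSON.parse(raw) : null;
  } catch (e) {
    return null;                                // missing or corrupt record = no decision yet
  }
}

function saveConsent(storage, consent) {
  storage.setItem(CONSENT_STORAGE_KEY, JSON.stringify(consent));
}

// Browser entry point; guarded so the module also loads outside a DOM.
// Button ids are hypothetical; both buttons should be equally prominent.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const existing = loadConsent(window.localStorage);
  if (isValidConsent(existing)) applyConsent(existing, document);
  const onChoice = choice => {
    const consent = recordDecision(choice);
    saveConsent(window.localStorage, consent);
    applyConsent(consent, document);
  };
  const accept = document.getElementById('consent-accept');
  const reject = document.getElementById('consent-reject');
  if (accept) accept.addEventListener('click', () => onChoice('accept_all'));
  if (reject) reject.addEventListener('click', () => onChoice('reject_all'));
}
```

In the browser this runs on every page load and only ever adds a script after a stored, still-valid opt-in; outside a DOM only the pure functions are exercised. The design choice worth copying is that the "no record" and "broken record" paths both collapse to the default-deny state rather than to "accept".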
How a Merchant of Record helps
A Merchant of Record (MoR) acts as the legal selling party towards European consumers. This also has implications for GDPR responsibility: the MoR appears on the invoice and processes customer data as the data controller in the EU.
This means the MoR takes on a significant part of the GDPR responsibility for the transactional flow — from order to delivery and return. For non-EU brands without their own European entity, this is a key advantage: you have a local European party managing consumer-facing data processing, and a party that European regulators can hold accountable.
💡 Crossello acts as Merchant of Record for non-EU brands selling through European marketplaces. We are the registered European seller and process customer data in compliance with GDPR. You retain full control over your brand and your product.
Want to know how to sell compliantly in Europe without setting up a European entity? Get in touch for a no-obligation conversation.