Processing of personal data according to the GDPR


On this page you can find important information on the processing of personal data for users of JTL-Shop. It addresses a lot of questions that often come up within the scope of the General Data Protection Regulation (GDPR).

Please note that while this page provides you with useful information on the matter, it is not meant as legal consultation. For legally binding statements on the topic of the EU’s GDPR, please consult a legal adviser.

Go to GDPR help pages for JTL-Wawi


Processes and data storage in the software

In the following PDF you will find a table explaining where personal data is processed and stored in JTL-Shop. The information can be used by operators of JTL-Shops to answer enquiries about the rights of access and deletion.

PDF: Table overview for the storage of personal data in JTL-Shop 5

Data security

Transport encryption: how does JTL ensure that the transport of personal data is encrypted?

Personal data is stored in the JTL-Shop database (for the purpose of order processing). This data is synchronised with JTL-Wawi and partly also used in emails such as order confirmations. Depending on the plug-ins/extensions, there may even be an exchange of personal data with a third-party service provider (e.g. for credit assessment). Below we have listed a few tips to ensure data security:

  • Make sure that your online shop has a valid SSL certificate and that insecure HTTP requests are redirected to the secure protocol HTTPS (“SSL Only”).
  • Ensure that all communication to and from the online shop is done via the secure HTTPS protocol. This applies in particular to the online shop URL in the settings for the online shop connection in JTL-Wawi.
  • Make sure that you use TLS for encrypted transmission in as many email settings as possible (email settings in JTL-Wawi (Admin > Global), SMTP email settings in the shop back end, local email programs).
  • Restrict back-end access as well as access to maintenance tools such as phpMyAdmin as much as possible (restrict the number of admin staff and, if necessary, take technical measures such as IP restrictions or .htaccess protection).

Application security: What protective measures against unauthorised access does the application include?

It is particularly important to protect the admin back end of the online shop against unauthorised access. For this purpose, JTL-Shop natively offers 2-factor authentication, which prevents unauthorised logins even if login data such as user name and password has been stolen. Further reading: Two-factor authentication.

The user administration of the admin back end allows group-based rights management as well as time-limited access, e.g. for support purposes. Use this option to prevent unauthorised or accidental access to personal data.

It is still absolutely necessary to keep the online shop as well as the server operating system and all other software components up to date and to install security patches/updates promptly. In the worst case, all data from the online shop could be accessed via critical security vulnerabilities in outdated versions of JTL-Shop or operating systems.

Privacy by design and privacy by default: Which default settings ensure the best possible data protection?

The form settings in JTL-Shop are preset to the necessary minimum according to the principle of data minimisation.

All communication to third-party interfaces such as PayPal or the use of the VAT ID check takes place via SSL-secured connections.

Rights of the data subjects

Right to be forgotten – will all personal data be deleted in due time?

Most personal data is automatically removed from JTL-Shop as soon as the purpose for storing it in JTL-Shop no longer applies. For example, personal data for guest orders will be deleted from JTL-Shop by JTL-Wawi after the order has been shipped or cancelled.

Right of erasure: How do I delete all personal data of the data subject upon request?

In JTL-Shop, a registered customer can delete their personal data (includes customer data as well as billing and delivery addresses) themselves after logging in via My account > Delete customer account. Please note: The deletion of the customer account in the online shop has no effect on the personal data of the data subject stored in JTL-Wawi.

Possibilities of the shop operator to delete personal data: In addition to deletion via JTL-Wawi and the subsequent online shop synchronisation, deletion is possible directly in the database of the online shop (see tables with personal data listed in PDF).

The deletion in JTL-Wawi and, if applicable, third-party software must usually be carried out separately.

Right of access and data portability: How do I export personal data in a structured format?

You can export personal data in just a few steps with JTL-DataTransfer: Tutorial: Exporting customer data with JTL-DataTransfer.

You can check whether the customer is also a newsletter recipient and whether personal data is available for this in the JTL-Shop back end (Marketing > Promotions > Newsletter > All subscribers) or in the shop database table tnewsletterempfaenger. In the case of newsletter recipients, the personal data includes: form of address, first name, last name, email address. An export with structured data is, for example, possible via phpMyAdmin with the integrated export function.

Cookies in JTL-Shop

Session cookies

JTL-Shop uses the technically necessary session cookie JTLSHOP by default. If this cookie is blocked in a visitor’s browser, the visitor will not be able to add items to the shopping basket (among other things). The cookie contains the visitor’s session ID, which links the session to the respective visitor/customer. The lifetime of this session cookie is set by default so that the cookie is deleted as soon as the browser is closed. The lifetime can optionally be set via the admin back-end setting Cookie lifetime (setting no. 1568).

Please note: Plug-ins, template adjustments or custom code snippets installed or added by the online shop operator may use additional cookies.

Google reCAPTCHA

JTL-Shop offers the option to activate a Google reCAPTCHA plug-in to use for various forms.

Google reCAPTCHA helps distinguish humans from bots. Cookies are used in the visitor’s browser and the visitor’s IP address and the user agent are recorded.
Google’s own, separate data protection regulations apply to this data:

Notes on the use of cookies

Additional (third-party) cookies are used depending on the use of extensions, template customisations or third-party snippets. Unfortunately, the various embedding options do not allow automatic recognition of third-party cookies by the online shop software.

Cookies that fall into the tracking/analysis/advertising category are currently considered to be technically unnecessary. The associated services are to be initially deactivated so that no tracking takes place.

Via informed consent, you can encourage your visitors to activate these cookies to use the corresponding services.

The use of such extensions or snippets and the associated obtaining of consent to the use of technically unnecessary cookies are the responsibility of the online shop operator.

How do I know which other cookies are used in my online shop?

The cookies used can be easily displayed in modern desktop browsers.
Important: Depending on the embedding type, some cookies may only be set on subpages in which third-party snippets are implemented. It may therefore be necessary to check various pages of the website for the use of cookies.
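
As a complement to the browser check, the following added example (not part of JTL's documentation or software) audits Set-Cookie response headers recorded from several shop pages: it reports every cookie other than JTLSHOP and flags a JTLSHOP cookie that survives closing the browser or lacks the Secure flag. The page paths, cookie values and the "example_widget" cookie are constructed sample data; cookies that third-party snippets set via JavaScript do not appear in response headers and still have to be checked in the browser.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "JTLSHOP"  # default session cookie named in this documentation

# Constructed sample: Set-Cookie headers recorded per shop page (paths, values
# and the "example_widget" cookie are made up for illustration).
CAPTURED = {
    "/": ["JTLSHOP=3f9c1a; path=/; Secure; HttpOnly"],
    "/contact": [
        "JTLSHOP=3f9c1a; path=/; Secure; HttpOnly",
        "example_widget=abc; Max-Age=31536000; path=/",
    ],
    "/checkout": ["JTLSHOP=3f9c1a; Expires=Wed, 01 Jan 2031 00:00:00 GMT; path=/"],
}


def audit_cookies(captured):
    """Return (page, cookie, finding) tuples for everything worth reviewing."""
    findings = []
    for page, headers in captured.items():
        for header in headers:
            jar = SimpleCookie()
            jar.load(header)
            for name, morsel in jar.items():
                if name != SESSION_COOKIE:
                    # Plug-ins, template changes or snippets may add cookies.
                    findings.append((page, name, "additional cookie"))
                    continue
                if morsel["expires"] or morsel["max-age"]:
                    # Default lifetime: deleted when the browser is closed.
                    findings.append((page, name, "survives browser close"))
                if not morsel["secure"]:
                    # Without Secure the session ID may travel over plain HTTP.
                    findings.append((page, name, "missing Secure flag"))
    return findings


if __name__ == "__main__":
    for page, name, finding in audit_cookies(CAPTURED):
        print(f"{page}: {name}: {finding}")
```

A JTLSHOP cookie reported as surviving the browser close is not necessarily a fault: it can also mean that the Cookie lifetime setting has been changed from its default.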



Further FAQs on the GDPR

Does JTL help with questions regarding the implementation of the GDPR?

While we cannot provide legal assistance, we try to assist you as much as possible with information on data processing in our software applications.

You can find a sample data privacy notice that is compliant with the EU’s GDPR here:

If you have any legal questions, please contact your legal advisor.