Shopify is a Canadian-headquartered SaaS platform with EU operations. For German Shopify stores, this means DSGVO compliance is achievable — but requires conscious configuration. Many German Shopify stores running today are technically non-compliant in ways that would surface during a Datenschutzbehörde audit or after a customer complaint. The fix is mostly procedural, not technical, but you have to actually do it.
This guide walks through what DSGVO compliance for a Shopify store in Germany actually requires in 2026: AVV/DPA signing, cookie banner setup, sub-processor management, customer data export/erasure flows, and the US-Canada data residency reality you need to disclose.
For broader DSGVO context see our GDPR compliance guide.
What does DSGVO require of a German Shopify store?
Eight requirements that apply specifically:
1. Signed AVV / DPA with Shopify
Shopify publishes a Data Processing Addendum (DPA), the English-language equivalent of an AVV (Auftragsverarbeitungsvertrag, Art. 28 DSGVO). By its own terms the DPA is incorporated into the Shopify Terms of Service for merchants subject to the GDPR, so there is no separate signature step. What an auditor will ask for is a dated copy on file, plus an AVV from every app vendor that processes customer data, before the store goes live.
2. Sub-processor list maintained and disclosed
Shopify relies on its own sub-processors (Cloudflare and its cloud hosting providers, for example; Shopify publishes the current list), and every app you install adds more. Document the platform and each app as Auftragsverarbeiter in your Datenschutzerklärung and re-check the list whenever you add or remove an app.
3. Cookie banner with consent gating
Every non-essential script that stores or reads identifiers on the visitor's device (Meta Pixel, Google Ads, Klaviyo identify, analytics) must not execute until explicit opt-in consent has been recorded (§ 25 TDDDG plus Art. 6(1)(a) DSGVO). A banner that overlays the page while the scripts already fire does not count.
4. Legal pages: Impressum, Datenschutzerklärung, AGB, Widerrufsbelehrung
Required and linked from footer + checkout. Template from IHK or Trusted Shops.
5. Customer data export endpoint
Customers must be able to obtain a copy of the personal data you hold on them (Art. 15 DSGVO; Art. 20 adds portability in a machine-readable format for data they provided themselves).
6. Customer data erasure flow
Customers must be able to request deletion of their account (Art. 17). Reconcile this with the statutory retention of accounting records under § 147 AO / § 257 HGB (8 years for invoices and other Buchungsbelege since 2025, 10 years for books and annual accounts) by pseudonymizing the customer record while keeping the order and invoice data; Art. 17(3)(b) DSGVO covers that retained data.
7. Granular consent at signup
Newsletter signup and account creation each have explicit consent. No pre-ticked boxes.
8. Documentation of TOMs
Technical and Organizational Measures (Art. 32 DSGVO): how you protect the data. Shopify documents its own measures (referenced from the DPA); you document yours: who holds staff accounts and with which permissions, two-factor authentication on the store owner and staff logins, which apps have read access to customer data, and how exports and invoices are stored and deleted.
What about Shopify’s US/Canada data residency?
This is the most-asked question. The honest 2026 reality:
Shopify is Canadian-headquartered. Customer data is typically processed across Shopify’s global infrastructure including US regions. Shopify has EU offices and EU customer support but the underlying infrastructure is multi-region.
Is this DSGVO-compliant?
Yes, with proper configuration:
- Keep Shopify's DPA on file (it is incorporated into the Terms of Service for merchants subject to the GDPR)
- The DPA incorporates the EU Standard Contractual Clauses for the international transfer
- Shopify describes supplementary measures for Schrems II in its DPA; since 2023 a transfer to a US importer certified under the EU-US Data Privacy Framework can also rely on that adequacy decision, so check the importer's certification status and record in your transfer impact assessment which mechanism you rely on
- Disclose the transfer, the mechanism and the recipient countries in your Datenschutzerklärung (Art. 13(1)(f) DSGVO)
Is it ideal?
DSGVO-strict cases (regulated industries, public-sector buyers, very privacy-conscious customer base) benefit from self-hosted alternatives like WooCommerce on Hetzner or Shopware self-hosted for cleaner data residency.
Most German B2C and standard B2B setups work well with properly configured Shopify and remain legally defensible.
For full data-residency context see our Shopify vs WooCommerce Germany guide and Shopify vs Shopware Germany guide.
How do you set up a DSGVO-compliant cookie banner on Shopify?
Four options:
Cookiebot
Most popular globally. Strong DSGVO posture. Auto-categorizes cookies. EU-region-pinnable. ~€10–€60/month depending on traffic.
Borlabs Cookie (German company)
Made in Hamburg, strong DSGVO posture, and a native German vendor, which keeps the AVV simple. Note that Borlabs Cookie is built as a WordPress plugin; confirm with the vendor that a Shopify integration exists for your setup before you plan around it.
Real Cookie Banner
Configurable, developer-friendly and popular with German agencies. Like Borlabs, it originates as a WordPress plugin, so verify Shopify support rather than assuming it.
Consentmanager
German-market focused. Strong compliance posture.
Skip relying on Shopify's built-in "Customer Privacy" settings alone. They gate Shopify's own pixels and app pixels that consult the Customer Privacy API, but a Meta or Klaviyo snippet pasted into theme.liquid, or an app that ignores the API, fires regardless. Use a real cookie banner and wire every script to it.
What sub-processors does a typical German Shopify store have?
Document each in Datenschutzerklärung:
- Shopify (Canada/EU) — platform
- Stripe (Ireland for EU) — payment processing (if using Shopify Payments)
- Klarna (Sweden) — Klarna payments
- PayPal (Luxembourg for EU) — PayPal payments
- Klaviyo (US/EU) — email marketing (with DPA)
- Trusted Shops (Germany) — reviews + trust seal
- Sendcloud / Shipcloud (Netherlands/Germany) — shipping
- Sufio / invoicing app — invoice generation
- Analytics tool (Plausible EU / Matomo / GA4)
- Cookie banner tool
Each requires an AVV/DPA on file, disclosure in the Datenschutzerklärung, and a review of the list whenever you add or remove an app.
How do you handle customer data export and erasure on Shopify?
Data export (Article 15)
Shopify has a built-in customer-data-request flow: open the customer in Admin → Customers and use the "Request customer data" action. Shopify compiles the data it holds (profile, addresses, order history) and makes it available to the store owner to forward; it is not a self-service download for the customer, so name the request channel (an e-mail address is enough) in your Datenschutzerklärung.
Verify that every installed app holding customer data also answers the request. Shopify forwards it to apps through the mandatory customers/data_request webhook, and an app that stores customer data but ignores that webhook is a gap in your Art. 15 response, not Shopify's.
Data erasure (Article 17)
Shopify has built-in erasure: open the customer record and use the "Erase personal data" action rather than plain deletion. Shopify redacts the customer's identifying fields, anonymizes the linked orders and notifies installed apps through the customers/redact webhook, so the financial records survive.
Note: § 147 AO and § 257 HGB require accounting records to be kept for 8 or 10 years depending on document type (invoices and other Buchungsbelege 8 years since 2025, books and annual accounts 10 years), and Art. 17(3)(b) DSGVO expressly permits retaining data needed to meet such a legal obligation. Shopify's erasure therefore pseudonymizes the customer record while preserving the order data for retention. This is the correct approach; state the retention basis in your reply to the customer.
Custom app data
Custom and third-party apps storing customer data must implement export and erasure themselves. Shopify requires every app to subscribe to the three mandatory compliance webhooks (customers/data_request, customers/redact, shop/redact) and to verify the HMAC signature on each delivery. Verify before launch that your own apps do this and that the erasure path keeps what the tax retention rules require.
What about Klaviyo, Meta Pixel, and other marketing tools?
Standard pattern:
Klaviyo
- Sign Klaviyo DPA
- Use Klaviyo's EU data region where your account allows it
- Klaviyo identify (the JS snippet that ties the browser session to a known customer) must wait for cookie consent, and so must the onsite tracking script that loads it
- Email opt-in is double-opt-in (German standard)
Meta Pixel
- Document Meta as sub-processor
- Pixel script gated behind cookie consent (do NOT load before consent)
- Use the Conversions API alongside the Pixel for resilience; server-side delivery lets you decide which fields leave your systems, but it is still a transfer to Meta and needs the same consent signal (pass the visitor's consent state to your server and drop events for visitors who declined)
Google Analytics 4
- DSGVO-configurable, but it needs deliberate setup and a consent basis
- The Universal Analytics anonymize_ip flag does nothing in GA4, which does not log or store full IP addresses; what still needs your attention is switching off Google Signals and granular location and device data collection for the EU, and choosing the event data retention period (2 or 14 months)
- Gated behind cookie consent; Google Consent Mode only changes what gtag sends, and its "advanced" mode loads the tag and sends cookieless pings before opt-in, so for a German store use basic mode (no tag before consent)
- Consider Plausible (EU-hosted and cookieless; Plausible argues this removes the consent requirement, a reading German supervisory authorities have not uniformly endorsed) or Matomo (self-hostable in Germany, with a cookieless mode) as alternatives
TikTok Pixel, Pinterest Pixel, etc.
Same pattern. Each needs an AVV/DPA, disclosure as a sub-processor, and cookie-consent gating of the pixel and of any server-side events API you feed from the store.
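The gating pattern the Klaviyo, Meta Pixel and GA4 lists above describe, as an added example written for this article (not code from the article, from Shopify or from any CMP vendor): tags are registered with a consent category at page load, nothing is injected until the banner reports that category as granted, and withdrawal stops further loads. The script sink is injectable so the same logic runs in Node for testing; the loader URLs are the vendors' public ones with placeholder ids, the banner callback is assumed to hand over a plain object of booleans, and the Shopify visitorConsentCollected event name is cited from its Customer Privacy API as I recall it, so verify it against the current docs. The loadPixelUngated function shows the mistake the "common mistakes" section below calls out.

```javascript
'use strict';

// Consent categories a German banner normally offers. "necessary" needs no consent
// (§ 25 Abs. 2 TDDDG) and is always on; "analytics" and "marketing" are gated.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// Browser sink: appends a <script> to <head>. Only this function touches the DOM.
function domInject(src, attrs) {
  const el = document.createElement('script');
  el.async = true;
  el.src = src;
  for (const [k, v] of Object.entries(attrs)) el.setAttribute(k, v);
  document.head.appendChild(el);
}

// The gate. `inject` is injectable so the logic can be exercised in Node without a DOM.
function createConsentGate(inject = domInject) {
  const consent = { necessary: true, analytics: false, marketing: false };
  let pending = [];   // tags whose category has not been granted yet
  const loaded = [];  // ids of tags already injected, in load order

  function flush() {
    const still = [];
    for (const tag of pending) {
      if (consent[tag.category]) {
        inject(tag.src, tag.attrs || {});
        loaded.push(tag.id);
        if (typeof tag.onload === 'function') tag.onload();  // e.g. the fbq('init', ...) call
      } else {
        still.push(tag);
      }
    }
    pending = still;
  }

  return {
    // Register a tag at page load. It is injected now only if its category is already granted.
    register(tag) {
      if (!CATEGORIES.includes(tag.category)) {
        throw new Error(`unknown consent category: ${tag.category}`);
      }
      pending.push(tag);
      flush();
    },
    // Wire this to the banner's accept/decline callback (assumed to pass booleans per category)
    // or to Shopify's visitorConsentCollected event. "necessary" can never be switched off.
    update(choices) {
      for (const c of CATEGORIES) {
        if (c !== 'necessary' && typeof choices[c] === 'boolean') consent[c] = choices[c];
      }
      flush();
      return { ...consent };
    },
    // Withdrawal stops future loads, but a script already on the page keeps running
    // until reload; a compliant page therefore reloads after a withdrawal.
    withdraw() {
      consent.analytics = false;
      consent.marketing = false;
      return { ...consent };
    },
    loaded: () => loaded.slice(),
    pending: () => pending.map((t) => t.id),
  };
}

// The anti-pattern: inject first, ask later. The request to Meta has already left the
// browser before consent is even looked at, which is exactly what a network tab will show.
function loadPixelUngated(inject, consentGiven) {
  inject('https://connect.facebook.net/en_US/fbevents.js', {});
  return consentGiven ? 'loaded with consent' : 'loaded WITHOUT consent';
}

// Store wiring with a recording sink (constructed run). Ids in the URLs are placeholders.
function demo() {
  const requests = [];
  const gate = createConsentGate((src) => requests.push(src));

  gate.register({ id: 'klaviyo', category: 'marketing',
    src: 'https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=PLACEHOLDER' });
  gate.register({ id: 'meta-pixel', category: 'marketing',
    src: 'https://connect.facebook.net/en_US/fbevents.js' });
  gate.register({ id: 'ga4', category: 'analytics',
    src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' });

  const beforeConsent = requests.length;               // nothing has fired yet
  gate.update({ analytics: true, marketing: false });  // visitor accepts analytics only
  const afterAnalytics = gate.loaded();                // only ga4
  gate.update({ marketing: true });                    // later opt-in via the settings dialog
  return { beforeConsent, afterAnalytics, final: gate.loaded(), requests };
}
```

Two design choices matter for the audit. Registration never injects on its own; only a granted category does, so a tag added by a later theme edit cannot bypass the banner. And withdrawal is deliberately not a "remove script" operation, because a loaded pixel has already set its cookies and cannot be unloaded from JavaScript; reloading the page after a withdrawal is what actually honours the choice.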
What are the most common Shopify DSGVO mistakes German stores make?
Five patterns:
Cookie banner that doesn’t actually gate scripts
Banner looks compliant but tracking scripts still fire before consent, usually because a tag was pasted into theme.liquid or a tag manager container loads on page view instead of on the consent event. This is the most common DSGVO violation and the easiest to prove: open the network tab in a fresh private window and look for requests to facebook.com, google-analytics.com or klaviyo.com before you have clicked anything.
Not signing AVV / DPA
Treating the AVV as done because Shopify publishes one. The DPA applies by incorporation into the Terms of Service, but an auditor will ask for your dated copy and for the AVV of every app that touches customer data; most stores have neither on file. Technically non-compliant.
Forgotten apps with customer data
A free app installed for a test 6 months ago that still has access to customer data. Audit your app permissions quarterly.
Incomplete legal pages
Impressum missing required elements (Handelsregister number and court, Vertretungsberechtigte, USt-IdNr.). Datenschutzerklärung copy-pasted from a template without adapting it to the actual data flows, so it names tools you do not use and omits apps you do.
No documented data export and erasure process
Customer requests data — and no one knows the process. Document the workflow before you’re under time pressure to respond.
When should you consider switching to a self-hosted alternative?
Five signals to evaluate WooCommerce / Shopware:
- Regulated industry where data residency in Germany is required
- Public-sector buyers with strict data sovereignty
- B2B customers with specific data location requirements in contracts
- Sensitivity to Shopify’s pricing trajectory
- Complex DPA negotiation needs
For most German B2C and standard B2B stores, properly-configured Shopify is defensible.
Frequently Asked Questions About Shopify DSGVO Compliance in Germany
Is a Shopify store DSGVO-compliant out of the box?
Not out of the box, but yes with proper configuration: DPA on file, cookie banner, gated scripts, sub-processor list, legal pages, export/erasure flows.
Does Shopify's US/Canada infrastructure rule out DSGVO compliance?
Not with the DPA plus SCCs (or the EU-US Data Privacy Framework where the importer is certified) and disclosure; for strict cases, self-hosted alternatives offer cleaner residency.
Which cookie banner works for a German Shopify store?
Cookiebot and Consentmanager offer Shopify integrations; Borlabs Cookie and Real Cookie Banner are strong German CMPs that originate as WordPress plugins, so confirm Shopify support before committing.
Do I need to sign Shopify's DPA?
The DPA is incorporated into the Terms of Service for merchants subject to the GDPR rather than signed separately; keep a dated copy on file before you go live with personal data, and collect an AVV from every app vendor.
How do I use Klaviyo in a DSGVO-compliant way?
Sign Klaviyo's DPA, prefer the EU region, use double opt-in, and gate the onsite tracking and identify scripts behind cookie consent.
How do I handle a customer's data export or erasure request?
Use Shopify's built-in actions on the customer record, confirm each installed app answers the matching compliance webhook, and respond within one month (Art. 12(3) DSGVO; extendable by two further months for complex requests if you inform the customer).
Can I use Shopify even though the servers are not in the EU?
Yes; compliance rests on contractual and technical safeguards (DPA, SCCs or DPF, disclosure), not server location alone.
How do I reconcile erasure requests with the retention of accounting records?
Pseudonymize the customer record while preserving order and invoice data for the statutory retention period; Art. 17(3)(b) DSGVO covers the retained data.
Need help with Shopify DSGVO compliance?
If you’re setting up or auditing DSGVO compliance on your German Shopify store and want a 30-minute scoping conversation, book a meeting or send details via our contact page.