Be legally compliant by implementing edrone

Tips and steps to take before implementing the edrone tool

Written by Ilona Srebnicka
Updated over a week ago

E-commerce law is evolving as fast as your business opportunities. We know that sometimes it's hard to keep up with everything. This article is a quick guide on how to act legally when running an online store and implementing edrone.

Keep in mind, however, that the regulations in your country regarding e-commerce law may differ from the ones in Poland.

GDPR in e-commerce

The GDPR, which governs the privacy of personal data and has been in effect since 2018, has firmly established itself in our legal consciousness. That is why this article does not focus on theory, but only gives you the tips and steps you should follow as an online store owner before implementing edrone.

You are the data controller

When you run an online store, you decide for yourself what personal data of your customers you will acquire, how you will acquire it, what you will use it for, and to whom you will transfer it (e.g. to edrone in connection with our cooperation). These are the elements that make you the Administrator of your customers' personal data.

As a Personal Data Administrator, you should:

  • take care to process customers' personal data in accordance with the law - data processing is regulated by the GDPR and, to a limited extent, by the Personal Data Protection Act and other acts, but it is the GDPR that is the legal basis you need to know (REMEMBER - according to the GDPR, every operation on personal data is "processing", e.g. when you acquire a customer's personal data for the purpose of sending a newsletter, or send a customer a message related to the purchasing process, you are processing their data);

  • fulfill your information obligation to your customers - that is, inform them who will process their data, on what basis, for what purpose, whether the data will be transferred to other entities (e.g. edrone), whether it will be transferred to third countries, etc. (here we are only signaling this problem - the information obligation is regulated by Article 13 of the GDPR);

  • take care of data security (you are the one who implements appropriate solutions to keep your customers' data safe, you are the one who keeps the required documentation, and if something happens to your customers' data - you may be responsible for it).

Your obligations as a Personal Data Controller are regulated by Article 24 of the GDPR - this is a regulation you need to know!

Where to start?

First, read Articles 13 and 24 of the GDPR. Review your GDPR documentation with special attention to your PRIVACY POLICY. You've probably noticed that most websites have privacy policies. Interestingly, the obligation to create such a document does not come directly from the regulations. However, it has become accepted practice to create, instead of several separate documents on the processing of personal data and other obligations under the current legislation, one document that comprehensively regulates all these issues. Parties that do not process personal data do not have to worry about compliance with GDPR and will not have to prepare a privacy policy.

You, however, as the owner of an online store, will process customers' personal data, for example:

  • collecting newsletter signups;

  • collecting sign-ups for loyalty clubs, etc.;

  • selling your products;

  • contacting customers through forms;

  • the ability for customers to add product reviews;

  • activities related to website traffic analytics, cookies, and other tracking files (we have prepared a separate article on cookies for you).

For the sake of comfort and legal compliance, it is worthwhile to ensure a transparent, comprehensive, and continuously updated privacy policy.

The necessary changes to the privacy policy related to the use of edrone are covered later in this article.

Marketing Consents (GDPR and other regulations)

Because the GDPR is directly applicable throughout the European Union, after reading the previous section of this article you may have been assured that it is the same in your country. E-commerce law, however, is governed not only by the GDPR - which is the same throughout the European Union - but also by other national regulations.

Therefore, when reading this part of the article on marketing consents, remember that this is an example concerning the regulations in use in Poland. Different regulations will apply in your country (they will probably be similar in substance, but you should check).

It is impossible to imagine running an online store without effective marketing activities. Most of them (e.g., sending newsletters) will involve the processing of personal data - i.e., WE WILL OPERATE UNDER GDPR, but not only GDPR, because the need to obtain consent for most marketing activities in Poland stems from the Telecommunications Law and the Law on the provision of electronic services.

According to GDPR, any processing of personal data requires an appropriate legal basis (Article 6(1) of GDPR). Simply put, whatever we do with our customers' personal data, we must base our operations on the premises listed in the above-mentioned provision of GDPR. The most well-known premise is consent to process the data subject's data, but there are others - such as the legitimate interest of the Controller, or the performance of a contract.

Remember! Before you start processing your customers' personal data, check in Art. 6 GDPR which premise listed there corresponds to your actions - without this, you cannot legally process your customers' data.

It might seem logical that the appropriate basis for processing data for direct marketing is the consent of the data subject (Article 6(1)(a) GDPR) - but that would be a mistake!

The proper basis for processing data for marketing is your legitimate interest (Article 6(1)(f) GDPR) - that is, in light of GDPR, we can process customers' personal data based on the premise of legitimate interest.

This we already know - now we need to remember that, in addition to GDPR, regulations under the Telecommunications Law and the Law on Provision of Electronic Services are relevant in the context of direct marketing.

What does this mean for us? Simply put, if we want to send information of a marketing nature, in most cases we will need the customer's consent.

Remember! Marketing dispatches may require the customer's consent (this does not result from GDPR, but from other applicable regulations - the provisions of the communications law and the act on provision of electronic services).

What conditions should marketing consent meet?

For a customer's consent to receive marketing content from us to be legal, it must be:

  • VOLUNTARY - the customer must be able to refuse to receive marketing content;

  • CONCRETE - the customer must know what marketing activities they are agreeing to and the scope of those activities (we don't collect blanket consents that are confusing for the customer);

  • CONSCIOUS - the customer must know what they are actually consenting to;

  • UNIVERSAL - a clear affirmative action by the customer (checkboxes can no longer be checked by default, thus leaving no opportunity for self-checking);

  • EXPRESSED IN THE FORM OF A DECLARATION OR EXPRESS AFFIRMATIVE ACTION - when running a store, you have to show that the customer really did consent to marketing (in case of an audit, you will be the one who will have to show that the consents were properly collected).

In short, we cannot have any doubt that the customer wants to receive marketing content from us.

Tips for marketing consent

  • formulate consents in the simplest possible language;

  • in the consent clause, add information that it can be withdrawn at any time;

IMPORTANT! It must be as easy to withdraw consent as it is to give it - don't make it difficult for customers to withdraw consent.

  • use the Double Opt-In model when obtaining consent (you will learn about its advantages later in this article);

  • remember that you can implement the information obligation (Article 13 of the GDPR) in layers (by referring, for example, to your privacy policy available on your website).

Examples of marketing consent clauses

Below is an example of a marketing consent clause that can be used when setting up a store account:

⬜ I declare that I am at least 16 years old (*16 is the minimum age of a person who, in accordance with the GDPR, may consent to the processing of his/her data), I know and accept the provisions of the Terms and Conditions (link) and Privacy Policy (link) ("mandatory field").

⬜ I agree to the processing of my personal data for marketing purposes and to receive commercial information from [store_name] using telecommunication terminal equipment (e.g., telephone) and electronic communication means that I have voluntarily entered (e.g., SMS or e-mail). ("optional field")

Privacy policy update

We have already said in this article that the privacy policy is the place that comprehensively regulates data processing and other regulatory obligations related to the operation of the store, so we suggest adding a passage such as this to your Privacy Policy:

On the basis of this consent, we will be able to contact you via e.g. phone, SMS or e-mail (depending on what data you give us at registration) for the purpose of promoting [store_name]'s services or goods, including but not limited to presenting information about current promotions or marketing actions. At any time you can opt out of receiving commercial information from [store_name] by withdrawing your consent.

Example of marketing consent for newsletter subscription

Marketing activities are very often conducted through the Newsletter. Below is an example of a marketing consent for subscribing to the Newsletter:

I consent to the processing of my personal data by XYZ for the purpose of receiving marketing information about products and services by means of electronic communication (e-mail). You can learn about the rules of processing your data in our Privacy Policy (LINK)


I agree to receive free commercial information and marketing information in the form of a newsletter under the terms of the Terms and Conditions (link) / Privacy Policy (link)

IMPORTANT: As of January 2023, we must take into account the provisions of the Omnibus Directive when formulating the Newsletter sign-up checkbox.

You can find more information about the OMNIBUS Directive and Newsletter Subscription here:

Single opt-in, double opt-in - which model to choose when building a recipient base?

When building your Newsletter recipient base, you can use the following subscription models:

  1. DOUBLE OPT-IN - the customer will receive a message with a link activating the Newsletter subscription, the so-called "registration confirmation message";

  2. SINGLE OPT-IN - the customer will be immediately added to the Newsletter base without the need to confirm the subscription in the activation message.

We recommend choosing the Double Opt-in model: after an email address is entered in the Newsletter subscription form, an automatically generated message with an activation link is sent to the user. After clicking on the received link, the user is added to your subscriber base.

IMPORTANT: The DOUBLE OPT-IN sign-up model is a model that is considered secure from the point of view of data processing and legal compliance.

What should the registration confirmation email look like?

We present an example of the content of the email (in the double opt-in model) - Registration confirmation message:

Great! You're almost signed up for our exclusive newsletter. Before you click on the activation link, please read this information (link to Privacy Policy). Remember that the Administrator of your data is: XYZ based in K.

You can always correct or rectify your data, revoke your consent at any time, or even request data transfer or deletion. The list of entities to whom we entrust your data is here. We do this in order to provide our services to the best of our ability. Your data will be kept for as long as necessary to secure your rights (e.g. the warranty period or statute of limitations when you buy a product). If you have any questions or concerns, please email us at Your safety and trust is most important to us!

P.S. Remember that you can always file a complaint with the President of the Office for Personal Data Protection, based in Warsaw, Poland.

Build your customer base legally

The solutions we've outlined for building your customer base (Double Opt-in model, marketing consent guidelines, proposed privacy policy updates) are designed to help you build your customer base safely and legally.

IMPORTANT: Using purchased customer bases is dangerous and can expose you to audits, fines, and even court proceedings.

Update the privacy policy - when you start using edrone

We've already mentioned that the primary document in which you can place all legally mandated content is the Privacy Policy.

Remember that the Privacy Policy should be tailored to the individual needs of your store and is intended to serve you and your customers first and foremost - so we strongly discourage the use of ready-made templates for these documents or copying them from other stores' websites.

There is no single template for a privacy policy - the regulations only provide guidance on the content of such a document.

Remember! According to GDPR, edrone will be a processor - an entity to which you transfer your customers' personal data in connection with edrone's provision of services to you. You must inform your customers of this - do so by updating your privacy policy.

Can I combine email and text message consents?

No, we recommend separating consents. This practice is indicated as recommended in Polish and European jurisprudence.

Should I inform customers about this after making changes to my privacy policy? In what form?

This can be done in several ways. We recommend sending a newsletter to your entire customer base, where you mention the changes to the privacy policy and add a link to the relevant policy. Here is an example of how edrone customers do it:

Still need help?

If you still have any questions about processing your customers' personal data, marketing consents, or other e-commerce law issues go ahead and write to us at
