General Data Protection Regulation (GDPR)

On May 25, 2018 new data privacy regulations known as the General Data Protection Regulation (GDPR) go into effect in the European Union (EU). As a WineDirect client, here are some key pieces of information you should be aware of.

GDPR is a complicated regulation and there are many aspects that should be considered. Especially if you have a large number of EU customers or contacts, we encourage you to consult with a lawyer to ensure you are fully prepared and compliant. Please note that this page does not constitute legal advice, we have simply gathered the information for your reference.

For further guidance, the following regulators within the European Union have provided specific guidance on the GDPR:

As you evaluate what changes you might need to make to comply with GDPR, here are a few common issues you should consider:

Privacy Notice

You need to provide a Privacy Policy or Privacy Notice to everyone whose data you process. This includes customers as well as non-customers.

Customer Consent

You must secure specific consent before processing an individual’s data. This is of particular concern when opting people in to your marketing emails. Make sure you specifically ask customers or tasting room visitors if they want to opt into these types of communications. The same is true for cookies: if you currently use cookies to identify visitors to your website, you’ll want to review how you apply those to EU residents.

Note that receipt and order tracking emails are considered transactional communications and are exempt from this requirement.

Data Access and Portability

The GDPR gives individuals the right, in certain circumstances, to request a copy of their personal data that is being processed by a company. The GDPR requires that you provide your customers with a copy of their personal data in a common, easily readable, and portable format, so that they can use that data with a different service provider. This is covered in full in Article 20 of GDPR.

For WineDirect clients, all your customer data is accessible via the Admin Panel and can be easily exported to Excel via Reports. If you need help or have questions about accessing or exporting specific customer data, please contact support.

Right to Erasure or “Right to be Forgotten”

The GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data. This is covered in full in Article 17 of GDPR. If you receive such a request, please contact the support team or your Fulfillment Account Manager and we can help you do this.


What is GDPR?

GDPR stands for General Data Protection Regulation. It is the European Union’s new data privacy law and governs how companies use and process the personal data of European users. Additionally, it gives individuals specific rights over their personal data, including a right to access, correct, delete, and restrict processing of their data.

When does it come into effect?

May 25, 2018

My winery/business is not located in Europe. Do I need to worry about this?

Yes. GDPR affects all businesses who use and process personal data of any European Union (EU) citizen. It does not matter physically where your business is located.

What does “personal data” mean?

Personal data includes any piece of information that can be linked to an individual, such as name, email address and zip code. GDPR also considers information such as an IP address to be personal information. Click here for a full definition of what constitutes personal data under GDPR.

If a customer asks for a copy of their personal data, or wants me to erase their personal data, what do I do?

You can use Reports to extract your customers’ personal data from WineDirect - such as order history, credit card information, phone number and address.

If you have questions, or if a customer requests a data erasure, email or your Fulfillment Account Manager and we’ll assist you in executing the request.

How can I erase customer data while also maintaining accurate sales records for my business?

GDPR offers exceptions to erasure of customer data.  You may find that information in Article 17 of GDPR.  GDPR states that you are allowed to retain data on customers for the following reasons:

  • Compliance requirements enforced by governmental agencies.
  • Defense, establishment, or exercise of legal claims.

Based on the above, it is valid for you to retain customer sales information due to the compliance reporting requirements of various governments. Also, customer sales information is required by enforcement agencies in cases where fraud is suspected.

What steps has WineDirect taken to make sure my customers’ data is secure?

WineDirect is committed to maintaining the highest level of data security. We encrypt all data during transmission and we take reasonable measures to ensure our system is secure and non-breachable. Learn more about our security and PCI Compliance.

What is the difference between a “Data Processor” and a “Data Controller”?

Data Processor and Data Controller are terms used in the GDPR. Data Controller refers to the party that determines how and for what purposes personal data is processed. Data Processor refers to the party that processes personal data on behalf of the Controller. In this case, the Data Controller is you (the winery) and the Data Processor is WineDirect.

Have another question about GDPR? Please email us at or your Fulfillment Account Manager.