Intershop is an enterprise e-commerce platform developed by Intershop Communications AG in Jena, Germany. It powers B2B, B2C and B2X online shops for manufacturers, wholesalers and retailers across Europe. Intershop sets session, authentication and shopping cart cookies that are strictly necessary, but most production deployments also load optional analytics, recommendation and marketing modules that require prior consent under the GDPR and the ePrivacy Directive.
Intershop is one of the oldest German enterprise e-commerce platforms, developed by Intershop Communications AG in Jena since 1992. The current Intershop Commerce Platform is a Java-based, modular suite that powers B2B, B2C and B2X shops for manufacturers, wholesalers and large retailers. It is typically deployed as a managed cloud service on AWS, Microsoft Azure or Google Cloud, but on-premises installations remain common in regulated industries. Like every modern shop platform, Intershop relies on cookies and identifiers to keep the shopping cart, session and customer account consistent across page views.
A standard Intershop deployment sets a session cookie, an authentication cookie once the user signs in, and one or more cart cookies that hold the link between the visitor and a server-side basket. These cookies are first party and strictly necessary for the shop to function. On top of that, the platform processes order data, addresses, payment metadata, customer accounts, support tickets and product browsing history. Optional modules add tracking pixels, recommendation identifiers, A/B testing cookies and marketing automation tags, none of which are strictly necessary.
For the strictly necessary cookies, the ePrivacy carve out in Article 5(3) of the ePrivacy Directive applies, so prior consent is not required. Order, account and address data are processed under contract performance (Article 6(1)(b) GDPR), which does not need consent either, but does require transparency under Articles 13 and 14 GDPR. Behavioural analytics, recommendations and marketing tags loaded by Intershop modules require prior consent under section 25 TTDSG in Germany or its equivalent in other EU member states, because they store and read identifiers on the visitor device beyond what is strictly necessary.
The session and cart cookies rely on contract performance and the ePrivacy strictly necessary exemption. Marketing, personalisation and analytics modules rely on consent under Article 6(1)(a) GDPR. Fraud prevention features, such as device fingerprinting and risk scoring shared with payment service providers, usually rest on legitimate interest (Article 6(1)(f) GDPR) with a documented balancing test. The shop operator is the controller; Intershop Communications AG acts as a processor under Article 28 GDPR for the managed cloud offerings.
On-premises Intershop installations keep customer data inside the operator's infrastructure, which can be kept entirely in Germany or in the EU. The Intershop Commerce Platform managed offerings, however, run on AWS, Microsoft Azure or Google Cloud, all of which involve US parent companies as additional controllers or sub-processors. That means transfers to the United States are very likely, and Standard Contractual Clauses or the EU-US Data Privacy Framework must be relied on. Operators should map their connected services (PSP, ERP, marketing automation, CDP) and document the resulting transfer chain.
Classify the Intershop cookies into strictly necessary, functional, analytics and marketing categories in your CMP. Keep cart and login cookies always on, but block all behavioural modules until consent is granted. Sign the Intershop data processing agreement, document the hosting region and the involved hyperscaler, and update your privacy notice with the recipients and transfer mechanisms. Run a DPIA for B2C shops with profiling, recommendation engines or sensitive product categories.
DPIA considerations
A DPIA is normally required when the Intershop platform is used to process large volumes of B2C customer data, profiling and behavioural recommendations, or when sensitive product categories (health, pharmacy, financial services) are sold. The combination of long term customer profiles, behavioural analytics modules and frequent integration with marketing automation and customer data platforms means controllers should evaluate Article 35 GDPR triggers carefully, even though core checkout processing alone would not always require a DPIA.
Sample consent text
Our online shop runs on the Intershop Commerce Platform. We use strictly necessary cookies for your shopping cart, login and order processing, which do not require your consent. With your permission we also load optional Intershop analytics, recommendation and marketing modules that share aggregated browsing data with our analytics provider and, where applicable, with cloud infrastructure providers in the United States.
Third-party domains contacted
intershop.com, intershop.de, cloud.intershop.com, cdn.intershop.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| JSESSIONID | first_party | Session | Java server session identifier created by the Intershop application server to bind the visitor to a stateful session across requests. Strictly necessary for shopping cart and checkout. |
| intershop_basket | first_party | 30 days | Persistent shopping cart cookie used to retain the basket between visits and reattach it to the visitor after the session expires. Strictly necessary for cart functionality. |
| intershop_user | first_party | 30 days | Authenticated user identifier set after sign in to maintain the customer session across the storefront. Required for personalised content and order history. |
| intershop_pref | first_party | 12 months | Stores currency, language and storefront preferences chosen by the visitor to keep the experience consistent across visits. |
| intershop_ab | first_party | 90 days | Optional A/B testing cookie set by the Intershop personalisation module to allocate visitors to test variants. Requires prior consent. |
| intershop_reco | first_party | 12 months | Recommendation engine identifier used by the Intershop recommendation cartridge to personalise product suggestions. Requires prior consent. |
A default Intershop installation sets a session cookie (typically JSESSIONID or a renamed equivalent) that ties the visitor to a server-side session, a basket cookie that links the visitor to a persistent shopping cart, and an authentication cookie once the user signs in. Optional modules add analytics, recommendation, A/B testing and marketing cookies that are not strictly necessary. The exact list depends on the installed cartridges, hyperscaler integrations and any third-party plugins.
Consent is not required for the strictly necessary cookies that keep the shopping cart, session and login working, because they fall under the ePrivacy strictly necessary exemption in Article 5(3) of the ePrivacy Directive. Consent is required for analytics, recommendation, A/B testing, marketing and personalisation cookies loaded by additional Intershop modules or third party tags. These tags must remain blocked until the visitor opts in through a compliant CMP.
Account creation, login, checkout and order fulfilment are based on contract performance under Article 6(1)(b) GDPR. Marketing emails, behavioural personalisation and analytics are based on consent under Article 6(1)(a) GDPR. Fraud prevention and security monitoring are usually based on legitimate interest under Article 6(1)(f) GDPR. Statutory record keeping for tax and invoicing is based on legal obligation under Article 6(1)(c) GDPR.
It depends on the hosting model. On-premises installations can be operated entirely from Germany or another EU country, with no transfer to the US. The managed Intershop Commerce Platform offerings run on US hyperscalers (AWS, Microsoft Azure, Google Cloud), which involves US parent companies as sub-processors. In that case transfers must rely on Standard Contractual Clauses or the EU-US Data Privacy Framework and must be disclosed in the privacy notice.
A DPIA is generally required when the shop handles large volumes of B2C customer data, performs profiling or behavioural recommendation, integrates with marketing automation and CDPs, or sells sensitive product categories. A pure B2B shop with low data volumes and no profiling might not need one, but most modern Intershop deployments meet at least two of the Article 35 GDPR triggers, so a documented DPIA is recommended.
Map the cookies generated by the core platform and by each enabled cartridge, classify them in your CMP, and keep cart/login cookies always on while gating analytics and marketing modules behind consent. Sign the Intershop data processing agreement, configure data residency settings, document the hyperscaler and any sub-processors, and update your records of processing activities. Implement granular access controls in the back office and run a DPIA where appropriate.
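One way to check the mapping and gating step, as an added example that is not Intershop's or this page's own code: it audits the `Set-Cookie` headers seen on a first page load, before any CMP choice, against the cookie table above. The function names, the category assigned to each cookie and the sample headers are assumptions made for illustration.

```javascript
// Inventory from the cookie table on this page. requiresConsent is true only
// where the table says "Requires prior consent"; the category labels are an
// assumption and should follow your own CMP configuration.
const INVENTORY = new Map([
  ["JSESSIONID",       { category: "strictly_necessary", requiresConsent: false }],
  ["intershop_basket", { category: "strictly_necessary", requiresConsent: false }],
  ["intershop_user",   { category: "strictly_necessary", requiresConsent: false }],
  ["intershop_pref",   { category: "functional",         requiresConsent: false }],
  ["intershop_ab",     { category: "analytics",          requiresConsent: true }],
  ["intershop_reco",   { category: "marketing",          requiresConsent: true }],
]);

// Extract the cookie name from one Set-Cookie header value.
function cookieName(setCookie) {
  const pair = setCookie.split(";", 1)[0];
  const eq = pair.indexOf("=");
  return (eq === -1 ? pair : pair.slice(0, eq)).trim();
}

// Sort cookies set before consent into three buckets:
//   allowed      - in the inventory and exempt from consent
//   violations   - consent-gated cookies that were set anyway
//   unclassified - not in the inventory (renamed session cookie, new
//                  cartridge, third-party plugin) and still to be mapped
function auditPreConsent(setCookieHeaders) {
  const report = { allowed: [], violations: [], unclassified: [] };
  for (const header of setCookieHeaders) {
    const name = cookieName(header);
    const entry = INVENTORY.get(name);
    if (!entry) report.unclassified.push(name);
    else if (entry.requiresConsent) report.violations.push(name);
    else report.allowed.push(name);
  }
  return report;
}

// Constructed sample: response headers from a first visit with no consent given.
const SAMPLE_HEADERS = [
  "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
  "intershop_basket=b-1; Max-Age=2592000; Path=/; Secure",
  "intershop_reco=r-42; Max-Age=31536000; Path=/",
  "SHOPSESSION=zz9; Path=/; HttpOnly", // hypothetical renamed session cookie
];
console.log(auditPreConsent(SAMPLE_HEADERS));
```

A non-empty `violations` list means a consent-gated module is not blocked by the CMP; `unclassified` entries are cookies the inventory does not yet cover.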
Direct alternatives for enterprise B2B e-commerce include SAP Commerce Cloud, Salesforce Commerce Cloud, Adobe Commerce (Magento), Oracle Commerce, Spryker and commercetools. For B2C heavy retail there are also Shopware (German), Shopify Plus and BigCommerce. From a GDPR perspective Shopware and Spryker are interesting alternatives because they are headquartered in Germany; commercetools also offers strong EU hosting options.
List the strictly necessary cookies (session, cart, login) with their names and durations and explain that they fall under the ePrivacy exemption. List each additional Intershop module that sets cookies (analytics, recommendation, A/B testing, marketing) with its purpose, retention and the recipient, and link to your CMP for granular controls. Mention the hosting provider as a sub-processor and document any transfers to the US in the privacy notice.