OXID eShop is a German open-source e-commerce platform developed by OXID eSales AG, headquartered in Freiburg im Breisgau. Available in Community, Professional, and Enterprise editions, it powers thousands of B2C and B2B online stores in Germany, Austria, and Switzerland and beyond. Because it is self-hosted, the merchant remains the data controller for all customer data and chooses the server location, the infrastructure, the modules, and therefore the data flows. The platform is built around a PHP core (Smarty templates up to version 6, Twig from version 7) and is highly extensible through modules and themes; the core sets only functional cookies for the cart, the session, and visitor preferences, while marketing or analytics cookies come from whichever modules the merchant enables.
The platform itself sets a small number of strictly necessary cookies: the session identifier (sid), a session checksum (sid_key), and the language and currency preferences. Optional cookies depend on the active modules: newsletter trackers, social pixels, recommendation engines, analytics scripts, payment gateway scripts, and reCAPTCHA. OXID eShop stores customer data (name, address, phone, email, order history, password hashes) in its own MySQL/MariaDB database, fully under the merchant control.
For German merchants, both GDPR and TTDSG apply (the TTDSG was renamed TDDDG in May 2024; the section numbering is unchanged). TTDSG section 25 requires consent before any non-essential storage of, or access to, information on the user device, including marketing pixels, analytics, and personalisation cookies. The strictly necessary cookies of OXID eShop (cart, session, language, security) are exempt under section 25(2) no. 2 TTDSG because they are needed to provide the service the visitor explicitly requested. The order data itself is processed under Art. 6(1)(b) GDPR for contract performance and Art. 6(1)(c) for compliance with tax and commercial law obligations.
OXID eShop itself does not transfer data to third countries. Transfers arise from the modules a merchant chooses to enable: PayPal, Stripe, Klarna, Mollie, Adyen for payment; Google Analytics, Matomo, etracker for analytics; Facebook Pixel, Google Ads, Microsoft Advertising for marketing. Each of these modules has its own GDPR profile. A typical EU-only setup uses EU-hosted payment providers, Matomo, and a privacy-friendly newsletter solution to keep all flows inside the EEA.
Deploy a Consent Management Platform (CMP) compatible with the OXID eShop module ecosystem, list every module-generated cookie in the cookie policy, document the merchant DPAs with each module vendor, choose EU-hosted alternatives for analytics and email when possible, and apply data minimisation in the customer account (avoid collecting fields you do not strictly need). Provide a clear deletion workflow for customer accounts under Art. 17 GDPR.
DPIA considerations
OXID eShop processes the full customer lifecycle: account creation, order, payment, delivery, and post-sale communication. Because it is self-hosted, the controller is the merchant. Key DPIA considerations: (1) order data including name, address, phone, email, and purchase history is processed under Art. 6(1)(b) for contract performance; (2) payment data is generally tokenised through gateway modules, but the choice of gateway determines whether US transfers occur; (3) recommendation and personalisation modules constitute profiling under Art. 4(4) GDPR, and fall under Art. 22 only where they drive solely automated decisions with legal or similarly significant effects (for example an automated refusal of a payment method based on a score); (4) marketing modules (newsletter, social pixels, retargeting) require consent and a cookie banner; (5) B2B installations may process limited employee personal data of customer staff. A DPIA is recommended for stores with personalisation, loyalty programmes, or scoring features.
Sample consent text
Our online store runs on OXID eShop. We use strictly necessary cookies to keep your cart, session, and language preference, and only set marketing or analytics cookies after you have given consent through the cookie banner. Your order and account data is processed to fulfil the purchase and to comply with our legal obligations (Art. 6(1)(b) and (c) GDPR). You can manage your consent at any time via the cookie settings.
Third-party domains contacted
oxid-esales.com, www.oxid-esales.com, docs.oxid-esales.com, github.com/OXID-eSales
These are the vendor's own documentation and source-code sites. A self-hosted storefront does not load resources from them; the domains a visitor's browser actually contacts are determined by the active modules and must be checked per installation.
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sid | Strictly necessary / Session | Session (end of browser session) | Stores the unique session identifier used to maintain the shopping cart, the customer login state, and the multi-step checkout context. |
| sid_key | Strictly necessary / Security | Session | Checksum used to validate that the session identifier was issued by this shop and has not been tampered with or forged. It is not a CSRF defence: a cross-site request carries the genuine cookies, so CSRF protection relies on a separate per-session form token, not on this cookie. |
| language | Strictly necessary / Preference | 1 year | Stores the visitor language preference so the shop displays the correct localised content on the next visit. |
| currency | Strictly necessary / Preference | 1 year | Stores the visitor currency preference for product prices and checkout totals. |
| oxid_basket | Strictly necessary / Cart | Up to 30 days | Persists the basket content for guest visitors between sessions so they can continue shopping without losing their selection. |
| oxid_admin_* | Strictly necessary / Admin | Session | Internal cookies set in the OXID administration backend for authenticated staff users. Not set on the public storefront. |
OXID eShop sets a small set of strictly necessary cookies: sid (session identifier), sid_key (session checksum), language, currency, and a basket persistence cookie. These are required for the shop to function and are exempt from consent under Art. 5(3) ePrivacy Directive and section 25(2) no. 2 TTDSG because they serve the service the visitor requested. Verify the exact names on your own installation, since they vary by OXID version, theme, and module set. Additional cookies come from modules (marketing, analytics, payment, captcha) and require consent.
For the strictly necessary cookies, no consent is required. For any marketing, analytics, personalisation, or social media module activated on the store, consent is required under TTDSG section 25 (Germany) and Art. 5(3) ePrivacy Directive. A Consent Management Platform (CMP) integrated with OXID eShop should gate those modules so that their scripts do not run, and their cookies are not set, until consent has been given.
Order processing relies on Art. 6(1)(b) GDPR (contract performance) for the purchase itself, and Art. 6(1)(c) for legal obligations (invoicing, tax retention up to 10 years under German HGB section 257). Marketing communications require either Art. 6(1)(a) consent or the strict customer-relationship exception of UWG section 7(3).
Not by itself. The platform is self-hosted, typically on EU infrastructure for German merchants. Transfers arise only from third-party modules (US payment gateways, US analytics, US marketing pixels). Choose EU-hosted modules or document SCCs for each US module.
A DPIA is recommended for stores with personalisation, recommendation engines, loyalty scoring, or marketplaces that handle large volumes of personal data. A basic B2C store with a small product catalogue and EU-hosted modules can usually rely on a documented Records of Processing Activities (RoPA) without a full DPIA.
Host the store in the EU, deploy a TTDSG-compliant CMP, audit every activated module for its data flows, prefer EU payment gateways (Mollie, Stripe with EU residency, Klarna), use Matomo or etracker for analytics, sign DPAs with each processor, keep a deletion workflow for customer accounts, and document everything in your RoPA.
Other EU-friendly self-hosted e-commerce platforms include Shopware (Germany), Shopgate Cloud, Spryker (Germany), Sylius (open source, France), Magento Open Source/Adobe Commerce, PrestaShop (France), and headless options like Saleor, Medusa, or Vendure.
List the core OXID cookies (sid, sid_key, language, currency, basket) in a strictly-necessary section. Then list each module-generated cookie with its name, purpose, duration, and category. Map each non-essential category to a CMP toggle so visitors can grant or refuse it. Revisit the list whenever a new module is activated.
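The cookie table above and the audit steps just described are something you can check mechanically: capture the Set-Cookie headers of a first, consent-less request to the storefront and compare them against the strictly-necessary allowlist. The script below is an added example and is not code from this page or from OXID eShop. It assumes the allowlist from the cookie table (sid, sid_key, language, currency, oxid_basket); the sample headers are constructed to mimic a shop with a Google Analytics and a Facebook Pixel module firing before consent, not captured from a real installation. It classifies each cookie, derives its lifetime, and also flags missing Secure, SameSite and HttpOnly attributes, which is the check a security reviewer would add to a pure compliance audit.

```python
"""Audit Set-Cookie headers from a pre-consent storefront response.

Added example, not part of the page or of OXID eShop. The allowlist comes
from the cookie table above; SAMPLE_HEADERS are constructed, not captured.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Cookie names the page lists as strictly necessary for the OXID core.
STRICTLY_NECESSARY = {"sid", "sid_key", "language", "currency", "oxid_basket"}
# Cookies that carry authentication state and must not be readable by scripts.
SESSION_COOKIES = {"sid", "sid_key"}

# Constructed sample: what a first GET of a storefront might return when a
# Google Analytics and a Facebook Pixel module are active and not gated by a CMP.
SAMPLE_NOW = datetime(2025, 10, 21, 7, 28, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sid=3f9c0d1e7a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "language=1; Max-Age=31536000; Path=/",
    "_ga=GA1.2.1234567890.1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "_fbp=fb.1.1700000000000.1; Max-Age=7776000; Path=/; SameSite=Lax",
]


@dataclass
class Finding:
    name: str
    category: str                   # "strictly necessary" or "consent required"
    lifetime_days: Optional[int]    # None means a session cookie
    issues: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value, attrs


def lifetime_days(attrs: dict, now: datetime) -> Optional[int]:
    """Max-Age takes precedence over Expires (RFC 6265 s5.3); neither means session."""
    if "max-age" in attrs:
        return max(int(attrs["max-age"]), 0) // 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return max((expires - now).days, 0)
    return None


def audit(headers: list, now: datetime, consent_given: bool = False) -> list:
    """Classify every cookie and record compliance and hardening issues."""
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        necessary = name in STRICTLY_NECESSARY
        finding = Finding(
            name,
            "strictly necessary" if necessary else "consent required",
            lifetime_days(attrs, now),
        )
        if not necessary and not consent_given:
            finding.issues.append("set before consent (TTDSG s25 / ePrivacy Art. 5(3))")
        if "secure" not in attrs:
            finding.issues.append("missing Secure")
        if "samesite" not in attrs:
            finding.issues.append("missing SameSite")
        if name in SESSION_COOKIES and "httponly" not in attrs:
            finding.issues.append("missing HttpOnly on session cookie")
        findings.append(finding)
    return findings


def consent_violations(findings: list) -> list:
    """Names of cookies that were set although consent had not been given."""
    return sorted(
        f.name for f in findings
        if any(issue.startswith("set before consent") for issue in f.issues)
    )


if __name__ == "__main__":
    results = audit(SAMPLE_HEADERS, SAMPLE_NOW)
    for f in results:
        life = "session" if f.lifetime_days is None else f"{f.lifetime_days} days"
        print(f"{f.name:<10} {f.category:<20} {life:<10} {'; '.join(f.issues) or 'ok'}")
    print("pre-consent violations:", consent_violations(results))
```

Feed it the real headers from your storefront (for example the Set-Cookie lines from a curl request made without any consent cookie) and treat every entry in the violations list as a module that the CMP is not gating. Run it again after each module activation, as the policy step above requires.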