OXID eShop Community Edition is the free open source variant of the OXID eShop platform developed by OXID eSales AG in Freiburg, Germany. It is a PHP-based shop system used by thousands of German-speaking SMEs, with a modular architecture and a strong B2B and B2C feature set. Because OXID is self hosted, the privacy profile is largely controlled by the merchant: the core platform only sets strictly necessary cart and session cookies, but optional modules can introduce analytics, recommendation and marketing tags that need prior consent.
OXID eShop is a German e-commerce platform developed by OXID eSales AG, headquartered in Freiburg im Breisgau. The Community Edition is the free, open source variant released under the OSL 3.0 licence. It is widely used by SMEs in Germany, Austria and Switzerland for B2B, B2C and B2B2C scenarios. OXID eShop CE is a PHP and MySQL application that is installed on infrastructure controlled by the merchant, which gives the operator a high degree of control over hosting region, data flows and security measures.
A standard OXID eShop CE installation sets a PHP session cookie (typically named sid or sid_key), an authentication cookie once the user signs in, and a persistent basket cookie that retains the cart between visits. These cookies are first party and strictly necessary. The platform processes order data, addresses, payment metadata, customer accounts, support tickets and product browsing history. Optional modules from the OXID Exchange marketplace can add analytics, recommendation, marketing automation and chat features, with their own cookies and identifiers.
The session, cart and login cookies fall under the ePrivacy Article 5(3) strictly necessary exemption, so they do not require consent. Order and account data are processed under contract performance (Article 6(1)(b) GDPR) without needing consent, but with transparency obligations under Articles 13 and 14 GDPR. Analytics modules (Google Analytics, Matomo, Econda) and marketing modules (Google Ads, Meta Pixel, Criteo) introduce cookies that are not strictly necessary and therefore require prior consent under section 25 TTDSG in Germany or its equivalents in other EU states.
The session, cart and authentication cookies rely on contract performance and the ePrivacy strictly necessary exemption. Marketing, personalisation and analytics modules rely on consent under Article 6(1)(a) GDPR. Fraud prevention features (PSP risk scoring, address validation services) usually rest on legitimate interest (Article 6(1)(f) GDPR) with a documented balancing test. The merchant is always the controller; OXID eSales AG is not a processor by default because the platform is self hosted, but commercial support contracts may make it a processor for specific operations.
Because OXID eShop CE is self hosted, all transfers to third countries originate from choices made by the merchant: the hosting provider (often a German or Austrian web host with EU only data centres), the payment service provider, the shipping carrier, the analytics module and the marketing automation tool. A merchant who selects EU only hosting and EU only payment, analytics and CRM modules can run an OXID shop without any non EEA personal data transfer at all, which simplifies the privacy notice considerably.
Inventory the modules installed on top of OXID eShop CE and classify each set of cookies into strictly necessary, functional, analytics and marketing. Keep cart, login and basket cookies always on, and block all non essential modules until consent is granted through a CMP. Map the third party providers (PSP, carriers, marketing tools) in your records of processing activities, sign DPAs with each of them and document the hosting region. Run a DPIA when the shop combines profiling with sensitive product categories.
DPIA considerations
A DPIA is normally not required for a standard OXID eShop Community Edition installation focused on order processing, because the core data flows fall under contract performance and are usually hosted inside the EEA on infrastructure controlled by the merchant. A DPIA should be considered when the merchant adds large scale profiling modules, behavioural recommendation, loyalty programmes that build long term customer profiles, or sells sensitive product categories.
Sample consent text
Our online shop runs on OXID eShop Community Edition, a German open source platform by OXID eSales AG. Strictly necessary cookies are used to operate the shopping cart, login and checkout; they do not require your consent. With your permission we also activate optional analytics, recommendation and marketing modules that can share aggregated browsing data with our third party providers.
Third-party domains contacted
oxid-esales.com
oxidforge.org
exchange.oxid-esales.com
github.com/OXID-eSales
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sid | first_party | Session | PHP session identifier set by OXID eShop to bind the visitor to a server side session that holds the shopping cart and user state. |
| sid_key | first_party | Session | Validation key paired with sid to prevent session fixation attacks. Strictly necessary for the checkout flow. |
| oxid_basket | first_party | 30 days | Persistent cart cookie used by OXID to retain the basket between visits and reattach it after the session expires. |
| language | first_party | 12 months | Stores the storefront language chosen by the visitor so that the shop is rendered in the same language on subsequent visits. |
| currency | first_party | 12 months | Stores the currency selected by the visitor in shops configured with multiple currencies. |
| displayedCookiesNotification | first_party | 12 months | Stores the dismissal state of the basic OXID cookie notification; replaced by the CMP cookie when a fully featured CMP is integrated. |
By default OXID eShop Community Edition sets a session cookie (sid or sid_key) used to bind the visitor to a PHP server session, a basket cookie that persists the cart between visits, and an authentication cookie after sign in. Optional modules from the OXID Exchange or third party providers can add analytics, A/B testing, recommendation and marketing cookies, which are not strictly necessary.
Consent is not required for the strictly necessary cookies (session, cart, login) because they fall under the Article 5(3) ePrivacy strictly necessary exemption. Consent is required for analytics, A/B testing, recommendation and marketing modules installed on top of OXID. These tags must remain blocked until the visitor opts in through a compliant CMP.
Account creation, login, checkout and order fulfilment are based on contract performance (Article 6(1)(b) GDPR). Marketing communications, behavioural personalisation and analytics modules are based on consent (Article 6(1)(a) GDPR). Fraud prevention and security can rely on legitimate interest (Article 6(1)(f) GDPR) with a documented balancing test. Tax and invoicing retention is based on legal obligation (Article 6(1)(c) GDPR).
OXID eShop CE is self hosted, so whether data leaves the EEA is entirely under the merchant's control. A typical setup with EU hosting, an EU payment provider and EU analytics keeps the entire data flow inside the EEA. Transfers to the United States only occur if the merchant chooses US based modules or providers (Google Analytics, Meta Pixel, Stripe, Salesforce, HubSpot), in which case Standard Contractual Clauses or the EU-US Data Privacy Framework must be relied on.
A DPIA is not generally required for a standard installation focused on order processing. It becomes recommended when the merchant adds large scale profiling modules, integrates with a CDP, sells sensitive product categories (health, pharmacy, financial services) or implements loyalty programmes that build long term customer profiles, because these scenarios meet several Article 35 GDPR criteria.
Choose an EU hosting provider, classify the cookies generated by the core platform and each module in your CMP, keep cart and login cookies always on and block non essential modules behind consent. Sign DPAs with each third party provider (PSP, fulfilment, analytics, marketing) and document the third country transfers if any. Implement role based access in the admin back end and run a DPIA when triggered by Article 35 GDPR criteria.
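The cookie inventory step above (classify core and module cookies, keep the strictly necessary ones, block the rest until consent) can be checked against a real pre-consent page load. The following is an added example, not OXID code: it parses Set-Cookie headers, classifies each cookie using the names from the cookie table on this page, flags anything outside the core allow-list as a module cookie that must stay behind consent, and also reports session cookies set without Secure or HttpOnly. The sample headers are constructed.

```python
"""Audit Set-Cookie headers captured from an OXID eShop CE page load before consent.
Example code, not part of OXID; the sample headers below are constructed."""

# Core cookies from the table on this page, mapped to their consent category.
KNOWN_COOKIES = {
    "sid": "necessary",
    "sid_key": "necessary",
    "oxid_basket": "necessary",
    "language": "functional",
    "currency": "functional",
    "displayedCookiesNotification": "functional",
}
# Session cookies that should carry Secure and HttpOnly to limit theft/fixation risk.
SESSION_COOKIES = {"sid", "sid_key"}

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lowercase attribute names."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return {"name": name.strip(), "value": value, "attrs": attrs}

def audit(headers: list) -> list:
    """Return one finding per cookie: its category and any issues to fix before go-live."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        category = KNOWN_COOKIES.get(cookie["name"], "unknown")
        issues = []
        if category == "unknown":
            issues.append("not in core allow-list: module cookie, must be blocked until consent")
        if cookie["name"] in SESSION_COOKIES:
            for flag in ("secure", "httponly"):
                if flag not in cookie["attrs"]:
                    issues.append(f"session cookie missing {flag}")
        findings.append({"name": cookie["name"], "category": category, "issues": issues})
    return findings

# Constructed sample of what a pre-consent page load might set (not a real capture).
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sid_key=def456; Path=/; Secure",
    "oxid_basket=xyz; Path=/; Max-Age=2592000; Secure",
    "_ga=GA1.2.1234; Path=/; Max-Age=63072000",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding["name"], finding["category"], finding["issues"])
```

Feed it the Set-Cookie headers from a browser's network log or a curl -i run against the storefront before clicking any consent button; any cookie reported as unknown is a module cookie that the CMP must hold back.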
For self hosted PHP open source e-commerce, the closest alternatives are Magento Open Source (Adobe), PrestaShop, Shopware Community Edition and WooCommerce. EU based and German-friendly alternatives include Shopware (Germany), PrestaShop (France) and Sylius (France). For SaaS, Shopify, BigCommerce and Lightspeed eCom are mainstream options with different privacy profiles.
List the strictly necessary cookies (session, cart, login) with their names and durations and explain the ePrivacy exemption. List each module that introduces additional cookies (analytics, recommendation, marketing) with purpose, retention and recipient, and link to your CMP for granular controls. Mention any third country transfers triggered by the modules in the privacy notice with the applicable transfer mechanism.