OXID eShop Enterprise Edition is the commercial enterprise grade variant of the OXID eShop platform developed by OXID eSales AG in Freiburg, Germany. It targets mid market and enterprise B2B, B2C and B2B2C retailers with advanced features (multi store, multi language, B2B workflows, advanced personalisation and the OXID Cloud Connector). The platform sets strictly necessary cart and session cookies; the enterprise modules add analytics, recommendation, A/B testing and marketing cookies that require prior consent.
OXID eShop Enterprise Edition is the commercial enterprise grade variant of the German OXID eShop e-commerce platform developed by OXID eSales AG in Freiburg im Breisgau. It targets mid market and enterprise retailers needing advanced multi store, multi language and B2B workflow support, alongside a more integrated cloud connector and a long term support package. It is mainly deployed by manufacturers, wholesalers and B2B brands in Germany, Austria and Switzerland.
The platform sets strictly necessary cookies for PHP session (sid, sid_key), persistent basket (oxid_basket) and authentication. Enterprise modules add cookies for advanced personalisation, segmentation, A/B testing and integration with marketing automation. The back end processes the full order, customer account and B2B contract data with role based access control.
Session, cart and login cookies fall under the Article 5(3) ePrivacy strictly necessary exemption. Enterprise personalisation, segmentation, recommendation and marketing modules add non strictly necessary cookies that require prior consent under TTDSG in Germany and its equivalents elsewhere in the EU. Order, account and contract data are processed under contract performance and legitimate interest, with transparency obligations under Articles 13 and 14 GDPR.
Strictly necessary cookies and core processing rely on contract performance (Article 6(1)(b) GDPR). Marketing, personalisation and analytics rely on consent (Article 6(1)(a) GDPR). Fraud prevention and security rely on legitimate interest (Article 6(1)(f) GDPR). Statutory retention for tax and invoicing relies on legal obligation (Article 6(1)(c) GDPR). The merchant is the controller; OXID eSales AG is a processor only for paid support and managed services contracts.
OXID eShop Enterprise Edition is typically deployed on private German or EU hosting, sometimes on certified hyperscaler EU regions. Transfers outside the EEA only occur if the merchant chooses non EU payment providers, analytics or marketing modules. In that case, Standard Contractual Clauses or the EU US Data Privacy Framework apply and must be reflected in the privacy notice.
Inventory all modules installed on top of OXID eShop Enterprise Edition, classify the cookies they set in the CMP, keep cart and login cookies always on and gate the rest behind consent. Sign DPAs with all third party providers and document the EU hosting region. Run a DPIA when profiling, large scale B2C processing or sensitive product categories are involved, and align the deployment with the security and access control practices appropriate for enterprise data.
Websites using OXID eShop Enterprise Edition must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for OXID eShop Enterprise Edition deployments because the enterprise modules are typically combined with profiling, recommendation engines, marketing automation and integration with CDPs, which raises the scale and profiling triggers of Article 35 GDPR. Sensitive product categories or B2B workflows that include employee data also push the deployment towards a documented DPIA.
Sample consent text
Our online shop runs on OXID eShop Enterprise Edition, a German platform by OXID eSales AG. Strictly necessary cookies operate the shopping cart, login and checkout without requiring your consent. With your permission we also activate optional enterprise modules for analytics, recommendation and marketing that can share aggregated browsing data with our third party providers.
Third-party domains contacted
oxid-esales.com, enterprise.oxid-esales.com, exchange.oxid-esales.com, cloud.oxid-esales.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| sid | first_party | Session | PHP session identifier used by OXID eShop Enterprise to bind the visitor to a server side session holding cart and user state. |
| sid_key | first_party | Session | Validation key paired with sid to prevent session fixation. Strictly necessary. |
| oxid_basket | first_party | 30 days | Persistent shopping cart cookie that retains the basket between visits. |
| language | first_party | 12 months | Stores the language chosen by the visitor. |
| currency | first_party | 12 months | Stores the currency selected by the visitor in multi currency shops. |
| oxid_ee_personalization | first_party | 12 months | Set by enterprise personalisation modules to store segment membership and personalised content choices. Requires consent. |
OXID eShop Enterprise Edition uses cookies for user preferences — inform visitors with a consent banner.
The platform sets a PHP session cookie (sid, sid_key), a persistent basket cookie (oxid_basket) and an authentication cookie after sign in. Enterprise modules add cookies for personalisation, segmentation, A/B testing, recommendation and marketing automation, which are non strictly necessary.
No consent is required for the strictly necessary cookies (session, basket, login). Consent is required for the cookies introduced by enterprise modules (personalisation, A/B testing, marketing) under the ePrivacy implementations across the EU.
Contract performance for cart, login and order processing; consent for marketing, personalisation and analytics modules; legitimate interest for fraud prevention; legal obligation for tax and invoicing retention.
Not by default. The platform is self hosted or partner hosted, typically in Germany or the EU. Third country transfers only occur if the merchant chooses non EU sub providers (PSP, analytics, marketing), in which case Standard Contractual Clauses or the EU US Data Privacy Framework apply.
Recommended, because enterprise modules often combine profiling, recommendation and CDP integration, which meets several Article 35 GDPR criteria. Sensitive product categories or B2B workflows with employee data also raise the threshold.
Inventory all modules, classify cookies in your CMP, keep cart and login always on, gate the rest behind consent. Sign DPAs with third parties, document the EU hosting region, run a DPIA where appropriate, apply role based access control and align with security best practices.
SAP Commerce Cloud, Salesforce Commerce Cloud, Adobe Commerce, Spryker, commercetools, Shopware Enterprise (Germany). EU based alternatives such as Shopware Enterprise and commercetools simplify the transfer chain.
List the strictly necessary cookies with names and durations. List each module that introduces non strictly necessary cookies with purpose, retention and recipient. Reference the CMP for granular controls and mention any third country transfers triggered by the modules.