Shopware is a leading German ecommerce platform with a community open source edition and commercial Cloud and Enterprise tiers. The Cloud is hosted in Frankfurt and Belgium, fully under German DPA oversight. It sets strictly necessary cookies and requires consent for analytics and marketing extensions.
Shopware is a major German ecommerce platform with roots in the early 2000s. Shopware 6, released in 2019, is a modern API first PHP and Symfony based platform with a Vue.js admin and a Twig storefront. The product line includes Shopware 6 Community (open source, free, self hosted), Shopware 6 Professional and Enterprise (commercial, self hosted) and Shopware Commercial Cloud (managed PaaS). The Shopware Store offers more than 5,000 extensions covering payment, shipping, marketing, ERP integration and design.
Strictly necessary: session- (session, basket and login), csrf_token (session, CSRF protection), sw-cache-hash (1 year, cache invalidation), sw-states (session, cookie banner state), shopware6CookieConsent (1 year, stores the consent choices made on the built in cookie banner). With Shopware native analytics (Shopware Analytics) activated: sw-tracking-* cookies for behavioural tracking. Store extensions add their own cookies depending on the integration (Mailchimp, Klaviyo, Google Analytics, Facebook Pixel, Trusted Shops).
The strictly necessary cookies are exempt under ePrivacy art. 5(3) and German TTDSG paragraph 25. The Shopware native cookie banner is preconfigured with the German TTDSG categories (technisch erforderlich, statistik, marketing) and provides a Granular Consent UI. The newsletter subscription requires a double opt in under the German UWG, which Shopware ships as the default behaviour. The customer account, the order history and the invoicing rely on contract and legal obligation bases. Shopware native analytics and any third party Store extension require consent.
Shopware Commercial Cloud runs on Google Cloud Frankfurt and Belgium by default. Self hosted installations run where the merchant deploys them, typically on a German or European host (Hetzner, IONOS, Mittwald, Plus.Line, Cloudways with EU region). shopware AG, headquartered in Schöppingen near Münster, is supervised by the North Rhine Westphalia DPA. The Boston US office handles a portion of customer success and engineering, with SCC 2021 in place for any incidental transfer.
Pick the Cloud EU region or a German host for self hosted, sign the shopware AG Auftragsverarbeitungsvertrag, activate the Shopware cookie banner with the TTDSG categories, configure the double opt in newsletter under UWG, audit cookies after each Store extension install, document the chain in your record of processing under GDPR art. 30, and train support on the Shopware customer account DSAR self service flow.
Websites using Shopware must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for a Shopware 6 store with strictly necessary cookies only. A DPIA is recommended when the Shopware native analytics, the Customer Account product reviews, the Shopware Email Marketing or any third party extension from the Shopware Store (Mailchimp, Klaviyo, Google Analytics, Facebook Pixel, Trusted Shops, eKomi) is activated. The DPIA should document the EU hosting choice (Cloud) or the merchant infrastructure (self hosted), the retention of order history, the double opt in flow for the newsletter and the legal basis for each marketing flow.
Sample consent text
Our store runs on Shopware 6 by shopware AG (Germany). Strictly necessary cookies (session-, csrf_token, sw-cache-hash, sw-states) keep your basket and your session working without consent. With your consent we activate the Shopware native analytics, the marketing extensions from the Shopware Store, the personalisation features and the double opt in newsletter under the German UWG. Data is hosted in the European Union (Cloud) or on our own infrastructure (self hosted). You can accept, refuse or withdraw at any time.
Third-party domains contacted
shopware.com, shopware.store, shopware.de, sbp.shopware.com, account.shopware.com, store.shopware.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| session- | First party (Shopware 6) | Session | Stores the shopping basket and the customer login session for the Shopware 6 storefront |
| csrf_token | First party (Shopware 6) | Session | CSRF protection token for the storefront and the customer account forms |
| sw-cache-hash | First party (Shopware 6) | 1 year | Stores the cache version hash used to invalidate cached pages when the catalogue or context changes |
| sw-states | First party (Shopware 6) | Session | Stores transient UI states such as the cookie banner display state |
| shopware6CookieConsent | First party (Shopware 6 cookie banner) | 1 year | Stores the visitor consent choices made on the Shopware native cookie banner per TTDSG categories |
| sw-tracking-* | First party (Shopware Analytics, optional) | Persistent | Set when the Shopware native analytics module is activated; tracks behavioural data for merchant analytics |
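One way to run the "audit cookies after each Store extension install" step against the cookie table above. This is an added example, not Shopware or shopware AG code: it checks captured `Set-Cookie` values for names missing from the table, consent-category cookies set before consent, and lifetimes longer than documented. The sample headers, the `sw-tracking-visit` name and the prefix matching for `session-` and `sw-tracking-*` are assumptions.

```python
from fnmatch import fnmatchcase

YEAR = 366 * 24 * 3600

# (name pattern, category, documented lifetime in seconds; None = session cookie).
# Names, categories and durations follow the cookie table above. Treating
# "session-" and "sw-tracking-*" as name prefixes is an assumption.
COOKIE_TABLE = [
    ("session-*", "necessary", None),
    ("csrf_token", "necessary", None),
    ("sw-cache-hash", "necessary", YEAR),
    ("sw-states", "necessary", None),
    ("shopware6CookieConsent", "necessary", YEAR),
    ("sw-tracking-*", "consent", float("inf")),  # "Persistent": no cap checked
]

# Constructed Set-Cookie values, as if captured before any banner click.
SAMPLE = [
    "session-=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "sw-cache-hash=9f2c; Max-Age=31536000; Path=/",
    "sw-tracking-visit=1; Max-Age=2592000; Path=/",
    "_fbp=fb.1.1700000000.1; Max-Age=7776000; Path=/",
    "sw-states=cookieBannerShown; Max-Age=86400; Path=/",
]

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, lowercased attribute dict)."""
    first, *rest = [p.strip() for p in header.split(";")]
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in rest)}
    return first.split("=", 1)[0], attrs

def audit(headers, consent_given=False):
    """Return (cookie name, finding) pairs for the given Set-Cookie values."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        match = next((row for row in COOKIE_TABLE if fnmatchcase(name, row[0])), None)
        if match is None:
            findings.append((name, "not in the documented cookie table"))
            continue
        _, category, lifetime = match
        if category == "consent" and not consent_given:
            findings.append((name, "consent-category cookie set before consent"))
        max_age = attrs.get("max-age", "")
        if lifetime is None and ("max-age" in attrs or "expires" in attrs):
            findings.append((name, "documented as a session cookie but carries an expiry"))
        elif lifetime is not None and max_age.isdigit() and int(max_age) > lifetime:
            findings.append((name, "lifetime exceeds the documented duration"))
    return findings
```

Run it once on headers captured before any banner interaction and once after accepting all categories; anything still reported in the second run belongs in the cookie declaration or the extension review.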
Shopware uses cookies for user preferences — inform visitors with a consent banner.
Strictly necessary: session- (session), csrf_token (session), sw-cache-hash (1 year), sw-states (session), shopware6CookieConsent (1 year, consent state). With Shopware Analytics: sw-tracking-* cookies. Store extensions add their own cookies depending on the integration (Mailchimp, Klaviyo, Google Analytics, Facebook Pixel, Trusted Shops).
Strictly necessary cookies do not need consent under ePrivacy art. 5(3) and German TTDSG paragraph 25. Consent is required for Shopware native analytics, the newsletter (double opt in under UWG) and any Store extension that loads tracking. The Shopware cookie banner handles the German TTDSG categories natively.
Contract (GDPR art. 6(1)(b)) and legal obligation (art. 6(1)(c)) for orders and invoices. Legitimate interest (art. 6(1)(f)) and ePrivacy art. 5(3) exemption for the session cookies. Consent (art. 6(1)(a)) for Analytics and marketing extensions. UWG explicit opt in for the newsletter.
For the Cloud edition: no, data stays on Google Cloud Frankfurt and Belgium. For self hosted: only where the merchant deploys. Limited transfers to the shopware AG Boston office under SCC 2021. The platform is German with North Rhine Westphalia DPA oversight.
Usually no for a Shopware store with strictly necessary cookies only. Recommended when Shopware Analytics, Customer Account product reviews, Email Marketing or third party Store extensions are activated.
Pick the Cloud EU region or a German host for self hosted, sign the shopware AG AVV, activate the Shopware cookie banner with TTDSG categories, configure double opt in newsletter under UWG, audit cookies after Store extension installs, document the chain in your record of processing.
Other EU ecommerce platforms: Shopify (Canada with EU sub processors), Adobe Commerce (Magento), Sylius (Poland), Saleor (Poland), Commercetools (Germany), Spryker (Germany), Salesforce Commerce Cloud, BigCommerce (US), Centra (Sweden), PrestaShop (France). Shopware, Commercetools and Spryker are the most German centric.
List shopware AG (Germany) as the data processor for Cloud edition (or just yourself for self hosted), declare the strictly necessary cookies and the consent based cookies separately, mention the German DPA jurisdiction, link to the Shopware Datenschutzerklärung and document the Store extensions used in your sub processor list.