Home Kennisbank Privacyrecht Can an online store sell my personal information? | Claim.Cafe
Privacyrecht

Can an online store sell my personal information? | Claim.Cafe

Redactie 5 min read 25 Mar 2026 4 times read
Kort antwoord

No, an online store is not allowed to simply sell your personal information. The General Data Protection Regulation (GDPR) prohibits this unless you have given explicit permission. If you do not do this, the webshop is violating the law and you can take action.

Can an online store sell my personal information?

No, an online store is not allowed to simply sell your personal information. The General Data Protection Regulation (GDPR) prohibits this unless you have given explicit permission. If you do not do this, the webshop is violating the law and you can take action.

Last checked: March 2026. Legal information may change — always check the current legislation onwetten.nl.

What does the law say?

Europe has a strict privacy law: the General Data Protection Regulation, also known as the GDPR. In English this is called the GDPR. This law regulates how companies handle your personal data. Think of your name, address, email address, telephone number and payment details.

The core of the GDPR is simple: a company may only use your data if there is a valid reason for doing so. These reasons are listed in the law. The best-known reason is permission — you explicitly indicate that you agree. But there are also other reasons, such as the execution of an agreement (you have ordered something) or a legal obligation.

Selling your data to a third party — for example a marketing company or an insurer — is normally not automatically included. A webshop needs your separate, explicit permission for this. That consent must be freely given. That means: you cannot be forced. You must also be able to easily withdraw your consent.

The GDPR is laid down in European legislation and further elaborated in the Dutch GDPR Implementation Act. You can find the text of this onwetten.nl. The Dutch Data Protection Authority (AP) is the Dutch supervisory authority. The AP can impose fines on companies that violate the GDPR. These fines can amount to tens of millions of euros.

Article 6 of the GDPR (check this article onwetten.nl for the most current version) describes the six bases on which processing of personal data is permitted. Sale of data to third parties is rarely automatically included. Article 7 of the GDPR (check this article onwetten.nl for the most current version) regulates the conditions for consent. That consent must be demonstrable. An online store must be able to prove that you said yes.

In short: the law is clear. Your data is yours. An online store is not allowed to do whatever it wants with it.

When does this apply to you?

These rules apply to you as soon as you buy something from an online store that is active in the European Union. It does not matter whether the webshop is located in the Netherlands or in another EU country. Even web shops outside the EU must follow the GDPR if they offer products or services to people in Europe.

Suppose you have created an account with a Dutch webshop. You have entered your name, address and email address. The webshop forwards that data to an advertising company without you knowing. This is a violation of the GDPR, unless you have given permission for this.

But please note: consent must be clear. A small box at the bottom of a registration form that is already checked does not count. The GDPR requires that consent must be actively given. You have to check that box yourself. And you must know what exactly you are giving permission for.

Do you recognize one of these situations?

  • You suddenly receive emails from companies you have never purchased anything from.
  • You will see personalized advertisements that refer to your purchases elsewhere.
  • You receive mail from parties that should not know your address.

Then there is a good chance that your data has been shared or sold without your permission. This is not normal and you do not have to accept it.

Even if you have given permission, you always have the right to withdraw that permission. This is stated in Article 7 of the GDPR (check this article onwetten.nl for the most current version). After withdrawal, the webshop may no longer use your data for that purpose.

Step-by-step plan — what can you do now?

  1. Check the privacy statement of the webshop. This is mandatory and must clearly explain what happens to your data. Is there nothing about sales to third parties? Then it is not allowed.
  2. Submit a request for access. You have the right to know what information the webshop has about you. Send an email and request this. The webshop must respond within one month.
  3. Withdraw your consent. If you have ever consented to data sharing, please send an email to withdraw that consent. Keep a copy of that email.
  4. Request deletion of your data. This is called the "right to be forgotten". You can ask for your details to be complete