GDPR compliance
This document explains how commercetools supports merchants in deleting the personal data of customers in compliance with the European Union's Data Protection Regulation (GDPR).
If a customer asks for a complete record of their personal data collected by you, the merchant, refer to our resources supporting the storage of personal data. This document outlines the retrieval and deletion of such data in a manner compliant with GDPR. As a merchant, please review your data model carefully to ensure that no other Composable Commerce resource (for example Product or Category) contains or refers to personal data.
This document is informational and does not constitute legal advice.
Retrieval of collected data
For each of the resources supporting the storage of personal data, it is possible to conduct customer-specific retrievals. Here is an overview of the retrievals needed to be performed:
- Customer: Get Customer
- Cart: Get Cart by Customer ID
- Order: Query Order using Customer ID in Predicate
- Payment: Query Payment using Customer ID in Predicate
- Review: Query Review using Customer ID in Predicate
- Shopping List: Query ShoppingLists using Customer ID in Predicate
- Discount Code: Query CartDiscounts with Discount Code required where Cart Predicate contains Customer ID
- Custom Object: Query CustomObjects with reference to the customer-related identifier in Predicate
- Message: Query Messages for all resource identifiers returned from the above queries
- Business Unit: Query BusinessUnit checking for a matching Customer ID in the Associates of the Business Unit using a Predicate
- Quote: Query Quotes using Customer ID in Predicate
- Quote Request: Query QuoteRequests using Customer ID in Predicate
- Staged Quote: Query StagedQuotes using Customer ID in Predicate
To ease the retrieval process, commercetools offers a data erasure tool available on GitHub. This open-source NodeJS tool facilitates bulk retrieval for all listed resources and is customizable to fit your specific data model, including Custom Objects and Types.
Data erasure of personal data
If a customer exercises their right to be forgotten, requesting the deletion of their data, be aware that a standard DELETE request might not remove all data. A DELETE request will for example not erase personal data that are part of Messages, or from the logs that commercetools keeps internally for some time to reconstruct data in case of faulty system behavior.
To ensure GDPR compliance, Composable Commerce offers a dataErasure parameter in DELETE requests. When set to true, it ensures the removal of all personal data related to the object, including Messages and internal logs.
Here are the endpoints for GDPR-compliant deletion (set dataErasure=true):
- Delete Customer
- Delete Cart
- Delete Order
- Delete Payment
- Delete Review
- Delete ShoppingList
- Delete DiscountCode
- Delete CustomObject
- Delete BusinessUnit
- Delete Quote
- Delete QuoteRequest
- Delete StagedQuote
Use the open-source NodeJS tool for bulk deletion and customization for Custom Objects and Types.
Traceability of collected data
If a customer requires evidence of actions taken on their data, contact support with a request that includes the Customer ID and the resource identifiers for which the change history is needed. Our support team will provide a list of Messages documenting individual changes to each resource.
For any changes performed on a resource within the Merchant Center after 25 May 2018, Change History will include the User ID of the individual who performed the change.