GDPR compliance

This document explains how commercetools supports merchants in deleting the personal data of customers in compliance with the European Union's General Data Protection Regulation (GDPR).

If a customer asks for a complete record of their personal data collected by you, the merchant, refer to our resources supporting the storage of personal data. This document outlines the retrieval and deletion of such data in a manner compliant with GDPR. As a merchant, please review your data model carefully to ensure that no other Composable Commerce resource (for example Product or Category) contains or refers to personal data.

This document is informational and does not constitute legal advice.

Retrieval of collected data

For each of the resources supporting the storage of personal data, it is possible to conduct customer-specific retrievals. Here is an overview of the retrievals that need to be performed:

To ease the retrieval process, commercetools offers a data erasure tool available on GitHub. This open-source NodeJS tool facilitates bulk retrieval for all listed resources and is customizable to fit your specific data model, including Custom Objects and Types.

Data erasure of personal data

If a customer exercises their right to be forgotten and requests the deletion of their data, be aware that a standard DELETE request might not remove all data. For example, a DELETE request does not erase personal data that is part of Messages or that is held in the logs commercetools keeps internally for some time to reconstruct data in case of faulty system behavior.
To ensure GDPR compliance, Composable Commerce offers a dataErasure parameter in DELETE requests. When set to true, it ensures the removal of all personal data related to the object, including Messages and internal logs.

Here are the endpoints for GDPR-compliant deletion (set dataErasure=true):

Use the open-source NodeJS tool for bulk deletion and customization for Custom Objects and Types.
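
The following is an added example, not code from commercetools or from the data erasure tool: it builds a DELETE URL that always carries dataErasure=true and checks a request log for DELETE calls that would leave Messages and internal logs untouched. The host, the customers path layout, the version parameter, and the sample log are assumptions made for illustration.

```javascript
// Added example. The host, the path layout, the version parameter and all
// sample data are assumptions; only dataErasure=true comes from the page.
const API_HOST = "https://api.example.invalid"; // placeholder host

// Build a DELETE URL that always carries dataErasure=true.
function erasureUrl(projectKey, resourcePath, id, version) {
  const path = [projectKey, resourcePath, id].map(encodeURIComponent).join("/");
  const url = new URL(`/${path}`, API_HOST);
  url.searchParams.set("version", String(version));
  url.searchParams.set("dataErasure", "true");
  return url.toString();
}

// Return the DELETE requests in a request log that would not trigger erasure.
// Conservative check (an assumption): exactly one dataErasure parameter,
// spelled as on the page, with the value "true".
function findNonErasingDeletes(requests) {
  return requests.filter(({ method, url }) => {
    if (method.toUpperCase() !== "DELETE") return false;
    const values = new URL(url).searchParams.getAll("dataErasure");
    return values.length !== 1 || values[0] !== "true";
  });
}

// Constructed request log for one erasure job (not real traffic).
const SAMPLE_LOG = [
  { method: "DELETE", url: erasureUrl("demo-project", "customers", "cust-1", 3) },
  { method: "DELETE", url: `${API_HOST}/demo-project/customers/cust-2?version=1` },
  { method: "DELETE", url: `${API_HOST}/demo-project/customers/cust-3?version=2&dataErasure=false` },
  { method: "DELETE", url: `${API_HOST}/demo-project/customers/cust-4?version=5&dataerasure=true` },
  { method: "GET", url: `${API_HOST}/demo-project/customers/cust-1` },
];

for (const { url } of findNonErasingDeletes(SAMPLE_LOG)) {
  console.log(`DELETE without dataErasure=true: ${url}`);
}
```

A check like this can run over the request log of an erasure job before the job is reported as complete, so that a plain DELETE is caught while the resource version is still known.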

Traceability of collected data

If a customer requires evidence of actions taken on their data, contact support with a request that includes the Customer ID and the resource identifiers for which the change history is needed. Our support team will provide a list of Messages documenting individual changes to each resource.

For any changes performed on a resource within the Merchant Center after 25 May 2018, Change History will include the User ID of the individual who performed the change.