Data Erasure of Personal Data
In some countries, especially the ones in the European Union, you are required by law (such as the GDPR) to erase personal data of a customer on request, also known as Right to be Forgotten.
DELETE request may not clean up all data, both visible at the HTTP API layer (for example personal data may be part of messages) and invisible (the commercetools platform internally keeps logs for some time, to reconstruct data in case of faulty system behavior).
Endpoints that store personal data therefore offer a parameter for
DELETE requests called
dataErasure. If set to
true, the commercetools platform guarantees that all personal data related to the particular object, including invisible data, is erased, in compliance with the GDPR. You are, however, responsible for identifying and deleting all objects that belong to a customer, and deleting them.
The parameter is available for:
Personal data must not be stored in objects other than the ones listed above.