24 May 2018
Enhancement
Privacy

In some countries, especially the ones in the European Union, you are required by law (such as the GDPR) to erase personal data of a customer on request, also known as Right to be Forgotten.

A default DELETE request may not clean up all data, both visible at the HTTP API layer (for example personal data may be part of messages) and invisible (commercetools Composable Commerce internally keeps logs for some time, to reconstruct data in case of faulty system behavior).

Endpoints that store personal data therefore offer a parameter for DELETE requests called dataErasure. If set to true, commercetools Composable Commerce guarantees that all personal data related to the particular object, including invisible data, is erased, in compliance with the GDPR. You are, however, responsible for identifying and deleting all objects that belong to a customer, and deleting them.

The parameter is available for:

  • Customers
  • Orders
  • Carts
  • Payments
  • ShoppingLists
  • Reviews
  • Discount Codes
  • CustomObjects

Personal data must not be stored in objects other than the ones listed above.