Tutorial

This tutorial explains how commercetools supports merchants to be compliant with EU’s General Data Protection Regulations (GDPR).
Please note that this tutorial does not constitute legal advice.

Resources Supporting the Storage of Personal Data

If a customer contacts you as a merchant and requests to receive a complete list of all personal data which has been collected by you, you have to be aware of the following commercetools resources that may contain or refer to customer data:

You furthermore have to take into consideration any Custom Types containing customer data for any customizable resource which you may have defined in your data model.

In the following, it will be explained how the resources mentioned in this paragraph can be retrieved and ultimately erased in a GDPR compliant manner. As a merchant, please review your data model carefully to ensure that no other commercetools resource, such as e.g. Product or Category, contains or refers to personal data.

Retrieval of Collected Data

For each of the resource listed above, it is possible to conduct customer specific retrievals. Here is an overview of the retrievals needed to be performed:

Tool

To ease the retrieval process, commercetools has made a tool available on Github. Using this NodeJS tool, you can perform a bulk retrieval across all the listed resources. We have made it open source, so you can customize the retrieval in regards to your specific data model pertaining to Custom Objects and Custom Types.

Request to Erase Collected Data

Should a customer execute on “the right to be forgotten”, i.e. make the request to have all collected data erased, it is important to be aware that a default DELETE request may not clean up all data. A DELETE request will e.g. not erase personal data that are part of Messages, or from the logs that commercetools keeps internally for some time in order to reconstruct data in case of faulty system behavior.
To erase in a GDPR-compliant manner, commercetools therefore offers a parameter for DELETE requests called dataErasure. If set to TRUE, the commercetools platform guarantees that all personal data related to the particular object, including Messages as well as internally logged data, are erased.

For an overview, here are the documentation links for the individual delete actions. To erase in a GDPR-compliant manner, dataErasure=TRUE must be set:

Tool

As with the retrieval of customer related data, the open source NodeJS tool allows you to perform the delete actions in a bulk fashion, and you can customize it in regards to the Custom Objects and Custom Types of your data model.

Request to Access Traceability of Collected Data

Should a customer request of you to show the traceability of actions taken against the collected data, you will have to contact https://support.commercetools.com and submit a request for this. The request will need to include the Customer ID as well as all the resource identifiers for which the change history is needed. Our support team will then make sure that you get a list of Messages capturing the individual changes to each resource.

For any changes performed on a resource within the Merchant Center after 5/25/2018, the change history will include the User ID that performed the change.