Deleting Personal Data of Customers in Compliance with the European Union's Data Protection Regulation

This tutorial explains how commercetools supports merchants in complying with the EU's General Data Protection Regulation (GDPR).

Please note that this tutorial does not constitute legal advice.

If a customer contacts you as a merchant and requests a complete list of all personal data you have collected about them, you need to know which resources can store personal data. The same knowledge is needed when the customer later asks for that data to be erased.

The following sections explain how the resources that can hold personal data are retrieved and ultimately erased in a GDPR-compliant manner. As a merchant, please review your data model carefully to ensure that no other commercetools Composable Commerce resource (for example Product or Category) contains or refers to personal data, for instance through Custom Fields.

Retrieval of Collected Data

For each of the resources that can store personal data, it is possible to run a customer-specific retrieval. Here is an overview of the retrievals that need to be performed:


To ease the retrieval process, commercetools has made a tool available on GitHub. With this Node.js tool you can perform a bulk retrieval across all the listed resources. It is open source, so you can adapt the retrieval to the Custom Objects and Custom Types of your own data model.

Request to Erase Collected Data

Should a customer exercise the right to be forgotten and request that all collected data be erased, be aware that a default DELETE request does not clean up all data. A plain DELETE will not, for example, erase personal data contained in Messages, or in the logs that commercetools keeps internally for a limited time in order to reconstruct data after faulty system behavior.
To erase in a GDPR-compliant manner, commercetools Composable Commerce therefore offers a query parameter on DELETE requests called dataErasure. If it is set to true (dataErasure=true), commercetools Composable Commerce guarantees that all personal data related to that particular object, including Messages as well as internally logged data, are erased. Note that deleting one resource does not cascade to the others: each resource that references the customer has to be deleted with its own dataErasure=true request.

For an overview, here are the documentation links for the individual delete actions. To erase in a GDPR-compliant manner, dataErasure=true must be set on each of them:


As with the retrieval of customer-related data, the open-source Node.js tool lets you perform the delete actions in bulk, and you can adapt it to the Custom Objects and Custom Types of your data model.
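The following is an added example in Node.js; it is not code from this page, from the commercetools API client, or from the GitHub tool mentioned above. It shows the two steps the previous sections describe: building the customer-scoped retrieval queries, then building and sending the DELETE requests with dataErasure=true, with a guard that refuses any DELETE missing the parameter and a read-before-delete so the required version parameter is current. The API host, the list of resource types and their where-predicates (customerId for carts and orders, customer(id=...) for payments, reviews and shopping lists), and the fake in-memory transport are assumptions made for the example; adjust them to your own data model.

```javascript
// Added example (not code from the commercetools tool or API client): build the
// per-customer retrieval queries and the dataErasure=true DELETE requests for a
// GDPR erasure run. Assumptions (not from the page): the API host, the resource
// list and its `where` predicates, and the fake synchronous transport below.

const API_BASE = "https://api.europe-west1.gcp.commercetools.com"; // assumed region host

// Resource types assumed to hold personal data, each with the query predicate
// that scopes it to one customer. Extend this for your own Custom Objects and
// Custom Types; the page leaves that to the merchant's data model.
const CUSTOMER_SCOPED_RESOURCES = {
  carts: (id) => `customerId="${id}"`,
  orders: (id) => `customerId="${id}"`,
  payments: (id) => `customer(id="${id}")`,
  reviews: (id) => `customer(id="${id}")`,
  "shopping-lists": (id) => `customer(id="${id}")`,
};

// Step 1, retrieval: the customer itself plus one filtered GET per resource type.
function buildRetrievalRequests(projectKey, customerId) {
  const requests = [
    { method: "GET", url: `${API_BASE}/${projectKey}/customers/${customerId}` },
  ];
  for (const [resource, predicate] of Object.entries(CUSTOMER_SCOPED_RESOURCES)) {
    const url = new URL(`${API_BASE}/${projectKey}/${resource}`);
    url.searchParams.set("where", predicate(customerId));
    requests.push({ method: "GET", url: url.toString() });
  }
  return requests;
}

// Step 2, erasure: a DELETE needs the resource's current version, and for GDPR
// it must carry dataErasure=true so Messages and internal logs are purged too.
function buildErasureRequest(projectKey, resource, id, version) {
  const url = new URL(`${API_BASE}/${projectKey}/${resource}/${id}`);
  url.searchParams.set("version", String(version));
  url.searchParams.set("dataErasure", "true");
  return { method: "DELETE", url: url.toString() };
}

// Guard: a plain DELETE without dataErasure=true is the mistake the page warns about.
function isErasureCompliant(request) {
  if (request.method !== "DELETE") return false;
  return new URL(request.url).searchParams.get("dataErasure") === "true";
}

// Erase one resource. Read it first to learn the current version (a stale
// version is rejected with 409), then send the compliant DELETE. `transport`
// is a synchronous function (request) => { status, body } so the example runs
// offline; a real client would be async and authenticated.
function eraseResource(transport, projectKey, resource, id) {
  const current = transport({
    method: "GET",
    url: `${API_BASE}/${projectKey}/${resource}/${id}`,
  });
  if (current.status === 404) return { resource, id, status: "already-gone" };
  const req = buildErasureRequest(projectKey, resource, id, current.body.version);
  if (!isErasureCompliant(req)) throw new Error("refusing DELETE without dataErasure=true");
  const res = transport(req);
  if (res.status !== 200) throw new Error(`DELETE ${resource}/${id} failed with ${res.status}`);
  return { resource, id, status: "erased" };
}

// Constructed fake transport: one project holding a single cart at version 7.
// It enforces the version check that the real API performs on DELETE.
function makeFakeTransport() {
  const store = { "carts/c-1": { id: "c-1", version: 7 } };
  return (req) => {
    const url = new URL(req.url);
    const key = url.pathname.split("/").slice(2).join("/"); // drop "" and projectKey
    const entry = store[key];
    if (!entry) return { status: 404 };
    if (req.method === "GET") return { status: 200, body: entry };
    if (req.method === "DELETE") {
      if (url.searchParams.get("version") !== String(entry.version)) return { status: 409 };
      delete store[key];
      return { status: 200, body: entry };
    }
    return { status: 405 };
  };
}

// Usage: eraseResource(makeFakeTransport(), "my-project", "carts", "c-1")
//   -> { resource: "carts", id: "c-1", status: "erased" }
```

In a real run the fake transport is replaced by an authenticated HTTP client. Run the retrieval step first if the customer also asked for a copy of their data, and run the erasure step once per resource: deleting the Customer resource alone does not remove the carts, orders or payments that reference it, and each of those needs its own dataErasure=true request.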

Request to Access Traceability of Collected Data

Should a customer ask you to show the traceability of actions taken on the collected data, you will have to contact https://support.commercetools.com and submit a request for this. The request must include the Customer ID as well as all the resource identifiers for which the change history is needed. Our support team will then provide a list of Messages capturing the individual changes to each resource.

For any changes performed on a resource within the Merchant Center after 2018-05-25, the change history will include the User ID that performed the change.