Deleting Personal Data of Customers in Compliance with the European Union's Data Protection Regulation

Resources Supporting the Storage of Personal Data

If a customer contacts you as a merchant and requests to receive a complete list of all personal data which has been collected by you, you have to be aware of the following commercetools resources that may contain or refer to customer data:

• Customer
• Cart
• Order
• Payment
• Review
• Shopping List
• Discount Code
• Custom Object
• Message

You furthermore have to take into consideration any Custom Types containing customer data for any customizable resource which you may have defined in your data model.

In the following, it will be explained how the resources mentioned in this paragraph can be retrieved and ultimately erased in a GDPR compliant manner. As a merchant, please review your data model carefully to ensure that no other commercetools resource (for example Product or Category) contains or refers to personal data.

Retrieval of Collected Data

For each of the resource listed above, it is possible to conduct customer specific retrievals. Here is an overview of the retrievals needed to be performed:

• Customer: Get Customer
• Cart: Get Cart by Customer ID
• Order: Query Order using Customer ID in Predicate
• Payment: Query Payment using Customer ID in Predicate
• Review: Query Review using Customer ID in Predicate
• Shopping List: Query Shopping List using Customer ID in Predicate
• Discount Code: Query Cart Discount with Discount Code required where Cart Predicate contains Customer ID
• Custom Object: Query Custom Object with reference to customer related identifier in Predicate
• Message: Query Message for all resource identifiers returned from the above queries

Tool

To ease the retrieval process, commercetools has made a tool available on Github. Using this NodeJS tool, you can perform a bulk retrieval across all the listed resources. We have made it open source, so you can customize the retrieval in regards to your specific data model pertaining to Custom Objects and Custom Types.

Request to Erase Collected Data

Should a customer execute on the right to be forgotten, making the request to have all collected data erased, it is important to be aware that a default DELETE request may not clean up all data. A DELETE request will for example not erase personal data that are part of Messages, or from the logs that commercetools keeps internally for some time to reconstruct data in case of faulty system behavior.
To erase in a GDPR-compliant manner, commercetools therefore offers a parameter for DELETE requests called dataErasure. If set to TRUE, the commercetools platform guarantees that all personal data related to the particular object, including Messages as well as internally logged data, are erased.

For an overview, here are the documentation links for the individual delete actions. To erase in a GDPR-compliant manner, dataErasure=TRUE must be set:

• Delete Customer
• Delete Cart
• Delete Order
• Delete Payment
• Delete Review
• Delete Shopping List
• Delete Discount Code
• Delete Custom Object

Tool

As with the retrieval of customer related data, the open source NodeJS tool allows you to perform the delete actions in a bulk fashion, and you can customize it in regards to the Custom Objects and Custom Types of your data model.

Request to Access Traceability of Collected Data

Should a customer request of you to show the traceability of actions taken against the collected data, you will have to contact https://support.commercetools.com and submit a request for this. The request will need to include the Customer ID as well as all the resource identifiers for which the change history is needed. Our support team will then make sure that you get a list of Messages capturing the individual changes to each resource.

For any changes performed on a resource within the Merchant Center after 2018-05-25, the change history will include the User ID that performed the change.