Sylius Loves GDPR

The EU’s General Data Protection Regulation, better known as GDPR, goes into effect on 25 May 2018. It will standardise the processing of personally identifiable information (such as addresses, names and phone numbers) by all companies and institutions operating within the European Union.

To help you audit your Sylius store, this blog post describes where personal data is collected, accessed and stored. Based on that, it is recommended to create appropriate policies to comply with GDPR.

Personal data flow in Sylius

Sylius frontend collects and processes personal data when:

  • a customer registers an account
  • a customer edits their account details
  • a customer manages an address in their address book
  • a customer checks out, passing the data required for order fulfilment
  • a customer reviews a product

Sylius frontend gives access to the personal data when:

  • a customer visits the account details edit page
  • a customer manages addresses in their address book
  • a customer browses their order history
  • a customer browses product reviews

Sylius backend collects and processes personal data when:

  • an admin creates a customer
  • an admin edits a customer
  • an admin impersonates a customer (giving the admin access to personal data entry points in Sylius frontend)
  • an admin edits a product review made by a customer

Sylius backend gives access to the personal data when:

  • an admin browses through the customer list
  • an admin browses through the order list
  • an admin views a customer’s details or their order history
  • an admin browses product reviews

Personal data stored in Sylius

Customer-related data:

  • Customer (sylius_customer table)
    • ID
    • Group ID
    • Email
    • First name
    • Last name
    • Birthdate
    • Gender
    • Phone number
  • Customer address (sylius_address table)
    • ID
    • Customer ID
    • First name
    • Last name
    • Company name
    • Street
    • City
    • Postcode
    • Phone number
    • Country code
    • Province code or province name
  • Customer address history (sylius_address_log_entry table)
    • Address ID
    • Action
    • Details (address data)
  • Customer user account (sylius_shop_user table)
    • ID
    • Customer ID
    • Username
    • Email
    • Password
    • Last login date
    • Verification date
    • Roles

Order-related data:

  • Order (sylius_order table)
    • ID
    • Customer ID
    • Shipping address ID
    • Billing address ID
    • Customer notes
    • Checkout completion date
  • Payment (sylius_payment table)
    • ID
    • Order ID
    • Payment method ID
    • Payment details (might contain sensitive data)

Product-related data:

  • Review (sylius_product_review table)
    • ID
    • Customer ID
    • Product ID
    • Title
    • Comment
    • Rating

FAQs

Is this all the personally identifiable information stored in Sylius?

Sylius plugins and core customisations can store additional personal data that has not been mentioned in this document. It is recommended to check your own data storage and policies for complying with the GDPR.

Does Sylius transfer personal data to any third party?

Sylius does not send any personal data to third parties by default. However, plugins, core customisations or payment processors might do that. For example, after setting up an integration with PayPal, it will transfer personal data such as the billing address, the order amount, and the order item names and prices. Another common integration is a newsletter system, which might export customers’ email addresses to an external, third-party organisation.

How can I import or export customer data?

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Sylius does not provide a solution for it out of the box; we recommend using a community-maintained bundle like FriendsOfSylius/SyliusImportExportPlugin.

How can I delete customer personal data from my store?

The GDPR introduces a right for individuals to have personal data erased. However, some customer- and order-related data might not be subject to this request if the company operating the store needs it to comply with a legal obligation. Therefore, we’re not providing an out-of-the-box solution for that.

We’re working on a customizable solution that will automate deleting personal data to ease the effort needed for that operation. One of the design principles is to allow plugin providers to define default behaviour for personal data deletion if they’re storing the data outside Sylius’ default data storage described above.
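As an added example (not part of this post and not Sylius’ own code), the following script models the tables listed above in an in-memory SQLite database, with constructed sample rows and assumed column names, and implements the two requests from the last two FAQs: a data-portability export and an erasure that pseudonymises identifying fields while keeping the order rows the store may have to retain.

```python
import sqlite3

# Constructed minimal schema following the tables the post lists; the column
# names are assumptions for this example, not Sylius' real Doctrine mapping.
SCHEMA = """
CREATE TABLE sylius_customer (id INTEGER PRIMARY KEY, email TEXT, first_name TEXT, last_name TEXT, phone_number TEXT);
CREATE TABLE sylius_address (id INTEGER PRIMARY KEY, customer_id INTEGER, first_name TEXT, last_name TEXT, street TEXT, city TEXT, postcode TEXT, country_code TEXT);
CREATE TABLE sylius_shop_user (id INTEGER PRIMARY KEY, customer_id INTEGER, username TEXT, password TEXT, last_login TEXT);
CREATE TABLE sylius_order (id INTEGER PRIMARY KEY, customer_id INTEGER, notes TEXT, checkout_completed_at TEXT);
-- constructed sample rows for one customer
INSERT INTO sylius_customer VALUES (1, 'jane@example.com', 'Jane', 'Doe', '+48 123 456 789');
INSERT INTO sylius_address VALUES (10, 1, 'Jane', 'Doe', '1 Main St', 'Warsaw', '00-001', 'PL');
INSERT INTO sylius_shop_user VALUES (5, 1, 'jane@example.com', '$argon2id$constructed', '2018-05-24');
INSERT INTO sylius_order VALUES (100, 1, 'Leave at the door', '2018-05-20');
"""

# Fixed allowlist of table -> (customer key column, exported columns). The password
# hash is deliberately not exported: it is not data the subject can reuse elsewhere.
PORTABLE = {
    "sylius_customer": ("id", ("id", "email", "first_name", "last_name", "phone_number")),
    "sylius_address": ("customer_id", ("id", "first_name", "last_name", "street", "city", "postcode", "country_code")),
    "sylius_shop_user": ("customer_id", ("id", "username", "last_login")),
    "sylius_order": ("customer_id", ("id", "notes", "checkout_completed_at")),
}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn

def export_customer(conn, customer_id):
    """Right to data portability: collect every row tied to one customer."""
    out = {}
    for table, (key, cols) in PORTABLE.items():  # identifiers come from the allowlist only
        sql = f"SELECT {', '.join(cols)} FROM {table} WHERE {key} = ?"
        out[table] = [dict(r) for r in conn.execute(sql, (customer_id,))]
    return out

def erase_customer(conn, customer_id):
    """Right to erasure: pseudonymise identifying fields and drop the login, but keep
    the order rows themselves, which the store may have to retain for legal reasons."""
    conn.execute("UPDATE sylius_customer SET email = ?, first_name = '', last_name = '', "
                 "phone_number = NULL WHERE id = ?", (f"erased-{customer_id}@invalid", customer_id))
    conn.execute("UPDATE sylius_address SET first_name = '', last_name = '', street = '', "
                 "city = '', postcode = '' WHERE customer_id = ?", (customer_id,))
    conn.execute("UPDATE sylius_order SET notes = NULL WHERE customer_id = ?", (customer_id,))
    conn.execute("DELETE FROM sylius_shop_user WHERE customer_id = ?", (customer_id,))
    conn.commit()
    return export_customer(conn, customer_id)  # what remains after erasure
```

Plugins that store personal data outside these tables would need to register their own entries in the allowlist and their own erasure step.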

Conclusion

May 25th is coming tomorrow! For more information related to GDPR, you might wish to read ICO’s Guide to GDPR and visit European Commission’s site.

Kamil Kokot
Kamil is a self-taught developer, working mostly as a Solution Specialist. Currently focused on empowering development teams by improving Sylius architecture and processes. A tea lover and a minimalist, interested in linguistics and cognitive science.