The EU’s General Data Protection Regulation, better known as GDPR, goes into effect on the 25 May 2018. It will standardise the processing of personally identifiable information (like addresses, names, phone numbers, etc.) by all companies and institutions operating within the European Union.
In order to help you with auditing your Sylius store, this blog post provides information about collecting, accessing and storing the personal data. Based on that, it is recommended to create appropriate policies to comply with GDPR.
Sylius frontend collects and processes personal data, when:
Sylius frontend gives access to the personal data, when:
Sylius backend collects and processes personal data, when:
Sylius backend gives access to the personal data, when:
Sylius plugins and core customisations can store additional personal data that has not been mentioned in this document. It is recommended to check your own data storage and policies for complying with the GDPR.
Sylius does not send any personal data to third parties by default. However, plugins, core customisations or payment processors might do that. For example, after setting up an integration with PayPal, it will transfer personal data like, among others, the billing address, the order amount, the order items names and prices. Another common integration is the newsletter system, which might export customers’ email addresses to an external, third-party organisation.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Sylius does not provide a solution for it out-of-the-box, we recommend using a community maintained bundle like
The GDPR introduces a right for individuals to have personal data erased. However, some customer and order related data might not be a subject of this request if the company operating the store needs it to comply with a legal obligation. Therefore, we’re not providing an out-of-the-box solution for that.
We’re working on a customizable solution that will automate deleting personal data to ease the effort needed for that operation. One of the design principles is to allow plugin providers to define default behaviour for personal data deletion if they’re storing the data outside Sylius’ default data storage described above.