
Kamil Kokot
24.05.2018 | 3 mins read

Sylius Loves GDPR

The EU’s General Data Protection Regulation, better known as GDPR, goes into effect on 25 May 2018. It standardises the processing of personally identifiable information (such as addresses, names and phone numbers) by all companies and institutions operating within the European Union.

To help you audit your Sylius store, this blog post describes where personal data is collected, accessed and stored. Based on that, you should create appropriate policies to comply with GDPR.

Personal data flow in Sylius

Sylius frontend collects and processes personal data when:

  • a customer registers an account
  • a customer edits their account details
  • a customer manages an address in their address book
  • a customer checks out, passing the data required for order fulfilment
  • a customer reviews a product

Sylius frontend gives access to personal data when:

  • a customer visits the account details edit page
  • a customer manages addresses in their address book
  • a customer browses their order history
  • a customer browses a product’s reviews

Sylius backend collects and processes personal data when:

  • an admin creates a customer
  • an admin edits a customer
  • an admin impersonates a customer (giving the admin access to the personal data entry points in Sylius frontend)
  • an admin edits a product review made by a customer

Sylius backend gives access to personal data when:

  • an admin browses the customer list
  • an admin browses the order list
  • an admin views a customer’s details or their order history
  • an admin browses product reviews

Personal data stored in Sylius

Customer-related data:

  • Customer (sylius_customer table)
    • ID
    • Group ID
    • Email
    • First name
    • Last name
    • Birthdate
    • Gender
    • Phone number
  • Customer address (sylius_address table)
    • ID
    • Customer ID
    • First name
    • Last name
    • Company name
    • Street
    • City
    • Postcode
    • Phone number
    • Country code
    • Province code or province name
  • Customer address history (sylius_address_log_entry table)
    • Address ID
    • Action
    • Details (address data)
  • Customer user account (sylius_shop_user table)
    • ID
    • Customer ID
    • Username
    • Email
    • Password
    • Last login date
    • Verification date
    • Roles

Order-related data:

  • Order (sylius_order table)
    • ID
    • Customer ID
    • Shipping address ID
    • Billing address ID
    • Customer notes
    • Checkout completion date
  • Payment (sylius_payment table)
    • ID
    • Order ID
    • Payment method ID
    • Payment details (might contain sensitive data)

Product-related data:

  • Review (sylius_product_review table)
    • ID
    • Customer ID
    • Product ID
    • Title
    • Comment
    • Rating

FAQs

Is this all the personally identifiable information stored in Sylius?

Sylius plugins and core customisations can store additional personal data that has not been mentioned in this document. It is recommended to check your own data storage and policies for complying with the GDPR.

Does Sylius transfer personal data to any third party?

Sylius does not send any personal data to third parties by default. However, plugins, core customisations or payment processors might. For example, an integration with PayPal will transfer personal data such as the billing address, the order amount, and the names and prices of the order items. Another common integration is a newsletter system, which might export customers’ email addresses to an external, third-party organisation.

How can I import or export customer data?

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Sylius does not provide a solution for this out of the box; we recommend using a community-maintained bundle such as FriendsOfSylius/SyliusImportExportPlugin.
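To make the storage inventory above and the portability question concrete, here is an added example (not part of the original post and not Sylius code) that gathers one customer’s records across the listed tables for an access or portability request. The SQLite schema and sample rows are constructed for the demo, and the column names are assumptions: the post lists fields, not Sylius’ actual Doctrine column names.

```python
import sqlite3

# Constructed SQLite stand-in for the Sylius tables named above. Column names
# are assumptions: the post lists fields, not the Doctrine column names.
SCHEMA = """
CREATE TABLE sylius_customer (id INTEGER PRIMARY KEY, email, first_name, last_name, birthday, gender, phone_number);
CREATE TABLE sylius_address (id INTEGER PRIMARY KEY, customer_id, first_name, last_name, company, street, city, postcode, phone_number, country_code);
CREATE TABLE sylius_shop_user (id INTEGER PRIMARY KEY, customer_id, username, email, password, last_login, verified_at);
CREATE TABLE sylius_order (id INTEGER PRIMARY KEY, customer_id, notes, checkout_completed_at);
CREATE TABLE sylius_payment (id INTEGER PRIMARY KEY, order_id, details);
CREATE TABLE sylius_product_review (id INTEGER PRIMARY KEY, author_id, title, comment, rating);
"""

# table -> (column linking the row to the customer, columns exported as personal data).
# sylius_shop_user.password and sylius_payment.details are deliberately left out: a password
# hash is not portable data, and payment details may hold gateway secrets (only counted below).
PERSONAL_DATA = {
    "sylius_customer": ("id", ("email", "first_name", "last_name", "birthday", "gender", "phone_number")),
    "sylius_address": ("customer_id", ("first_name", "last_name", "company", "street", "city", "postcode", "phone_number", "country_code")),
    "sylius_shop_user": ("customer_id", ("username", "email", "last_login", "verified_at")),
    "sylius_order": ("customer_id", ("id", "notes", "checkout_completed_at")),
    "sylius_product_review": ("author_id", ("title", "comment", "rating")),
}

def export_customer_data(conn, customer_id):
    """Gather one data subject's records for an access or portability request."""
    out = {}
    for table, (link_col, cols) in PERSONAL_DATA.items():
        rows = conn.execute(f"SELECT {', '.join(cols)} FROM {table} WHERE {link_col} = ?", (customer_id,)).fetchall()
        out[table] = [dict(zip(cols, row)) for row in rows]
    # Payments are reached via the customer's orders; report how many exist, never their details.
    out["sylius_payment_count"] = conn.execute(
        "SELECT COUNT(*) FROM sylius_payment p JOIN sylius_order o ON o.id = p.order_id "
        "WHERE o.customer_id = ?", (customer_id,)).fetchone()[0]
    return out

def demo_connection():
    """In-memory database holding constructed sample rows (customer 1 plus a stray review by 2)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + """
    INSERT INTO sylius_customer VALUES (1, 'ann@example.org', 'Ann', 'Example', '1980-01-01', 'f', '+48123456789');
    INSERT INTO sylius_address VALUES (10, 1, 'Ann', 'Example', NULL, '1 Main St', 'Warsaw', '00-001', NULL, 'PL');
    INSERT INTO sylius_shop_user VALUES (20, 1, 'ann', 'ann@example.org', 'constructed-hash', '2018-05-20', '2018-01-02');
    INSERT INTO sylius_order VALUES (30, 1, 'Leave at the door', '2018-05-21');
    INSERT INTO sylius_payment VALUES (40, 30, '{"token": "constructed-gateway-token"}');
    INSERT INTO sylius_product_review VALUES (50, 1, 'Great', 'Works well', 5);
    INSERT INTO sylius_product_review VALUES (51, 2, 'Meh', 'Average', 3);
    """)
    return conn
```

Plugins and customisations that keep personal data in their own tables need to be added to the mapping before the export can be considered complete.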

How can I delete customer personal data from my store?

The GDPR introduces a right for individuals to have their personal data erased. However, some customer- and order-related data might not be subject to such a request if the company operating the store needs it to comply with a legal obligation. Therefore, we’re not providing an out-of-the-box solution for that.

We’re working on a customizable solution that will automate deleting personal data to ease the effort needed for that operation. One of the design principles is to allow plugin providers to define default behaviour for personal data deletion if they’re storing the data outside Sylius’ default data storage described above.

Conclusion

May 25th is coming tomorrow! For more information related to GDPR, you might wish to read ICO’s Guide to GDPR and visit European Commission’s site.
