3 min. read
Categories: News
Sylius Loves GDPR
Sylius Loves GDPR

The EU’s General Data Protection Regulation, better known as GDPR, goes into effect on the 25 May 2018. It will standardise the processing of personally identifiable information (like addresses, names, phone numbers, etc.) by all companies and institutions operating within the European Union.

In order to help you with auditing your Sylius store, this blog post provides information about collecting, accessing and storing the personal data. Based on that, it is recommended to create appropriate policies to comply with GDPR.

Personal data flow in Sylius

Sylius frontend collects and processes personal data, when:

  • a customer registers an account
  • a customer edits their account details
  • a customer manages an address in their address book
  • a customer checks out, passing the data required for order fulfilment
  • a customer reviews a product

Sylius frontend gives access to the personal data, when:

  • a customer visits account details edition page
  • a customer manages addresses in their address book
  • a customer browses their order history
  • a customer browses product’s reviews

Sylius backend collects and processes personal data, when:

  • an admin creates a customer
  • an admin edits a customer
  • an admin impersonates a customer (giving the admin an access to personal data entry points in Sylius frontend)
  • an admin edits a product review made by a customer

Sylius backend gives access to the personal data, when:

  • an admin browses through customer list
  • an admin browses through order list
  • an admin shows a customer details or their order history
  • an admin browses product reviews

Personal data stored in Sylius

Customer-related data:

  • Customer (sylius_customer table)
    • ID
    • Group ID
    • Email
    • First name
    • Last name
    • Birthdate
    • Gender
    • Phone number
  • Customer address (sylius_address table)
    • ID
    • Customer ID
    • First name
    • Last name
    • Company name
    • Street
    • City
    • Postcode
    • Phone number
    • Country code
    • Province code or province name
  • Customer address history (sylius_address_log_entry table)
    • Address ID
    • Action
    • Details (address data)
  • Customer user account (sylius_shop_user table)
    • ID
    • Customer ID
    • Username
    • Email
    • Password
    • Last login date
    • Verification date
    • Roles

Order-related data:

  • Order (sylius_order table)
    • ID
    • Customer ID
    • Shipping address ID
    • Billing address ID
    • Customer notes
    • Checkout completion date
  • Payment (sylius_payment table)
    • ID
    • Order ID
    • Payment method ID
    • Payment details (might contain sensitive data)

Product-related data:

  • Review (sylius_product_review table)
    • ID
    • Customer ID
    • Product ID
    • Title
    • Comment
    • Rating


Are these all personally identifiable information stored in Sylius?

Sylius plugins and core customisations can store additional personal data that has not been mentioned in this document. It is recommended to check your own data storage and policies for complying with the GDPR.

Does Sylius transfer personal data to any third party?

Sylius does not send any personal data to third parties by default. However, plugins, core customisations or payment processors might do that. For example, after setting up an integration with PayPal, it will transfer personal data like, among others, the billing address, the order amount, the order items names and prices. Another common integration is the newsletter system, which might export customers’ email addresses to an external, third-party organisation.

How can I import or export customer data?

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Sylius does not provide a solution for it out-of-the-box, we recommend using a community maintained bundle like FriendsOfSylius/SyliusImportExportPlugin.

How can I delete customer personal data from my store?

The GDPR introduces a right for individuals to have personal data erased. However, some customer and order related data might not be a subject of this request if the company operating the store needs it to comply with a legal obligation. Therefore, we’re not providing an out-of-the-box solution for that.

We’re working on a customizable solution that will automate deleting personal data to ease the effort needed for that operation. One of the design principles is to allow plugin providers to define default behaviour for personal data deletion if they’re storing the data outside Sylius’ default data storage described above.


May 25th is coming tomorrow! For more information related to GDPR, you might wish to read ICO’s Guide to GDPR and visit European Commission’s site.

Kamil Kokot
Kamil is a self-taught developer, working mostly as a Solution Specialist. Currently focused on empowering development teams by improving Sylius architecture and processes. A tea lover and a minimalist, interested in linguistics and cognitive science.
More from our blog
Business News Technical 3 min read 28.09.2020
Get ready for global sales & operations with the most advanced payment solution from the famous fintech giant, now available in Sylius out of the box. Read More
Business News 3 min read 14.09.2020
We proudly present to you the latest version of the Sylius eCommerce Platform – 1.8, which comes with a brand new, unified API powered by API Platform, Loyalty points system for Sylius Plus, and as you can probably see, a brand new sylius.com website! Numbers This new release is a… Read More
Business Ecosystem News 3 min read 13.08.2020
Read why the French market leader trusted Sylius in a strategic re-platforming process to get a competitive eCommerce advantage. Read More