On 25 May 2018, the European General Data Protection Regulation (GDPR) will come into force and replace national regulations. In addition, the GDPR will apply to all companies and institutions operating within the EU that work with personal data such as names, addresses, bank details and dates of birth. The standardised processing of personal data is primarily aimed at better transparency in handling consumer data and the improved protection of this data. This wiki article is intended to provide you with a brief summary regarding the processing of personal data in Shopware so that you can prepare the required documentation (for example the list of processing activities, or LPA for short) or prepare the data protection declaration for a Shopware instance better. Since implementing the GDPR differs very considerably from one company to another, when implementing it in your shop you should always consult your legal adviser in order to meet all the requirements here. You can obtain a general overview of the contents of the GDPR from our whitepaper.
At this point we would like to show you what personal data is processed directly in Shopware. As an eCommerce system it is of course absolutely necessary to process data from the customer, to record supplier addresses, for example. Here you should note that not only the software itself, but also the underlying hardware is involved in the processing. Since your host has a very individual set-up, you should clarify with them, if necessary, the extent to which communication is taking place there (e.g. with a separate database server, where the application communicates with the database via a network). This article is only about the processing of this data in Shopware on the software side.
This point is deliberately kept very general for now. Shopware itself stores a wide variety of data that is either directly related to the user (= personal) or not directly related to the user (anonymised). Anonymised data is not personal data and is not covered by the GDPR, which means that no special measures are required here. N.B.: Pseudonymised data that can be assigned to a person by means of an indicator (e.g. via bank details, a customer number or an order number) counts as personal data again, even if it is not immediately apparent who the person is. The personal data is always required when Shopware accepts an entry from the customer or the shop owner has to work with this data. This may involve the registration or assessment function in the frontend, or the processing of orders via the backend. Of course, personal data can also be picked up via the RestAPI with authorisation. Anonymised data can of course also be recorded, for example to provide article recommendations ("Customers also purchased", "Customers also looked at", etc.) and statistics in the backend. Since it is easy to lose the overview due to Shopware's innumerable functions, we would like to list for you the data that is stored in Shopware.
This list may be incomplete. Plug-ins can extend data storage and thus expand extensive areas in Shopware. Whether you process other personal data is something you must assess individually in your shop.
In Article 4 (1) of the GDPR, personal data is defined as follows: "Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
In order to carry out an order and other actions in the shop, the customer requires a customer account. The contents include the address data, but also additional personal information, depending on what you have configured in your settings. Queries regarding date of birth or the details of the company name are both possible. Here you should specifically check the registration of your shop in order to obtain an overview of what data you are collecting from the customer. In the Shopware database, all the tables contain the customer data with the abbreviation "s_user*". But you can of course also consult this data in the backend by opening the customer in question at Customer > Customer.
Of course, the checkout is the heart of every online shop. In order to issue an order in Shopware, the customer first requires a customer account, of course. All this information is also stored together in the order. Then the products that the customer purchases in your shop are added, along with the customer's IP address. In addition, the referrer – that is, the source used by the customer to reach your shop – is also stored there. You can see all the relevant information via the backend at Customer > Orders, and in the database in the tables with the abbreviation "s_order". Further information for processing IP addresses can be found at: Are Ip-addresses saved in Shopware?
Shopware's own SEPA function is seldom used today. Most shop owners use an external solution that does not store this data in Shopware, and only transfers the successful payment to Shopware (for example, PayPal Plus). If you use Shopware's own SEPA function, this also amounts to processing personal data, of course. Our SEPA function is explained here: SEPA-Configuration
The SEPA data entered by the customer is kept in the table s_core_payment_data.
As mentioned above, the IP addresses for individual orders are stored. In addition, a list of places where an IP address is stored is provided in this document: Are Ip-addresses saved in Shopware?
Like many other systems, Shopware provides a function for Newsletter registration. For example, the form can be found in the shop footer, or an expanded form is available via /newsletter. What data is collected here depends largely on the basic setting "Check extended fields in newsletter registration". Depending on the definition, additional information is collected here, such as the customer's first name and last name. Documents regarding the Newsletter can be found here: Newsletter
All the information that the customer stores in the frontend can be found in the administration interface in the "Marketing > Newsletter > Administration > Receiver" area. In the database, the tables s_campaigns_mailaddresses and s_campaigns_maildata are used to store the data. In addition, you can also define whether the double opt-in procedure is to be used when registering for the newsletter; for this purpose the basic setting "Double opt-in for newsletter subscriptions" is used. The opt-in data is stored in the table s_core_optin.
The forms in Shopware send an e-mail with the data entered by the customer to the address stored on the form. The shop owner can decide what data is requested there and this can vary and be customized. Thus you should review independently what data you process and how you do so in the backend under Content > Forms. The documents regarding the form function can be found at: Forms
On the article details page, Shopware provides the opportunity to give a product review. This must be confirmed via double opt-in if the basic setting "Double opt-in for customer reviews" is activated. The table s_core_optin is responsible for the opt-in procedure. The confirmed reviews can then be viewed, deleted or approved in the backend under Items > Customer reviews. Here you can find documents regarding the ratings function in Shopware: Customer reviews
The Administration interface is a bit special in this area, since you can of course view and set up customer records there, as well as administration users who are also linked by an e-mail address. Thus the backend not only processes the customers' data in your shop, but also the data of your staff, to a certain extent. You can configure the user administration of the backend under Configuration > User administration. It is also possible to restrict individual areas of the backend or to allow read-only access. Documents regarding the rights and roles in the backend can be found here: User administration
If you have connected additional systems, such as an ERP, this normally communicates with the shop using the RestAPI. The users of the RestAPI are set up via the backend as described above. Here you can find a list of the data that you can obtain via the RestAPI: RestAPI
Shopware uses anonymised content to provide your customers in the shop with individual cross-selling proposals. This concerns, for example, the functions "Customers also bought" and "Customers also viewed". There the behaviour of the customers in your shop is analysed anonymously and used to display recommendations. You can manage these functions via the performance module in the backend. Additional documents regarding this area can be found at: Cross selling
In the backend you can also consult statistics on the purchasing behaviour, orders and much more. Documents regarding the statistics can also be found in our documentation: Analysis
You can also manage the recording of statistics via the performance module, and the option to exclude individual IP addresses from documentation is also available in the basic settings. This data is retained from all the data recorded in the Shopware database.
The encrypted transfer of data is normally achieved via the HTTPS protocol. To be able to use this in your shop, you first require a valid SSL certificate that must be set up on your server. Then you can activate SSL in your shop by using these instructions: How to configure and activate an SSL-certificate
Here a general distinction must be made between encrypted transfer of data and encrypted storage. We always recommend operating all areas of the shop via HTTPS so that all personal data is transferred in encrypted form. This data is then stored in plain form in the relevant database tables. The data itself is only encrypted when this is required, e.g. the user password.
Whether setting cookies that are technically not required for operating the shop makes an opt-in necessary or not is disputed among legal experts. We recommend that you implement one of the established solutions for information on data protection law regarding cookies. More information can be found at https://www.cookiechoices.org; please consult your legal adviser on this issue. Shopware itself already provides the opportunity to activate the cookie reference as default.
Shopware stores cookies in the visitor's browser in order to guarantee the basic functions of the shop. The cookies enable, for example, the content of the shopping cart, the login status and also the CSRF protection. Shopware cannot be used without permitting cookies in the browser. IMPORTANT: Shopware only ever stores IDs in the customer's browser; the relevant information is assigned on the application side.
By using the session cookie, Shopware decides whether the relevant user has an active shopping cart and whether the user is logged in. It therefore serves as identification between browser and server. No additional information is stored in the browser apart from the session ID. The sessions are handled and controlled via PHP on the server side and this must be seen as independent of Shopware.
In addition, Shopware produces an individual CSRF cookie when the shop is visited so that the customer can navigate the individual areas of the shop. Here information on CSRF protection can be found: CSRF protection hint
One of the new features in 5.3 is the SLT cookie that enables the shop to recognise customers when they return to the shop, even if the session has already expired. All information on the SLT cookie can be found here: Shopware login token
The SLT cookie can also be deactivated in the basic settings.
If a customer places a product on the notepad, a cookie with the name "sUniqueID" is created for this purpose in order to save the content of the notepad. The saved products are stored in the table s_order_notes.
In addition, the information on the "last viewed articles" is stored in the browser's local storage. You can find the documentation for this function here: Last viewed
In this table you will find relevant cookies for the use of Shopware:
Cookie name | Function | Storage period |
__csrf_token-1 | Required for the validation of client details. | Is bound to the browser session. |
session-1 | Identifies the current session, the user and their shopping cart. | Is bound to the browser session. |
cookiePreferences | The information about which cookies the customer wants is stored in a serialised string. | The information is stored for half a year. |
slt | Allows the customer to be recognised when returning to the shop, even if the session has already expired. | Stored for one year or deleted by manual logout of the client. |
sUniqueID | Is responsible for the allocation of the watch list and is used when using the watch list. | Stored for one year. |
x-ua-device | Serves to determine the end device used, e.g. for the correct display of the shop. | Is bound to the browser session. |
allowCookie | Saves the cookie settings of the shop customer. | Does not expire. |
timezone | The time zone is saved, for example, for time information in e-mails. | |
PHPSESSID | PHP session, which are used to assign the current session (shopping cart, etc.). | Is bound to the browser session. |
csrf | All CSRF cookies are used to validate form entries in order to prevent XSS attacks. | Is bound to the browser session. |
sw-cache-hash | Technical cookie for the cache functionality. | |
cookie-preference | For the client's cookie preferences if these are configured in the offcanvas. | The information is stored for half a year. |
sw-states | Technical cookie for the cache functionality. | |
IP addresses are saved in a regular Shopware installation. They are used to identify users in your shop in four different cases.
The IP address of an order can be found in the order details. To see it, open an order at Customers > Orders.
The IP address is shown on the Order Overview (1). The last three digits of the IP address are anonymised.
The full IP address can be found in the database table "s_order" in the column "remote_addr".
The database table "s_core_log" collects all activity by backend users. This table can be used to reconstruct when specific changes were made. Based on the IP address you might be able to determine who made these changes.
This data is used in the statistics to calculate the visitors per day.
The table s_statistics_currentusers is used to temporarily save data for the "Online visitors"-widget and is cleared every three minutes.
Websites require a data protection declaration under the GDPR as well. Thus information must be provided on the underlying legal bases and on the requirement to conclude a contract or whether there is another obligation to provide the data. It is also necessary for you to set out in the data protection declaration how you handle personal data. The data protection declaration may be a shop page that you link to the relevant areas in your shop, for example. Here it is important that you provide this information "upon collection" of the personal data. Thus the data protection declaration should normally be accessible with only one click. This is typically done in the footer and also in the checkout area. Here the documents regarding the Shop pages in Shopware can be found: Shop pages
You can normally adapt individual texts in the checkout or wherever you process personal data, by using the snippet management. The snippet management can be found here: Snippets
The forms also provide the possibility of integrating an additional checkbox: Checkbox example
We wish to point out that serious sanctions apply in cases of non-compliance with these duties to provide information. If there is no data protection declaration, processing is normally against the law. You may also be liable to pay a fine, and damages or injunctive relief may be claimed if the duties to provide information are fulfilled incorrectly. Consumer protection associations and data protection groups may also instigate proceedings against a website operator without a data protection declaration. Finally, competitors may also issue warnings.
You can simply go to Basic settings > Frontend > Login/registration to activate the option "Data protection conditions must be accepted via checkbox". In the registration process you will then find a checkbox that has an additional link to the data protection provisions. You can adapt the text and link it to the relevant shop page by using the snippet "RegisterLabelDataCheckbox". However, a separate checkbox is not absolutely necessary. It is also sufficient to refer to the data protection information in the ordering process (e.g. "I have read the data protection information."), if this is linked to the data protection notes.
Due to the GDPR launch Shopware can display privacy notes at all relevant places in the frontend. As of Shopware 5.4.3 you'll find the related setting in the basic settings in Additional settings > Privacy.
Shopware does not transfer any information to third parties by default. This may of course be done in addition through add-ons. For example, if you set up PayPal in your shop, data from the shop (the delivery address, the order amount and the shopping cart) will be transferred to PayPal. There are of course also a number of other service providers that process data from Shopware further if you set up an add-on of this kind in your shop. Some prominent examples here could be payment providers, ERP systems as well as newsletter service providers. The best way to find out what data is transferred to third parties here is to ask the manufacturer of the respective add-on.
The GDPR states that the shop owner must provide a customer with the data relating to him in structured form on request. Here Shopware provides the import/export function with which you can export all the relevant data of a customer. The module provides the possibility of setting up a customer stream for the relevant profiles (orders, customers, newsletter recipients). Here you can set up a customer stream in advance with the customers involved and produce an export, for example. Please note that depending on the customer's registration (quick buyer or customer account) there may also be more than one customer account. Documents regarding the export possibilities (CSV and XML) can be found here: Import/Export
The database also provides the option of providing the information to a customer via an SQL query.
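To illustrate the SQL route just mentioned, the following is an added example and not part of the Shopware documentation: it collects a customer's records from the tables this article names. The e-mail address is a constructed sample value, and the column names are assumed from a Shopware 5 schema, so check them against your own installation before use.

```sql
-- Added example, not from Shopware: gather the records behind a data subject
-- access request from the tables named in this article. Column names are
-- assumed from a Shopware 5 schema; verify them against your installation
-- and run this with a read-only database account.
SET @subject_email = 'jane.doe@example.com';   -- constructed sample value

-- 1. Customer accounts. A quick buyer and a registered account can exist
--    side by side for the same e-mail address (accountmode 1 = quick buyer,
--    0 = registered account, as assumed for Shopware 5).
SELECT id, customernumber, accountmode, email, firstname, lastname, birthday
FROM s_user
WHERE email = @subject_email;

-- 2. Billing and shipping addresses attached to those accounts.
SELECT a.id, a.company, a.firstname, a.lastname, a.street, a.zipcode, a.city
FROM s_user_addresses AS a
JOIN s_user AS u ON u.id = a.user_id
WHERE u.email = @subject_email;

-- 3. Orders, including the full IP address (remote_addr) and the referrer,
--    which the backend only shows in anonymised form.
SELECT o.ordernumber, o.ordertime, o.invoice_amount, o.remote_addr, o.referer
FROM s_order AS o
JOIN s_user AS u ON u.id = o.userID
WHERE u.email = @subject_email;

-- 4. Purchased items per order.
SELECT d.ordernumber, d.articleordernumber, d.name, d.quantity, d.price
FROM s_order_details AS d
JOIN s_order AS o ON o.id = d.orderID
JOIN s_user AS u ON u.id = o.userID
WHERE u.email = @subject_email;

-- 5. SEPA mandate data, only present if Shopware's own SEPA payment is used.
SELECT p.iban, p.bic, p.account_holder, p.created_at
FROM s_core_payment_data AS p
JOIN s_user AS u ON u.id = p.user_id
WHERE u.email = @subject_email;

-- 6. Newsletter recipient record and the extended registration fields.
SELECT email, groupID, lastmailing, added
FROM s_campaigns_mailaddresses
WHERE email = @subject_email;

SELECT email, salutation, firstname, lastname, street, zipcode, city, added
FROM s_campaigns_maildata
WHERE email = @subject_email;

-- 7. Notepad entries (set via the sUniqueID cookie) stored against the account.
SELECT n.ordernumber, n.articlename, n.datum
FROM s_order_notes AS n
JOIN s_user AS u ON u.id = n.userID
WHERE u.email = @subject_email;

-- 8. Pending double opt-ins (newsletter, reviews). The payload in s_core_optin
--    is a PHP-serialised string, so the e-mail can only be matched as a substring.
SELECT type, datum, hash
FROM s_core_optin
WHERE data LIKE CONCAT('%', @subject_email, '%');
```

Plug-ins may add further tables holding personal data, so extend the list for every add-on you run.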
All the data defined in this document can normally be deleted conveniently via the backend. So if a customer asks you to delete all his personal data, you can simply delete this data by using the ordering and customer module in the backend. This automatically removes the various links as well. You can also use the newsletter module to remove the recipient from the list of recipients. Shopware thus provides the option of removing all personal data via the backend on the customer's request without problems. Whether and when you are obliged to delete customer data is a legal issue that you should clarify with your legal adviser. It is unfortunately impossible to make generalised statements on this point.
For some time now, we at Shopware have been working with well-known certification bodies to ensure that the system meets the requirements of the GDPR, which comes into force in May. It has been found that according to our current information, Shopware already provides shop owners with the necessary functions they need to create the settings required by the rules of the GDPR. Thus, for example, Shopware already provides all the required tools in the regular end user documentation, such as for removing personal data from the system, which is a core requirement of the new General Data Protection Regulation. No special plug-in/update is planned in relation to the GDPR.
If it turns out to be necessary to adapt our software, we will of course provide the appropriate adaptation in the form of an update.
Starting at Shopware 5.4.3, GDPR related tutorials are no longer needed, as they have been integrated into the core of Shopware. You can find these options in your basic settings under "privacy".
To insert a reference into your theme, you can use this tutorial. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template
Implementation
In this file you have to make the first adjustment. /themes/Frontend/YourTheme/frontend/index/footer-navigation.tpl
There you have to add the following code:
{extends file="parent:frontend/index/footer-navigation.tpl"}
{block name="frontend_index_footer_column_newsletter_form"}
{$smarty.block.parent}
{s name="IndexFooterNewsletterPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}
{/block}
The second adjustment must be added in this file: /themes/Frontend/YourTheme/frontend/newsletter/index.tpl
There you have to add the following code:
{extends file="parent:frontend/newsletter/index.tpl"}
{block name="frontend_newsletter_form_submit"}
{s name="IndexFooterNewsletterPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}
{$smarty.block.parent}
{/block}
For displaying the adjustments in the frontend you must compile your theme.
If the file is not yet included in your theme, you must create it yourself in the attached path.
This adjustment creates a new snippet IndexFooterNewsletterPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.
Frontend after the adjustment
Newsletter registration in the footer
The added reference (1) below the newsletter registration in the footer.
Complete newsletter form
The reference (1) at the end of the newsletter form.
You can use this tutorial to insert a note into your theme. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template
Implementation
In the file: /themes/Frontend/YourTheme/frontend/register/index.tpl you have to add the following code. If the file does not exist in your theme, you have to create it manually.
{extends file="parent:frontend/register/index.tpl"}
{block name='frontend_register_index_form_submit'}
<div class="register--privacy">
{s name="RegisterPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}
</div>
{$smarty.block.parent}
{/block}
Alternatively you can activate the checkbox for the data protection provisions under Configuration > Basic settings > Additional settings > Privacy > Data protection conditions must be accepted via checkbox:
This adjustment creates a new snippet RegisterPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.
Frontend after the adjustment
The note (1) at the end of the registration.
You can use this tutorial to insert a note into your theme. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template
Snippet
In the file: /themes/Frontend/YourTheme/frontend/detail/comment/form.tpl you have to add the following code. If the file does not exist in your theme, you have to create it manually.
{extends file="parent:frontend/detail/comment/form.tpl"}
{block name='frontend_detail_comment_input_actions'}
<p>{s name="CommentPrivacy"}I have read <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}</p>
{$smarty.block.parent}
{/block}
For displaying the adjustments in the frontend you must compile your theme.
This adjustment creates a new snippet CommentPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.
Frontend after the Adjustment
Checkbox
You also can insert a checkbox. For that you have to add the following code in this file: /themes/Frontend/YourTheme/frontend/detail/comment/form.tpl
{extends file="parent:frontend/detail/comment/form.tpl"}
{block name='frontend_detail_comment_input_actions'}
<p>
<input name="comment-checkbox" type="checkbox" id="commentcheckbox" required="required" aria-required="true" value="1" class="chkbox is--required" />
<label for="commentcheckbox" class="chklabel">{s name="CommentPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a> {/s}</label>
</p>
{$smarty.block.parent}
{/block}
Frontend after the adjustment
Tips and tricks
Under certain circumstances, it may not be necessary to collect individual personal data. If, for example, you do not want to save the customer's e-mail address, you can disable the Double-Opt-In procedure. You can disable this in the basic settings under Storefront > E-Mail Settings > Double-Opt-In for article ratings.
You can use this tutorial to insert a note into your theme. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template
Implementation
In the file: /themes/Frontend/YourTheme/frontend/forms/form-elements.tpl you have to add the following code. If the file does not exist in your theme, you have to create it manually.
{extends file="parent:frontend/forms/form-elements.tpl"}
{block name='frontend_forms_form_elements_form_submit'}
{s name="SupportPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}
{$smarty.block.parent}
{/block}
For displaying the adjustments in the frontend you must compile your theme.
This adjustment creates a new snippet SupportPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.
Frontend after the adjustment
The added note (1).
Checkbox instead of a note
Alternatively you can insert a checkbox which must be checked to send out the form. Proceed as follows.
Create the field (1) in the form.
If you want to deactivate the checkbox initially, insert a "0" in the field "Options". For confirmation you can output (1) your input-value in the email.
Adjustment (1) in the frontend.
You can use this tutorial to insert a note into your theme. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template
Snippet
In the file: /themes/Frontend/YourTheme/frontend/blog/comment/form.tpl you have to add the following code. If the file does not exist in your theme, you have to create it manually.
{extends file="parent:frontend/blog/comment/form.tpl"}
{block name='frontend_blog_comments_input_submit'}
<p>{s name="BlogPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}</p>
{$smarty.block.parent}
{/block}
For displaying the adjustments in the frontend you must compile your theme.
This adjustment creates a new snippet BlogPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.
Frontend after the adjustment
Checkbox
You also can insert a checkbox. For that, add the following code in this file: /themes/Frontend/YourTheme/frontend/blog/comment/form.tpl
{extends file="parent:frontend/blog/comment/form.tpl"}
{block name='frontend_blog_comments_input_submit'}
<p>
<input name="blog-checkbox" type="checkbox" id="blogcheckbox" required="required" aria-required="true" value="1" class="chkbox is--required" />
<label for="blogcheckbox" class="chklabel">{s name="BlogPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}</label>
</p>
{$smarty.block.parent}
{/block}
Frontend after the adjustment
Tips and tricks
Under certain circumstances, it may not be necessary to collect individual personal data. If, for example, you do not want to save the customer's e-mail address with the blog comments, you can disable the Double-Opt-In procedure. You can disable this in the basic settings under Storefront > E-Mail Settings > Double-Opt-In for article ratings.
You can use this tutorial to insert a note into your theme. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template
Snippet
In the file: /themes/Frontend/YourTheme/frontend/plugins/notification/index.tpl you have to add the following code. If the file does not exist in your theme, you have to create it manually.
{extends file="parent:frontend/plugins/notification/index.tpl"}
{block name='frontend_detail_index_notification_button'}
{$smarty.block.parent}
<p>{s name="NotificationPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}</p>
{/block}
For displaying the adjustments in the frontend you must compile your theme.
This adjustment creates a new snippet NotificationPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.
Frontend after the Adjustment
Checkbox
You can also insert a checkbox. For that you have to add the following code in this file: /themes/Frontend/YourTheme/frontend/plugins/notification/index.tpl
{extends file="parent:frontend/plugins/notification/index.tpl"}
{block name='frontend_detail_index_notification_button'}
{$smarty.block.parent}
<p>
<input name="notification-checkbox" type="checkbox" id="notificationcheckbox" required="required" aria-required="true" value="1" class="chkbox is--required" />
<label for="notificationcheckbox" class="chklabel">{s name="NotificationPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}</label>
</p>
{/block}
Frontend after the adjustment
Tips and tricks
Under certain circumstances, it may not be necessary to collect individual personal data. If, for example, you do not want to save the customer's e-mail address, you can disable the Double-Opt-In procedure. You can set these options in the basic settings under Storefront > E-Mail Settings.