General Data Protection Regulation (GDPR)

On 25 May 2018, the European General Data Protection Regulation (GDPR) will come into force and replace national regulations. In addition, the GDPR will apply to all companies and institutions operating within the EU that work with personal data such as names, addresses, bank details and dates of birth. The standardised processing of personal data is primarily aimed at better transparency in handling consumer data and the improved protection of this data. This wiki article is intended to provide you with a brief summary regarding the processing of personal data in Shopware so that you can prepare the required documentation (for example the list of processing activities, or LPA for short) or prepare the data protection declaration for a Shopware instance better. Since implementing the GDPR differs very considerably from one company to another, when implementing it in your shop you should always consult your legal adviser in order to meet all the requirements here. You can obtain a general overview of the contents of the GDPR from our whitepaper.

What personal data is processed in Shopware?

At this point we would like to show you what personal data is processed directly in Shopware. As an eCommerce system it is of course absolutely necessary to process data from the customer, to record supplier addresses, for example. Here you should note that not only the software itself, but also the underlying hardware is involved in the processing. Since your host has a very individual set-up, you should clarify with him, if necessary, the extent to which communication is taking place there (e.g. with a separate database server, where the application communicates with the database via a network). Here it should only be about processing this data in Shopware on the software side.

This point is deliberately kept very general for now. Shopware itself stores a wide variety of data that is either directly related to the user (= personal) or not directly related to the user (anonymised). Anonymised data is not personal data and is not covered by the GDPR, which means that no special measures are required here. N.B.: Pseudonymised data that can be assigned to a person, for example by using an indicator, (e.g. via bank details, a customer number or an order number) counts as personal data again, even if it is not immediately apparent who the person is. The personal data is always required when Shopware accepts an entry from the customer or the shop owner has to work with this data. This may involve the registration or assessment function in the frontend, or the processing of orders via the backend. Of course, personal data can also be picked up via the RestAPI with authorisation. Anonymised data can of course also be recorded, for example to provide article recommendations ("Customers also purchased”, "Customers also looked at", etc.) and statistics in the backend. Since it is easy to lose the overview due to Shopware's innumerable functions, we would like to list for you the data that is stored in Shopware.

This list may be incomplete. Plug-ins can extend data storage and thus expand extensive areas in Shopware. Whether you process other personal data is something you must assess individually in your shop.

In Article 4 (1) of the GDPR, personal data is defined as follows: "Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Customer data

In order to carry out an order and other actions in the shop, the customer requires a customer account. The contents include the address data, but also additional personal information, depending on what you have configured in your settings. Queries regarding date of birth or the details of the company name are both possible. Here you should specifically check the registration of your shop in order to obtain an overview of what data you are collecting from the customer. In the Shopware database, all the tables contain the customer data with the abbreviation "s_user*". But you can of course also consult this data in the backend by opening the customer in question at Customer > Customer.

Orders

Of course, the checkout is the heart of every online shop. In order to issue an order in Shopware, the customer first requires a customer account, of course. All this information is also stored together in the order. Then the products that the customer purchases in your shop are added, along with the customer's IP address. In addition, the referrer – that is, the source used by the customer to reach your shop – is also stored there. You can see all the relevant information via the backend at Customer > Orders, and in the database in the tables with the abbreviation "s_order". Further information for processing IP addresses can be found at: Are Ip-addresses saved in Shopware?

Bank details (SEPA)

Shopware's own SEPA function is seldom used today. Most shop owners use an external solution that does not store this data in Shopware, and only transfers the successful payment to Shopware (for example, PayPal Plus). If you use Shopware's own SEPA function, this also amounts to processing personal data, of course. Our SEPA function is explained here: SEPA-Configuration 
The SEPA data entered by the customer is kept in the table s_core_payment_data.

IP addresses

As mentioned above, the IP addresses for individual orders are stored. In addition, a list of places where an IP address is stored is provided in this document: Are Ip-addresses saved in Shopware?

Newsletter

Like many other systems, Shopware provides a function for Newsletter registration. For example, the form can be found in the shop footer, or an expanded form is available via /newsletter. What data is collected here depends largely on the basic setting "Check extended fields in newsletter registration". Depending on the definition, additional information is collected here, such as the customer's first name and last name. Documents regarding the Newsletter can be found here: Newsletter

All the information that the customer stores in the frontend can be found in the administration interface in the "Marketing > Newsletter > Administration > Receiver" area. In the database, the tables s_campaigns_mailaddresses and s_campaigns_maildata are used to store the data. In addition, you can also define whether the double opt-in procedure is to be used when registering for the newsletter; for this purpose the basic setting "Double opt-in for newsletter subscriptions" is used. The opt-in data is stored in the table s_core_optin.

Forms

The forms in Shopware send an e-mail with the data entered by the customer to the address stored on the form. The shop owner can decide what data is requested there and this can vary and be customized. Thus you should review independently what data you process and how you do so in the backend under Content > Forms. The documents regarding the form function can be found at: Forms

Reviews

On the article details page, Shopware provides the opportunity to give a product review. This must be confirmed via the double opt-in if the basic setting "Double opt-in for customer reviews". The table s_core_optin is responsible for the opt-in procedure. The confirmed reviews can then be viewed, deleted or approved in the backend under Items > Customer reviews. Here you can find documents regarding the ratings function in Shopware: Customer reviews

Backend

The Administration interface is a bit special in this area, since you can of course view and set up customer records there, as well as administration users who are also linked by an e-mail address. Thus the backend not only processes the customers' data in your shop, but also the data of your staff, to a certain extent. You can configure the user administration of the backend under Configuration > User administration. It is also possible to restrict individual areas of the backend or to allow read-only access. Documents regarding the rights and roles in the backend can be found here: User administration

RestAPI

If you have connected additional systems, such as an ERP, this normally communicates with the shop using the RestAPI. The users of the RestAPI are set up via the backend as described above. Here you can find a list of the data that you can obtain via the RestAPI: RestAPI

Which data is stored anonymously?

Shopware uses anonymised content to provide your customers in the shop with individual cross-selling proposals. This concerns, for example, the functions "Customers also bought" and "Customers also viewed". There the behaviour of the customers in your shop is analysed anonymously and used to display recommendations. You can manage these functions via the performance module in the backend. Additional documents regarding this area can be found at: Cross selling

Statistics

In the backend you can also consult statistics on the purchasing behaviour, orders and much more. Documents regarding the statistics can also be found in our documentation: Analysis

You can also manage the recording of statistics via the performance module, and the option to exclude individual IP addresses from documentation is also available in the basic settings. This data is retained from all the data recorded in the Shopware database.

What information is transferred in encrypted form?

The encrypted transfer of data is normally achieved via the HTTPs protocol. To be able to use this in your shop, you first require a valid SSL certificate that must be set up on your server. Then you can activate SSL in your shop by using these instructions: How to configure and activate an SSL-certificate

Here a general distinction must be made between encrypted transfer of data and encrypted storage. We always recommend operating all areas of the shop via HTTPs so that all personal data is transferred via HTTPs in encrypted form. This data is then stored in the relevant database tables. The data itself is only encrypted when this is required, e.g. the user password. 

What information is stored in the user's browser?

Whether setting cookies that are technically not required for operating the shop makes an opt-in necessary or not is disputed among legal experts. We recommend that you implement one of the established solutions for information on data protection law regarding cookies. More information can be found at https://www.cookiechoices.org; please consult your legal adviser on this issue. Shopware itself already provides the opportunity to activate the cookie reference as default. 

Cookies (session, SLT, CSRF)

Shopware stores cookies in the visitor's browser in order to guarantee the basic settings of the shop. Using the cookies enables, for example, the content of the shopping cart, the login status and also the CSRF protection. Shopware cannot be used without permitting cookies in the browser. IMPORTANT: Shopware only ever stores IDs in the customer's browser, the relevant information is assigned in the application area.

Session

By using the session cookie, Shopware decides whether the relevant user has an active shopping cart and whether the user is logged in. It therefore serves as identification between browser and server. No additional information is stored in the browser apart from the session ID. The sessions are handled and controlled via PHP on the server side and this must be seen as independent of Shopware.

CSRF

In addition, Shopware produces an individual CSRF cookie when the shop is visited so that the customer can navigate the individual areas of the shop. Here information on CSRF protection can be found: CSRF protection hint

SLT

One of the new features in 5.3 is the SLT cookie that enables the shop to recognise customers when they return to the shop, even if the session has already expired. All information on the SLT cookie can be found here: Shopware login token

The SLT cookie can also be deactivated in the basic settings.

Notepad

If a customer places a product on the notepad, a cookie with the name "sUniqueID" is created for this purpose in order to save the content of the notepad. The saved products are stored in the table s_order_notes.

Last viewed articles

In addition, the information on the "last viewed articles" is stored in the browser's local storage. You can find the documentation for this function here: Last viewed

Cookies overview

In this table you will find relevant cookies for the use of Shopware:

Which ip-addresses are saved in Shopware?

IP-adresses will be saved in a regular Shopware-installation. These are used to identify users in your shop in four different cases.

s_order

The ip-address of an order can be found in the order details. Therefore you open an order at Customers > Orders.

The ip-address is shown on the Order Overview (1). The last three digits of the ip-address are anonymised.

The full ip-address can be found in the database table "s_order" in the column "remote_addr".

s_core_log

The database table "s_core_log" collects all activity by backend users. This table can be used to recreate, when specific changes were made. Based on the ip-address you might be able to specify, who made these changes.

s_statistics_pool

This data is used in the statistics, to calculate the visitors per day.

s_statistics_currentusers

The table s_statistics_currentusers is used to temporarily save data for the "Online visitors"-widget and is cleared every three minutes.

How can I integrate the data protection declaration into my shop?

Websites require a data protection declaration under the GDRP as well. Thus information must be provided on the underlying legal bases and on the requirement to conclude a contract or whether there is another obligation to provide the data. It is also necessary for you to find out in the data protection declaration how you are to handle personal data. The data protection declaration may be a shop page that you link to the relevant areas in your shop, for example. Here it is important that you provide this information "upon collection" of the personal data. Thus the data protection declaration should normally be accessible with only one click. This is typically performed in the footer and also in the checkout area. Here the documents regarding the Shop pages in Shopware can be found: Shop pages

You can normally adapt individual texts in the checkout or wherever you process personal data, by using the snippet management. The snippet management can be found here: Snippets

The forms also provide the possibility of integrating an additional checkbox: Checkbox example

We wish to point out that serious sanctions apply in cases of non-compliance with these duties to provide information. If there is no data protection declaration, processing is normally against the law. You may also be liable to pay a fine, and damages or injunctive relief may be claimed if the duties to provide information are fulfilled incorrectly. Consumer protection associations and data protection groups may also instigate proceedings against a website operator without a data protection declaration. Finally, competitors may also issue warnings.

How can I link the data protection declaration in the registration by checkbox?

You can simply go to Basic settings > Frontend > Login/registration to activate the option "Data protection conditions must be accepted via checkbox". In the registration process you will then find a checkbox that has an additional link to the data protection provisions. You can adapt the text and link it to the relevant shop page by using the snippet "RegisterLabelDataCheckbox". However, a separate checkbox is not absolutely necessary. It is also sufficient to refer to the data protection information in the ordering process (e.g. "I have read the data protection information."), if this is linked to the data protection notes.

Is there an option to integrate a data protection reference at all relevant places in the shop?

Due to the GDPR launch Shopware can display privacy notes at all relevant places in the frontend. As of Shopware 5.4.3 you'll find the related setting in the basic settings in Additional settings > Privacy.

What personal data is transferred to third parties by Shopware?

Shopware does not transfer any information to third parties by default. This may of course be done in addition through add-ons. For example, if you set up PayPal in your shop, data from the shop (the delivery address, the order amount and the shopping cart) will be transferred to PayPal. There are of course also a number of other service providers that process data from Shopware further if you set up an add-on of this kind in your shop. Some prominent examples here could be payment providers, ERP systems as well as newsletter service providers. The best way to find out what data is transferred to third parties here is to ask the manufacturer of the respective add-on.

How can I have personal data output in structured form?

Import/Export

The GDPR states that the shop owner must provide a customer with the data relating to him in structured form on request. Here Shopware provides the import/export function with which you can export all the relevant data of a customer. The module provides the possibility of setting up a customer stream for the relevant profiles (orders, customers, newsletter recipients). Here you can set up a customer stream in advance with the customers involved and produce an export, for example. Please note that depending on the customer's registration (quick buyer or customer account) there may also be more than one customer account. Documents regarding the export possibilities (CSV and XML) can be found here: Import/Export

Database

The database also provides the option of providing the information to a customer via an SQL query.

How can I delete all personal data from my shop?

All the data defined in this document can normally be deleted conveniently via the backend. So if a customer asks you to delete all his personal data, you can simply delete this data by using the ordering and customer module in the backend. This automatically removes the various links as well. You can also use the newsletter module to remove the recipient from the list of recipients. Shopware thus provides the option of removing all personal data via the backend on the customer's request without problems. Whether and when you are obliged to delete customer data is a legal issue that you should clarify with your legal adviser. It is unfortunately impossible to make generalised statements on this point.

FAQs

To what extent is Shopware prepared for the new GDPR?

For some time now, we at Shopware have been working with well-known certification bodies to ensure that the system meets the requirements of the GDPR, which comes into force in May. It has been found that according to our current information, Shopware already provides shop owners with the necessary functions they need to create the settings required by the rules of the GDPR. Thus, for example, Shopware already provides all the required tools in the regular end user documentation, such as for removing personal data from the system, which is a core requirement of the new General Data Protection Regulation. No special plug-in/update is planned in relation to the GDPR.

Are the relevant functions installed automatically with software updates?

If it turns out to be necessary to adapt our software, we will of course provide the appropriate adaptation in the form of an update.

Starting at Shopware 5.4.3, GDPR related tutorials are no longer needed, as they have been integrated into the core of Shopware. You can find these options in your basic settings under "privacy".

How am I able to display a privacy policy note for newsletter registrations?

To insert a reference into your theme, you can use this tutorial. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template

Implementation

In this file you have to make the first adjustment. /themes/Frontend/YourTheme/frontend/index/footer-navigation.tpl

There you have to add the following code:

 
{extends file="parent:frontend/index/footer-navigation.tpl"}
{block name="frontend_index_footer_column_newsletter_form"}
	{$smarty.block.parent}
	{s name="IndexFooterNewsletterPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}
{/block}
 

The second adjustment must be added in this file: /themes/Frontend/YourTheme/frontend/newsletter/index.tpl

There you have to add the following code:

 
{extends file="parent:frontend/newsletter/index.tpl"}
{block name="frontend_newsletter_form_submit"}\
	{s name="IndexFooterNewsletterPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}
	{$smarty.block.parent}
{/block}
 

For displaying the adjustments in the frontend you must compile your theme.

If the file is not yet included in your theme, you must create it yourself in the attached path.

This adjustment creates a new snippet IndexFooterNewsletterPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.

Frontend after the adjustment

Newsletter registration in the footer

The added reference (1) below the newsletter registration in the footer.

Complete newsletter form

The reference (1) at the end of the newsletter form.

How am I able to display a privacy policy note for registrations?

You can use this tutorial to insert a note into your theme. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template

Implementation

In the file: /themes/Frontend/YourTheme/frontend/register/index.tpl you have to add the following code. If the file does not exist in your theme, you have to create it manually.

 
{extends file="parent:frontend/register/index.tpl"}
{block name='frontend_register_index_form_submit'}
	<div class="register--privacy">
		{s name="RegisterPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}
	</div>
	{$smarty.block.parent}
{/block}
 

Alternatively you can activate the checkbox for the data protection provisions under Configuration > basic settings > Additional settings> Privacy > Data protection conditions must be accepted via checknox:

This adjustment creates a new snippet RegisterPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.

Frontend after the adjustment

The note (1) at the end of the registration.

How am I able to display a privacy policy note for evaluations?

You can use this tutorial to insert a note into your theme. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template

Snippet

In the file: /themes/Frontend/YourTheme/frontend/detail/comment/form.tpl you have to add the following code. If the file does not exist in your theme, you have to create it manually.

 
{extends file="parent:frontend/detail/comment/form.tpl"}
{block name='frontend_detail_comment_input_actions'}
    <p>{s name="CommentPrivacy"}I have read <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}</p>
 
    {$smarty.block.parent}
{/block}
 

For displaying the adjustments in the frontend you must compile your theme.

This adjustment creates a new snippet CommentPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.

Frontend after the Adjustment

Checkbox

You also can insert a checkbox. For that you have to add the following code in this file: /themes/Frontend/YourTheme/frontend/detail/comment/form.tpl

 
{extends file="parent:frontend/detail/comment/form.tpl"}
{block name='frontend_detail_comment_input_actions'}
    <p>
        <input name="comment-checkbox" type="checkbox" id="commentcheckbox" required="required" aria-required="true" value="1" class="chkbox is--required" />
        <label for="commentcheckbox" class="chklabel">{s name="CommentPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a> {/s}</label>
    </p>
    {$smarty.block.parent}
{/block}
 

Frontend after the adjustment

Tips and tricks

Under certain circumstances, it may not be necessary to collect individual personal data. If, for example, you do not want to save the customer's e-mail address, you can disable the Double-Opt-In procedure. You can disable this in the basic settings under Storefront> E-Mail Settings> Double-Opt-In for article ratings.

How am I able to display a privacy policy note for my forms?

 You can use this tutorial to insert a note into your theme. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template

Implementation

In the file: /themes/Frontend/YourTheme/frontend/forms/form-elements.tpl you have to add the following code. If the file does not exist in your theme, you have to create it manually.

 
{extends file="parent:frontend/forms/form-elements.tpl"}
{block name='frontend_forms_form_elements_form_submit'}
  {s name="SupportPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}
{$smarty.block.parent}
{/block}
 

For displaying the adjustments in the frontend you must compile your theme.

This adjustment creates a new snippet SupportPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.

Frontend after the adjustment

The added note (1).

Checkbox instead of a note

Alternatively you can insert a checkbox which must be checked to send out the form. Proceed as follows.

Create the field (1) in the form.

If you want to deactivate the checkbox initially, insert a "0" in the field "Options". For confirmation you can output (1) your input-value in the email.

Adjustment (1) in the frontend.

How am I able to display a privacy policy note for blog comments?

You can use this tutorial to insert a note into your theme. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template

Snippet

In the file: /themes/Frontend/YourTheme/frontend/blog/comment/form.tpl you have to add the following code. If the file does not exist in your theme, you have to create it manually.

 
{extends file="parent:frontend/blog/comment/form.tpl"}
{block name='frontend_blog_comments_input_submit'}
    <p>{s name="BlogPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}</p>
 
    {$smarty.block.parent}
{/block}
 

For displaying the adjustments in the frontend you must compile your theme.

This adjustment creates a new snippet BlogPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.

Frontend after the adjustment

Checkbox

You also can insert a checkbox. For that, add the following code in this file: /themes/Frontend/YourTheme/frontend/blog/comment/form.tpl

 
{extends file="parent:frontend/blog/comment/form.tpl"}
{block name='frontend_blog_comments_input_submit'}
	<p>
	    <input name="blog-checkbox" type="checkbox" id="blogcheckbox" required="required" aria-required="true" value="1" class="chkbox is--required" />
	    <label for="blogcheckbox" class="chklabel">{s name="CommentPrivacy"}I have read the <a title="ata protection information" href="{url controller=custom sCustom=29}">ata protection information</a>{/s}</label>
	</p>
    {$smarty.block.parent}
{/block}
 

Frontend after the adjustment

Tips and tricks

Under certain circumstances, it may not be necessary to collect individual personal data. If, for example, you do not want to save the customer's e-mail address with the blog comments, you can disable the Double-Opt-In procedure. You can disable this in the basic settings under Storefront> E-Mail Settings> Double-Opt-In for article ratings.

How am I able to display a privacy policy note for email notifications?

You can use this tutorial to insert a note into your theme. Before you do that, you should have the basic knowledge of making adjustments in the template. Tutorial - Making changes in the template

Snippet

In the file: /themes/Frontend/YourTheme/frontend/plugins/notification/index.tpl you have to add the following code. If the file does not exist in your theme, you have to create it manually.

 
{extends file="parent:frontend/plugins/notification/index.tpl"}
{block name='frontend_detail_index_notification_button'}
 
{$smarty.block.parent}
    <p>{s name="NotificationPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}</p>
{/block}
 

For displaying the adjustments in the frontend you must compile your theme.

This adjustment creates a new snippet NotificationPrivacy, which can also be edited in the backend. The link in the snippet refers to the standard shop page "Privacy". If you use your own shop page, the link must be adjusted.

Frontend after the Adjustment

Checkbox

You also can insert a checkbox. For that you have to add the following code in this file: /themes/Frontend/YourTheme/frontend/detail/comment/form.tpl

 
{extends file="parent:frontend/plugins/notification/index.tpl"}
{block name='frontend_detail_index_notification_button'}
{$smarty.block.parent}
	<p>
	    <input name="notification-checkbox" type="checkbox" id="notificationcheckbox" required="required" aria-required="true" value="1" class="chkbox is--required" />
	    <label for="notificationcheckbox" class="chklabel">{s name="NotificationPrivacy"}I have read the <a title="data protection information" href="{url controller=custom sCustom=29}">data protection information</a>{/s}</label>
	</p>
{/block}
 

Frontend after the adjustment

Tips and tricks

Under certain circumstances, it may not be necessary to collect individual personal data. If, for example, you do not want to save the customer's e-mail address, you can disable the Double-Opt-In procedure. You can set this options in the basic settings under Storefront> E-Mail Settings.