General Data Protection Regulation (GDPR)

On May 25, 2018, the European data protection basic regulation (GDPR) came into force and replaced national regulations. The GDPR applies to all companies and institutions operating in the in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. for example, names, addresses, bank details and birthdays are covered by the GDPR. The unifying regulation within the EU aims to give control to individuals over their personal data making it more transparent. In addition, it aims to extend the protection of such personal data. This should simplify the processing of personal data for international companies. This wiki article should give you a short summary about the processing of personal data in Shopware 6, so that it's easier to create the necessary documentation (e.g. the directory of processing activities or short DPA) or the privacy policy for a Shopware instance. Since the implementation of the GDPR varies from company to company, you should always consult your legal advisor when implementing it into your store to ensure that all requirements are met. You can get a general overview of the contents of the GDPR in our whitepaper.

What personal data is processed and stored in Shopware 6?

Here we would like to show you which personal data is processed directly in Shopware 6. As an eCommerce system, it is of course absolutely necessary to process customer data in order to record delivery addresses, for example. It's important to note that not only the software itself is involved in the processing, but also the hardware behind it. Since the setup of your hoster is highly individual, you should clarify with your hoster to what extent the communication takes place there (e.g. with a disjointed database server, where the application communicates with the database over a network). We will only focus on the software-sided processing of this data in Shopware 6.

This is intentionally kept very general for now. Shopware 6 itself stores a wide variety of data, which either have a direct reference (= personal) or no direct reference (= anonymized) to the user. Anonymized data is not personal data and does not fall under the GDPR, so no special measures need to be taken.

Pseudonymized data, which can be assigned to a person e.g. by means of a code number (e.g. bank details, a customer number or an order number) are again personal data, even if it is not instantly recognizable who the person is.

Personal data is always required when Shopware 6 accepts a customer input or when the store operator has to work with this data. This can be the registration or review function in the front end, but also the processing of orders through the back end. Of course personal data can also be retrieved over the RestAPI with authorization. In addition, anonymized data is also collected in order to be able to play out article recommendations ("customers also bought", "customers also looked at",  ...) and statistics in the backend. Since you can easily lose track of the countless functions of Shopware 6, we hereby list the data that is stored in Shopware.

This list may be incomplete. Plugins are able to extend the data storage and Shopware 6 extensively. You must evaluate whether you process further personal data individually in your Shop!

The European Commission defines personal data as:
  
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
  
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR.

Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.

The GDPR protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

Customer data

The customer can setup a customer account in order to use more functions than just placing a order. This contains, among other things, the address , but also other personal information, depending on what you have configured in your settings. It's possible to request the date of birth, as well as the company name. Here you should specifically check the registration of your store to get an overview of the data you collect from the customer. In the database of Shopware 6 all tables containing customer data start with the abbreviation "customer*". But you can also view this data in the admin, by opening the respective customer under Customers > Overview.

Orders

The heart of every online store is of course the checkout. To place an order in Shopware, has the option to register a customer account, or to continue without one. In both ways the customer will hand out the billing information. All this information is being stored combined in the order. In addition, the products that the customer purchases in your store and the customer's IP address are stored. In addition, the referrer - the source through which the customer reached your store - is also stored. You can view all relevant information in the admin under Orders > Overview and in the database in the tables with the abbreviation "order*"

IP addresses

As mentioned above, IP addresses are stored for individual orders. In addition, you will find a list of areas where an IP address is stored in this document: Which IP addresses are stored?

Newsletter

Like many other systems, Shopware 6 offers a newsletter registration function. Here, for example, the form can be found in the footer of the store or in the user account of the customer. A documentation of the newsletter and which data is collected here can be found here: Newsletter

All information that the customer deposits in the frontend can be found in the Shopware Admin in the area "Marketing > Newsletter Recipients. In the database the table newsletter_recipient is used to store the data.

Forms

The forms in Shopware 6 send an e-mail, with the data entered by customers, to the address stored in the shopping experiences for the form. In the standard system, the form of address, name and surname, as well as the e-mail address and telephone number are requested here.

Reviews

On the article detail page Shopware provides the possibility to give a product review. A review can only be submitted when the customer is logged in, and is therefore linked to the customer account. You can view, delete or release the given reviews in the backend under Catalogs > Reviews. Here you can find a documentation about the rating function in Shopware: Reviews

Shopware Admin

The admin interface is special this area. Here you can not only view and create customer records, but also administration users, which are linked to an e-mail address. So the admin does not only process the data of the customers in your store, but also to a certain extent the data of your employees. You can configure the user management of the backend under Settings > User Management. There is also the possibility to restrict individual areas of the admin or to allow read-only access. A documentation about rights and roles in the admin can be found here: User administration 

API

If you have connected further systems, such as an ERP, it will communicate with the store. This happens either through an installed plugin or the API. The users of the API are usually created in the administration. Here you will find a list of data that you can get using the Rest-API: API

What information is transmitted encrypted?

The encrypted transmission of data is usually done using the HTTPs protocol. To use this in your store, you first need a valid SSL certificate, which has to be installed on your server. Afterwards you can use the SSL encryption for your store by assigning an HTTPS domain to the sales channel. 
Here you have to differentiate between encrypted data transfer and encrypted storage. We generally recommend to operate the store using HTTPs, so that all personal data is transmitted encrypted over HTTPs. The storage of this data is then done in the respective database tables. The data itself is only encrypted if this is necessary, e.g. the user password.

What information is stored in the user's browser?

Whether or not the setting of cookies, which are not technically necessary for the operation of the store, requires an opt-in is a matter of dispute between lawyers. We recommend implementing at least one of the established solutions for data protection information on cookies. You can find more information about this at www.cookiechoices.org; please consult your legal advisor.

Shopware itself provides the possibility to activate the cookie hint by default.

Cookies (Session, CSRF)

Shopware stores cookies in the visitor's browser to ensure the basic functions of the store. The cookies are used, for example, to determine the contents of the shopping cart, the login status and also the CSRF protection. Without having enabled cookies in the browser, Shopware cannot be used. IMPORTANT: Shopware always stores only IDs in the customer's browser, the assignment to the respective information is done in the application area.

Session

Based on the session cookie, Shopware decides whether the respective user has an active shopping cart and whether the user is logged in. It serves as identification between browser and server. No further information except the session ID is stored in the browser. The handling of sessions is controlled by PHP on the server side and can be viewed independently of Shopware.

CSRF

On top of that, Shopware generates an individual CSRF cookie when the customer visits the store, so that the customer can access the individual areas of the store. Here you can find information about CSRF protection: CSRF-Protection

Timezone

A fixed time is set in the database, which is converted according to the user's time zone with the help of the time zone cookie. This means that the user is always shown the correct time. The cookie is set for both frontend and admin functions.

Which IP addresses are stored?

IP addresses are stored in the Shopware by default. This serves for the unique identification of the user in the store. Shopware stores the IP addresses by default in four places.

order_customer

In every order the IP address of the customer is stored. By default this is not displayed or used in the admin. It's stored in the database table order_customer.

customer

The IP address of the last order is stored in the customer table. By default this is not displayed or used in the admin.

log_entry

In the table log_entry all activities of backend users are stored. With the help of this table it is possible to track when changes have been made, for example. You can then assign them to a person based on their IP address.

version_commit_data

The database table version_commit_data stores data about the current usage. Here, for example, necessary data is stored that is needed while an order is being processed. The IP address of visitors and customers is also stored here.

How can I integrate the privacy policy into my store?

The GDPR requires a privacy policy for the websites as well. Therefore, information must now be provided on the legal basis on which it is based, as well as on whether it is required for the conclusion of a contract or whether there is any other obligation to provide the information. It is necessary that you inform customers in the privacy policy how you deal with their personal data. The data privacy policy can, for example, be an shopping experience page that you link to a relevant area of your store. It is important that you provide this information "when personal data is collected". Therefore, the privacy policy should regularly be accessible with just one click. By default there is a shopping experience page called privacy, which is already linked at the necessary places like in the checkout or in forms. Under Settings-> Shop > Basic information YOU can also select your own shopping experience page.
Here you can find the documentation for the shopping experience in Shopware: Shopping experience 

We would like to point out that the sanctions for non-compliance with these information obligations are severe. In the absence of a privacy policy, the processing is usually illegal. Furthermore, fines can be imposed, damages or a claim for injunction can be asserted if the information duties are fulfilled incorrectly. In addition, consumer protection associations as well as data protection associations can take action against a website operator without a privacy policy. Finally, competitors may threaten with a formal warning notice.

What personal data is transferred by Shopware to third parties?

By default, Shopware does not transfer information to third parties. Extensions can of course change this. For example, if you use PayPal in your store, data from the store (the delivery address, the order amount and the shopping cart) will be transferred to PayPal. There are of course many other service providers that process data from Shopware, if you use such an extension in your store. Prominent examples are payment providers, ERP systems and also newsletter service providers. To find out which data is transferred to third parties, please ask the manufacturer of the respective extension.

Shopware 6 provides a Cookie Consent Manager that includes all default cookies used in the Shopware. In addition, the cookies used by Shopware plugins are also added as soon as a corresponding plugin is used.

The Consent Manager is programmed in such a way that you can also integrate cookies from your own plugins. A more detailed explanation can be found in the developer documentation.

FAQ

How can the user subsequently change his cookie settings? In the service menu or footer menu, you can provide the user with a link. To do this, create another category that you can display in the service or footer menu. You can find a detailed description of how to add the new category to your footer or service menu here.
Select Link as the category type for the new category and External for the link type under Customisable Link. Enter the following in the Link destination area:


/cookie/offcanvas

Afterwards, the Cookie Consent Manager can be opened again at any time via this link in the footer or service menu.

How can I have personal data output in a structured way?

Import/Export

The GDPR stipulates that a customer is provided with structured data concerning him/her by the store operator upon request. For this purpose Shopware offers the import/export function which allows you to export all relevant data of a customer. Please note that depending on the registration of the customer (quick order or customer account) more than one customer account may exist. A documentation about the export options (CSV and XML) can be found here: Import / Export

Database

The database also offers the possibility of outputting information about a customer by using an SQL-Query. All customer-specific data is located in the tables that begin with customer*.

How can I delete all personal data from my store?

All data defined in this document can usually be deleted comfortably through the Shopware Admin. If a customer wants you to delete all personal data, you can delete this data by using the customer module in the admin. The respective links are automatically removed. You can also remove the recipient from the recipient list using the newsletter module. Shopware offers the possibility to remove all personal data through the admin on customer request. Whether and when you are obliged to delete customer data is a legal question that you should clarify with your legal counsel. Unfortunately, it is not possible to make general statements about this.

FAQ

To what extent is Shopware prepared for the new GDPR?

For some time now, we at Shopware have been working with the well-known certification bodies to ensure that the system meets the requirements of the GDPR. In the process, it has turned out that, according to our current state of knowledge, Shopware provides store operators with the functions they need to make the necessary settings required by the rules of the GDPR. For example, Shopware already provides all necessary tools in the regular end-user documentation, e.g. also to remove personal data from the system, which is a core requirement of the new basic data protection regulation. A special plugin/update is not planned with regard to the GDPR.

Are corresponding functions automatically imported with SW updates?

Should the need arise to adapt our software, we will of course provide an appropriate adaptation per update.

How can I refer to the privacy policy in the registration?

In the registration of new customers, the text module general.privacyNotice refers to the privacy policy. In the standard version, this text block links to the store page privacy that's located in the shopping experience.

How can I refer to the privacy policy in the forms?

When you create forms that ask for customer data, a checkbox is automatically added that refers to the privacy policy.

The Footer Navigation shows the categories you select in the sales channel configuration for this purpose.
Under Catalogs > Categories you can add a sub category below the category you have chosen as entry point for the footer navigation. Below that, you add another sub category and name it Privacy, for example.

In the category configuration of the category Privacy you then select the layout Privacy from the Shopping experience in the Layout assignment section. If you now activate the Privacy category and all categories above this category, the menu item Privacy will be displayed in the footer menu. 

What happens to shopping baskets from abandoned orders?

Shopware saves the shopping baskets of shop visitors for later recovery. This includes the shopping baskets of guest orderers / visitors as well as the saved shopping baskets of shop customers. Most of these are removed by the completion of the order process, but abandoned shopping baskets remain. Shopware deletes these at regular intervals. By default, all shopping baskets older than 120 days are removed. 

You can adjust this period. To do this, create the file shopware.yaml in the config/packages/ directory. With this content you can define after how many days a saved shopping cart should be deleted:


shopware:
  cart:
    expire_days: 1

Please note that this setting will of course also change the time, where restoring the saved shopping carts of your registered customers is possible.

Was this article helpful?