My Cart

GDPR 1.0 Guarantees Straightforward Customer Personal Data Management in Compliance with the Main GDPR Regulations

As we all know, GDPR came into force on May 28, 2018, and now, it affects a lot of ecommerce businesses in Europe and abroad.

GDPR 1.0 Guarantees Straightforward Customer Personal Data Management in Compliance with the Main GDPR Regulations

In this light, many entrepreneurs are interested in some solutions that would allow them to follow the regulation terms and provide customers with all the rights they can require.

And today, Magento 2 merchants have a great chance to effectively shape their business in general and manage user privacy policy in particular according to GDPR regulations with our brand new extension.

Welcome! GDPR 1.0 for Magento 2 is released!

GDPR for Magento 2

The GDPR module collects customer consents to process their personal data and allows you to stay compliant with the most essential GDPR regulations, including the right to access, copy, change, transfer, and erase customer personal data effectively.

What makes it different

  • Be compliant with the main GDPR regulations by allowing customers to access, copy, change, transfer, and delete their personal information;

  • Collect data consents on registration, checkout, and other website pages;

  • Allow customers to send data access, transfer, and deletion requests right from their personal accounts;

  • Verify customers by email in order to avoid frauds;

  • Track customer statuses on the backend;

  • Use the extension API to get and delete data from third-party solutions.

GDPR Backend Configuration and Management

General Settings

The configuration of the extension is extremely simple and straightforward. In fact, it includes only four setting options.

The General section of the configuration page allows you to specify the CMS page that should be used as Data Protection Policy Page. And, the Email Settings section makes it possible to configure the notification system used by the extension.

General Settings

General Settings

  • Sender - the contact to be used as a sender for outgoing emails;

  • Removal Confirmation Email Template - an email template to be used as a confirmation of data removal requests sent to customers;

  • Data Access Confirmation Template - an email template to be used as a confirmation of data access requests sent to customers.

That’s it. Now, we can proceed to other backend sections.

Data Access Requests

The right to access own personal data is a basic right declared by GDPR, and using the extension, customers can easily ask Magento admins to send them full and detailed information related to them personally in Magento or other CRM or/and ERP systems that use and process their data.

For customers, the process is absolutely simple and takes only one button click in their accounts and a short verification procedure by email.

All verified requests appear in the Data Access Request grid.

Data Access Requests grid (truncated)

Data Access Requests grid (truncated)

As we can see, the grid comprises the following columns:

  • Name - name of the customer;

  • Email - customer’s email;

  • Status - request status (pending, processing, completed, canceled).

  • Web Site - the website a request was submitted to;

  • Created At - date and time of the request;

  • Resolved at - date and time when the request was resolved;

  • Actions - the column allows changing request status and download data in two formats - PDF and XML.

Note: The PDF format (human-readable format) is provided in order to exercise the right to access the information, while the XML format allows customers to send data to other applications (the right to transfer data).

The mass-action drop-down allows customers to change request statuses massively.

Removal Requests

The process of request removal is absolutely the same, except that customers need to click the Delete My Account button on the frontend.

The Removal Requests grid (Customers > GDPR > Removal Requests) collects verified removal inquiries and allows you to track and respond to them in a timely manner. The grid contains absolutely the same columns as the Data Access Requests grid. The difference is that the Actions column and the mass-action drop-down are limited by the status management functionality.

Removal Requests grid (truncated)

Removal Requests grid (truncated)

This way, both sections allow you to track data access and data removal requests and process them early and swiftly. But what if your privacy policy changes drastically, and you want to be sure that you use and process the personal data of customers aware of the latest amendments? The Consent Relevance section allows you to be sure that your customers gave their consent in regard to the new terms of your privacy policy.

Consent Relevance

The Consent Relevance grid (Customers > GDPR by Aheadworks > Consent Relevance) made for this very purpose contains the following columns:

  • Name, Email, Web Site - the same columns described above;

  • Latest Consent Date - date and time when the consent was received;

  • Relevant Consent - the status of a consent either relevant or not to the latest privacy policy terms;

  • Actions - allows you to erase the customers who do not agree with the latest policy terms, if necessary.

Consent Relevance grid (truncated)

Consent Relevance grid (truncated)

Moreover, the Reset Consent button above the grid allows you to change the statuses of consents to become not relevant to the latest policy terms.

Imagine the situation when you change the privacy policy terms, so all the previously received consents are not relevant anymore. In this case, you press the Reset Consent button, choose the website for the operation, and, this way, change the statuses of all consents to ‘No’.

From now on, all the consequent consents of existing users will be considered as relevant to the latest version of the policy and will be set as ‘Yes” in the Relevant Consent column. Then, you will be able to track customers with different statuses and delete the ones with no consents, if necessary, by using the Erase Customer action. That’s how it works.

Frontend Functionality

Consent Collecting

On the frontend, all new customers should provide their consent to the privacy policy terms either on registration or checkout pages.

The module doesn’t allow customers to register until they check the “I consent to the…” checkbox as soon as it is mandatory to complete the registration process.

Guest customers also have to confirm their agreement with the policy terms as soon as they proceed to checkout page. In this case, a confirmation popup appears asking customers either to agree with the policy, disagree, or postpone the process.

If a customer agrees, he/she can proceed straight to the checkout. In case of postponement, the customer will be redirected to the website homepage, but in case of rejection, the module notifies him/her that further order processing is impossible until the consent is provided. That way, the module allows only customers with consents to shop and, this way, prevents any personal data acceptance without proper compliance.

In addition to new customers, GDPR also enables you to collect consents from existing customers as well. It can be necessary for the customers who purchased either before the extension installation or if you want to collect consents repeatedly due to privacy policy changes.

Anyway, in case existing сustomers with no consents sign into a Magento store, the module shows them a popup asking to either accept the privacy policy terms or provide their explicit disagreement. Otherwise, they won’t be able to enter personal accounts in your store.

Personal Data Access and Erasure

As we have already mentioned, the extension allows customers to demand access to their personal data stored and processed by store owners and even ask to delete it, if necessary.

The process is very simple. Customers just need to enter the Account Information section in their customer accounts and click either the Delete My Account or Get My Data buttons. As soon as the button is pressed, the module sends verification emails to customers in order to avoid fraud requests.

Data Request Options in Customer Account

Data Request Options in Customer Account

After the request is verified, it appears on the backend and is further processed by Magento admins.


So, the GDPR extension for Magento 2 offers you an effective way and dedicated workflow to collect customer consents to your privacy policy and allows shoppers to access, transfer, copy and delete their personal information stored and processed in your store or any other connected third-party systems and applications.

The module is currently good and ready to be reviewed and purchased in our store. For more information and better idea of the extension, please follow the provided user guide and visit the extension demo stores.