GDPR | User Manual

User Manual - GDPR

The Magento 2 GDPR extension allows Magento merchants to collect customer consents on registration, checkout, and other pages. The module also lets merchants provide customers with their right to access, copy, transfer, and erase personal data processed by the store and related third-party extensions. Customers can access, copy, and delete personal information in one click from their customer accounts, while the verification process gives merchants confidence in the eligibility of submitted requests.

Compatibility: Magento Open Source 2.3.X, Magento Commerce 2.3.X

 

 

Installing GDPR

Installing mPDF Library

Before generating customer information in PDF, you need to install the mPDF library by executing the following command at the command prompt:

composer require mpdf/mpdf

Command Line Installation

  1. Back up your web directory and store database
  2. Download the GDPR installation package
  3. Upload the contents of the GDPR installation package to your store root directory
  4. In the SSH console of your server, navigate to your store root folder:

cd path_to_the_store_root_folder

Run the following command:

php -f bin/magento module:enable Aheadworks_Gdpr

Then:

php -f bin/magento setup:upgrade

After that:

php -f bin/magento setup:static-content:deploy

  5. Flush the store cache; log out from the backend and log in again

Make sure the installation is done from the FTP administrator account. Otherwise, set 775 permissions on the store root directory after the extension is deployed.

Composer Installation

If you are installing an extension from Aheadworks for the first time, you need to add our composer repository to your Magento store:

     1. Log in to your SSH console and navigate to your store folder:

cd path_to_the_store_root_folder

Run the following command:

composer config repositories.aheadworks composer https://dist.aheadworks.com/

After the command has executed successfully, you can use Composer to install the products.

To install the extension:

     2. Log in to your SSH console and navigate to your store folder:

cd path_to_the_store_root_folder

     3. Run the following command to install the latest version of the extension:

composer require aheadworks/module-GDPR

If you need to install a specific version, run this command:

composer require aheadworks/module-GDPR:<version>

 

Specify the version of the extension in <version>

When prompted, enter Public Key (Username) and Private Key (Password):

Both Public Key (Username) and Private Key (Password) can be found in My Projects and Licenses in your personal account on our site:

     4. Enable the extension:

php -f bin/magento module:enable <Module_Name>

 

Add the product name in <Module_Name>

Next, register the extension:

bin/magento setup:upgrade

Recompile your Magento store if you are in the Production mode:

bin/magento setup:di:compile

To verify that the extension is enabled, run this command:

bin/magento module:status

Clean the store cache by running the following command:

bin/magento cache:clean

Log out of the backend and log in again.

     5. To update or upgrade the extension:

Download the updated extension file. Take note of the module-name and version. Export the contents to your Magento root.

If a composer package exists for the extension, run one of the following.

Update per module name:

composer update aheadworks/module-GDPR

Update per version:

composer require aheadworks/module-GDPR:<version>

Run the following commands to upgrade, deploy, and clean the cache.

php bin/magento setup:upgrade --keep-generated
php bin/magento setup:static-content:deploy
php bin/magento cache:clean

 

 

Uninstalling Magento 2 GDPR

Manual Removal

1. Disable the module by executing the following commands:

php bin/magento module:disable Aheadworks_Gdpr
php bin/magento setup:upgrade

2. Remove the extension files from the following folder:

app/code/Aheadworks/Gdpr

Automatic Removal (via Composer)

1. Uninstall the module by executing the following command:

php bin/magento module:uninstall Aheadworks_Gdpr

 

 

 

Introduction Magento 2 GDPR

Business Advantages

Employ the GDPR extension to collect customers' consent to the terms of your privacy policy. Ensure that customers have the right to access, copy, transfer, and erase their personal data in your store. This in turn will help establish your compliance with the main GDPR regulations.

The present extension brings forth the following features:

  • The dedicated functionality enables you to comply with most essential GDPR requirements, including the right of customers to access, copy, transfer, and delete their personal data;
  • Customers' consent with your privacy policy is collected on registration, checkout, and other pages;
  • Customers are able to request access to personal data from My Account in one click;
  • The implemented verification technique allows you to reduce fraudulent data requests;
  • The extension allows you to split up customers with and without consents and manage each group individually;
  • The extension API allows you to get and erase data from third-party apps.

What's New?

The latest version (1.1.0) of the extension allows the following:

  • REST API support

  • Automatic processing of requests to delete and receive data with administrator notification

  • Versioning of policy pages (with a ban on deleting and editing in some cases)

  • Binding a CMS page to consent

 

 

Magento 2 GDPR On Frontend

New Customer Consents

Customers who want to make their first purchase in a store provide their consent either on the Registration or Checkout pages.

To do so, on the Registration page, customers tick the dedicated checkbox.

The following issue was reported on Magento 2.4.1 and 2.3.6:

Given: The Customer creates a new account and inputs an incorrect value to a field on the form. For example, leaves First Name or Last Name empty, or does not give the GDPR consent.

Result: The Create an Account button becomes disabled and cannot be enabled.

Solution: Use the official Magento 2 patch to fix the issue.

On the Checkout page, customers provide their consent via the popup, which is displayed automatically on load of the page. The Customer clicks on the I Agree button to accept the privacy policy regulations, or I Disagree to do otherwise.

Customers cannot submit personal information without ticking the check box or clicking on the I Agree button. Customers' data is not recorded to databases until the consent is given.

Both the checkbox and popup also show a link to the privacy policy page.

In case the Customer wants to provide his/her consent at a later time and clicks the 'Ask me later...' link, he/she is taken to the home page of the store to continue shopping.

Integration with One Step Checkout

When the Magento 2 Smart One Step Checkout extension is installed on the store, the Checkout page displays the Privacy Policy consent checkbox instead of the popup. 

 

 

Developer Notes: Consent Popup Integration

Consent Popup Integration

By default, the consent popup works on native Magento checkout pages and on checkout pages created by the Smart One Step Checkout extension by Aheadworks. You can integrate it with any other checkout application the same way, by changing the route to it in etc/di.xml.

  • The popup for guest customers (by default available for native Magento and Smart One Step Checkout extension checkout pages):

<type name="Aheadworks\Gdpr\Block\Consent\GuestPopup\VisibilityResolver">
    <arguments>
        <argument name="routes" xsi:type="array">
            <item name="native_checkout" xsi:type="string">checkout/index</item>
            <item name="aw_osc" xsi:type="string">onestepcheckout/index</item>
        </argument>
    </arguments>
</type>

 

  • The popup for existing customers (appears on all pages, except for the customer/account/edit one):

<type name="Aheadworks\Gdpr\Block\Consent\CustomerPopup\VisibilityResolver">
    <arguments>
        <argument name="routes" xsi:type="array">
            <item name="all" xsi:type="string"></item>
        </argument>
        <argument name="deniedRoutes" xsi:type="array">
            <item name="customer_account" xsi:type="string">customer/account/edit</item>
        </argument>
    </arguments>
</type>

 

Existing Customer Consents

Existing customers may seem to have already provided their consents, but that is not necessarily so. The customer base may also include shoppers who registered before the extension was installed. Or, if the terms of your privacy policy have changed drastically, you may want to collect new consents to make sure that all your customers understand the amendments clearly. In this case, you can reset previous consents and collect them again.

Existing customers provide their consent at the moment they enter their accounts in your store. Immediately after signing into the store, they will see the same pop-up asking them to provide the consent.

Accessing and Erasing Data

Besides providing their consent, customers have the right to access, copy, transfer and delete their personal information. Customers do that in My Account in the Account Information section. The section contains two buttons: Delete My Account and Get My Data. As soon as the Customer clicks on one of the buttons, a verification email is sent to the Customer's inbox. The email prompts the Customer to confirm the request. Confirmed requests appear on the Backend.

 

 

On Backend - Magento 2 GDPR

Extension Settings

To configure the extension, go to Stores > Configuration > Aheadworks Extensions > GDPR. The page features two sections: General and Email Settings.

The following options are available in the General section:

  • Data Protection Policy Page - assign the privacy policy CMS page to be used as the destination of the Privacy Policy link displayed on the Registration page and Consent Confirmation popup
  • Enable automatic processing of data removal and data access requests - set to Yes to allow customers to delete their accounts without the involvement of the Admin; when set to No, the Admin has to manually send documents via email
  • Enable consent gathering on Contact Us form - set to Yes to provide the Contact Us form with a checkbox and text "I consent to the collection and processing of my personal data" holding the Privacy Policy link
  • Enable consent gathering on Newsletter subscription form - set to Yes to provide the Newsletter subscription form with a checkbox and text "I consent to the collection and processing of my personal data" holding the Privacy Policy link

When the value of the Data Protection Policy Page (DPP) is changed in Admin > Stores > Configuration > GDPR > "Data Protection Policy Page", go to Customers > Consent Relevance and click on the Reset Consent button to prompt registered customers to give consent to the privacy policy again. Changing the DPP page presumes changes in the privacy policy.

The following options are available in the Email Settings section:

  • Sender - the Store User to be the Sender of the request confirmation emails sent to customers
  • Removal Confirmation Email Template - the email template to be used for personal data removal requests
  • Data Access Confirmation Email Template - the email template to be used for personal data access requests
  • Enable admin notifications upon the events - select the requests for notifications to be sent to the Admin
  • Send admin notifications to - specify the Store User to receive the above notifications 
  • Data removal request email template - the template for the emails sent to the Admin on customers submitting data removal requests 
  • Data access request email template - the template for the emails sent to the Admin on customers submitting data access requests 

Privacy Policy CMS pages

To browse and manage the versions of your privacy policy (PP) regulations, go to Customers → GDPR by Aheadworks → Privacy Policy CMS pages. Tracking what PP and which version thereof the Customer agreed to is required by law.  

The grid comes with the following columns:

  • CMS page - the page containing your privacy policy regulations (active link to the Edit [Page Name] page)
  • Version - the version of the privacy policy
  • Store View - the store view to contain the cms page 
  • Created - the date when the page was set up as the privacy policy cms page
  • Actions - click on the View active link to open the Edit [Page Name] page

To set a page as a Privacy Policy page, go to Content → Pages and select/create a page. Make use of the Set up as Privacy Policy page toggle.

If the Set up as Privacy Policy page toggle is on, the Privacy Policy Version text field appears. The following is important when setting up the version of the PP:

  • The number is unique within a store view (e.g. the same set of rules in different languages is considered to be the same PP version).
  • If the version is not set, the extension does not track its uniqueness: there can be multiple PP assigned to the same store view without any version number.
  • The number can consist of letters, numbers, dots, commas, underscores and hyphens.

There can be only one active Privacy Policy page per store view.

On an attempt to set a CMS page as a PP page for the given store view, an error is displayed: “Can’t save privacy policy page with this version. Please specify another version that is unique for this store view.” Saving a PP page is not possible when there already exists a version for the same store view.

Same applies to the situation when there is already a page set for a whole website and the Admin wants to set the PP page for a store view within this website. In this case, for a given store view, the Admin needs to specify a new version.

 

Once a Privacy Policy CMS page is saved, its heading, version and content can no longer be deleted or edited, unless the page is set as Current in Store config. All other options (meta fields, layout, etc.) can be edited.

 

Privacy Policy CMS pages cannot be reverted to ordinary CMS pages.

The Admin can change Privacy Policy if need be and then track which Privacy Policy version customers agreed to. This eCommerce behaviour is required by the law.

To change the Privacy Policy, the Admin creates a new page and sets it up as the Privacy Policy page with a unique version. Privacy Policy versions cannot be changed after saving, so every new version requires a new page. Old PP pages are kept as read-only copies. At times, the Admin needs to reset the consents, if changes to the PP require it.

Data Access Requests

As soon as data access requests are verified by email they appear in the Data Access Requests grid for further processing by the Admin. Go to Customers > GDPR by Aheadworks > Data Access Requests to find the grid. 

The Data Access Requests grid includes the following columns:

  • Customer ID - ID of a customer;
  • Name - customer's name;
  • Email - customer's email;
  • Status - request status. Available options include: Pending, Processing, Completed, Canceled;
  • Created At - date and time of the request submission;
  • Resolved At - resolution date and time;
  • Actions - the column contains an active link, which allows Magento admins to change the status of a request or download customer information in the PDF (human-readable) and XML (machine-readable) file formats.

The above formats, in fact, are intended for different purposes and exercise two different GDPR rights. PDF allows customers to access their personal information, while XML allows customers to make data portable and transfer it to other solutions or applications.

In addition to the Actions column, request statuses can be changed in bulk using the Actions box.

Developer Notes: Data Export

Export of the Data Stored in Third-party Applications

  • Add the following code lines to the etc/di.xml file:

<type name="Aheadworks\Gdpr\Model\Service\CustomerDataCollector">
    <arguments>
        <argument name="dataCollectors" xsi:type="array">
            <item name="your_module_data" xsi:type="array">
                <item name="module" xsi:type="string">Vendor_YourModule</item>
                <item name="collector" xsi:type="string">Aheadworks\Gdpr\Model\Service\CustomerDataCollector\YourModuleDataCollector</item>
                <item name="position" xsi:type="number">150</item>
            </item>
        </argument>
    </arguments>
</type>
<virtualType name="Aheadworks\Gdpr\Model\Service\CustomerDataCollector\YourModuleDataCollector" type="Aheadworks\Gdpr\Model\Service\CustomerDataCollector\DataCollector">
    <arguments>
        <argument name="title" xsi:type="string">Your Module Information</argument>
        <argument name="dataProcessor" xsi:type="string">Vendor\YourModule\Model\YourModuleDataProcessor</argument>
    </arguments>
</virtualType>

  • And create the data processing Vendor\YourModule\Model\YourModuleDataProcessor.php file as follows:

<?php
namespace Vendor\YourModule\Model;

use Aheadworks\Gdpr\Model\Service\CustomerDataCollector\DataProcessorInterface;
use Magento\Customer\Api\Data\CustomerInterface;

/**
 * Class YourModuleDataProcessor
 * @package Vendor\YourModule\Model
 */
class YourModuleDataProcessor implements DataProcessorInterface
{
    /**
     * Get your module data
     *
     * @param CustomerInterface $customer
     * @param int|null $storeId
     * @return array
     */
    public function getData($customer, $storeId)
    {
        return [
            'test' => 'Message',
            'items' => [
                'item_1' => 'Item 1',
                'item_2' => 'Item 2',
                'item_3' => 'Item 3',
            ]
        ];
    }
}
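
A processor that returns real records has to be scoped to the customer who made the request. The following is an added example, not code from the extension: it uses the getData() signature shown above, reads from a hypothetical vendor_yourmodule_entry table with hypothetical columns, and keeps the array shape of the sample (string values only).

```php
<?php
// Added example, not Aheadworks code. The table vendor_yourmodule_entry and
// its columns (customer_id, store_id, created_at, nickname, phone) are
// hypothetical; the interface and getData() signature come from the manual.
namespace Vendor\YourModule\Model;

use Aheadworks\Gdpr\Model\Service\CustomerDataCollector\DataProcessorInterface;
use Magento\Customer\Api\Data\CustomerInterface;
use Magento\Framework\App\ResourceConnection;

class YourModuleDataProcessor implements DataProcessorInterface
{
    /** Hypothetical table holding this module's per-customer records */
    const TABLE = 'vendor_yourmodule_entry';

    /** Only these columns are exported; internal fields stay out of the file */
    const EXPORTED_COLUMNS = ['created_at', 'nickname', 'phone'];

    /** @var ResourceConnection */
    private $resource;

    public function __construct(ResourceConnection $resource)
    {
        $this->resource = $resource;
    }

    /**
     * Collect this module's records for exactly one customer
     *
     * @param CustomerInterface $customer
     * @param int|null $storeId
     * @return array
     */
    public function getData($customer, $storeId)
    {
        $customerId = (int)$customer->getId();
        if ($customerId <= 0) {
            return []; // never run a query that is not scoped to a customer
        }

        $connection = $this->resource->getConnection();
        $select = $connection->select()
            ->from($this->resource->getTableName(self::TABLE), self::EXPORTED_COLUMNS)
            ->where('customer_id = ?', $customerId); // bound parameter
        if ($storeId !== null) {
            $select->where('store_id = ?', (int)$storeId);
        }

        $items = [];
        foreach ($connection->fetchAll($select) as $i => $row) {
            // Flatten each row to one string, matching the sample's shape
            $pairs = [];
            foreach ($row as $column => $value) {
                $pairs[] = $column . ': ' . $value;
            }
            $items['entry_' . ($i + 1)] = implode('; ', $pairs);
        }

        return ['entries' => (string)count($items), 'items' => $items];
    }
}
```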

Removal Requests

In the same way, customers may ask to delete their own personal information. These requests are collected in the Removal Requests grid located under Customers > GDPR by Aheadworks > Removal Requests. The grid has exactly the same columns as the previous one. The only difference is that the Actions column in this grid only allows Magento admins to manage request statuses. The same actions can be performed in bulk from the Actions box above the grid.

Once the customer's data removal request has been approved, his/her personal data is erased from the store. The data includes the customer's ID, Name, and Email.

Consent Relevance

On receipt of a request to delete the data of the Customer, the Admin refers to the Consent Relevance page. The Consent Relevance grid contains a list of all customers, including the guest ones. The grid allows the Admin to anonymize customer data in one click. Additionally, on this page, the Admin can track and manage the consent statuses of the customers. 

The Consent Relevance grid is located in Customers > GDPR by Aheadworks > Consent Relevance. The grid contains the following columns:

  • Customer ID, Name, Email - the ID, name and email of the customer
  • Website - the store-view where the Customer clicked to agree to the privacy policy rules
  • Latest Consent Date - the date and time of the latest consent as signed by the Customer
  • Relevant Consent - the status of the consent considered to be relevant or not. Includes two options: Yes and No
  • Actions - click on the Select selector and apply the Erase Customer action to erase the personal data of the Customer.

The customer whose data is erased gets anonymized. This means that his/her personal data in the grid is now hidden behind asterisks in the ID, Name, and Email columns, correspondingly. However, his/her orders remain recorded in the store's database, though marked as guest-orders. These orders can be stored for a period determined by a local law.

To anonymize customer data in bulk, the Admin can use the Actions box above the grid in addition to the Actions column.

Note that in M2 GDPR version 1.1.0 customers' data are not displayed in the Consent Relevance grid in the following cases:

  1. Guest-customers leave their consent either via the Newsletter or Contact Us form.
  2. A customer is registered, but there is no record about his/her consent in the system. As a guest, the registered customer subscribes to the newsletter, or creates a ticket via the Contact Us form, or creates an order and gives his consent. 

The Consent Relevance page also includes the Reset Consent button, which resets all eligible consent statuses to 'No'. This is the case when the Admin may need to collect consents once again. If all the consents are reset, all the customers have to provide their consents once again.

Developer Notes: Data Deleting

Deleting data from Third-party Applications

If the data in the third-party application is connected to the Magento customer table by a foreign key, you don't need to do anything at all, as the data is going to be deleted automatically (recommended). Otherwise, you need to add your own "eraser" using the etc/di.xml file. The eraser should implement the Aheadworks\Gdpr\Model\Service\CustomerDataEraser\DataEraserInterface interface:

<type name="Aheadworks\Gdpr\Model\Service\CustomerDataEraser">
    <arguments>
        <argument name="dataErasers" xsi:type="array">
            <item name="Vendor_YourModule" xsi:type="string">Vendor\YourModule\Model\YourModuleEraser</item>
        </argument>
    </arguments>
</type>

You can also use the following events:

"aw_gdpr_customer_data_delete_before", params: customer_id
"aw_gdpr_guest_data_delete_after", params: customer_id
"aw_gdpr_guest_data_delete_before", params: email, store_ids
"aw_gdpr_guest_data_delete_after", params: email, store_ids
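
An observer for the aw_gdpr_customer_data_delete_before event listed above, given as an added example rather than code from the extension. The class Vendor\YourModule\Observer\EraseCustomerData, the vendor_yourmodule_entry table and its customer_id column are hypothetical; the Magento classes used are standard framework APIs.

```php
<?php
// Added example, not Aheadworks code. Vendor\YourModule, the table
// vendor_yourmodule_entry and its customer_id column are hypothetical.
//
// Register the observer in Vendor/YourModule/etc/events.xml:
//   <event name="aw_gdpr_customer_data_delete_before">
//       <observer name="vendor_yourmodule_gdpr_erase"
//                 instance="Vendor\YourModule\Observer\EraseCustomerData"/>
//   </event>
namespace Vendor\YourModule\Observer;

use Magento\Framework\App\ResourceConnection;
use Magento\Framework\Event\Observer;
use Magento\Framework\Event\ObserverInterface;
use Psr\Log\LoggerInterface;

class EraseCustomerData implements ObserverInterface
{
    /** Hypothetical table holding this module's per-customer records */
    const TABLE = 'vendor_yourmodule_entry';

    /** @var ResourceConnection */
    private $resource;

    /** @var LoggerInterface */
    private $logger;

    public function __construct(ResourceConnection $resource, LoggerInterface $logger)
    {
        $this->resource = $resource;
        $this->logger = $logger;
    }

    /**
     * Delete this module's rows for the customer being erased
     *
     * @param Observer $observer
     * @return void
     */
    public function execute(Observer $observer)
    {
        // The manual lists customer_id as the only parameter of this event.
        $customerId = (int)$observer->getEvent()->getData('customer_id');
        if ($customerId <= 0) {
            // Refuse to run a DELETE that is not scoped to one customer.
            $this->logger->warning('GDPR erase skipped: no customer_id in event');
            return;
        }

        $connection = $this->resource->getConnection();
        $table = $this->resource->getTableName(self::TABLE);

        // Bound parameter keeps the delete limited to exactly this customer.
        $deleted = $connection->delete($table, ['customer_id = ?' => $customerId]);

        // Audit record without personal data: table and row count only.
        $this->logger->info(
            'GDPR erase completed',
            ['table' => self::TABLE, 'rows' => $deleted]
        );
    }
}
```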

 
