aGDPR

Configuration

After the module has been installed you need to configure it:
1. Enable the extension. (Fig. 1)
2. Add a link to GDPR page to front-end.
3. Set order expiration. GDPR requires to erase personal data as soon as you don’t need them anymore for purposes they were collected. Specify the period in days, after an order has been placed, during which you will need customers’ personal data for purposes related to an order processing (or other purposes in case you are using another legal basis to process personal data). The system rejects requests to data erasure (consent withdrawal) if the specified period of days have not passed since the order has been placed.

Settings tab
Figure 1. Settings tab

4. Enable terms tracking. (Fig. 2)

Consent tab
Figure 2. Consent tab

5. Set GDPR request expiration (optional). (Fig. 3) This setting defines the period during which customer should authorize GDPR request
6. Set GDPR requests handling mode. Choose between ‘Auto’ and ‘Manual’ modes. In ‘Auto’ mode system handles request without your intervention – fulfills or rejects requests depending on settings. In ‘Manual’ mode, after the request has been authorized by the customer, you need to approve it or reject manually from ‘Request > Requests Log’ tab.
7. Configure setting ‘Reject if active’ – whether a request should be rejected if a customer has an unprocessed order or active subscription.
8. Configure setting ‘Anonymize order’ – whether to anonymize personal data in orders related to a customer on GDPR request fulfillment (data erasure, consent withdrawal, data processing restriction).
9. Configure setting ‘Regard order expiration’ – whether to reject a request if a customer has an unexpired order (see ‘Settings > Order Expiration’ setting).

Request settings tab
Figure 3. Request settings tab

10. Configure email templates which are sent in response to GDPR requests at ‘Requests > Email Templates’ tab (optionally) (Fig. 4)

Request templates tab
Figure 4. Request templates tab

11. Enable and configure Cookie Consent Widget (optionally) (Fig. 5)

Cookie Consent Tab
Figure 5. Cookie Consent tab

12. Run GDPR Audit to check if everything is OK (optionally) (Fig. 6)

GDPR Audit tab
Figure 6. GDPR Audit tab

GDPR Requests

In order, customers can exercise their rights granted by GDPR, the extension creates a dedicated front-end page (Fig. 7).

GDPR page
Figure 7. GDPR page

After a customer issues a request an email with authorization code is sent to his or her email address. Following a link from an authorization email, a customer goes to the dedicated confirmation page, where depending on configuration, his or her request is fulfilled or is put into the queue for manual approvement (Fig. 8).
The list of all GDPR requests can be seen at ‘Requests > Requests Log’ tab (admin area). This tab also provides the request manual management feature.

GDPR requests list
Figure 8. GDPR requests list

GDPR Audit Toolkit

GDPR Audit Toolkit scans the system for GDPR infringements and summarizes them in the list (Fig. 9).

GDPR Audit list
Figure 9. GDPR Audit list

The most common infringements are storing personal data after you don’t need it (‘purpose limitation’ principle infringement) and processing data without lawful basis (‘lawfulness’ principle infringement). Each audit record has ‘Action’ section where you have an option to erase/anonymize unlawfully processing data or ignore the record. Also, Toolkit provides you with the ability to make infringement fixes in a bulk with such feature as (Fig. 10):
Remove missing orders – when a customer confirms order the OpenCart creates the order with status ‘Missing Order’ and if the customer does not process this order it hangs in your system. In this case, data processing will be unlawful since you collected personal data solely for order processing purpose. You may run this feature to remove all missing orders older than 1 hour. If customer consented to Account Terms, his or her orders will be left intact since there is another lawful basis for process personal data (consent)
Anonymize expired orders – storing personal data longer than it needed for purposes they were collected – is GDPR infringement (‘storage limitation’ principle). Run this feature to anonymize personal data in such orders. ‘Settings > Order Expiration’ setting affects feature behavior.
Anonymize orders without acceptance – anonymizes all the orders placed without consenting to Checkout Terms

GDPR Audit toolkit
Figure 10. GDPR Audit toolkit

Read about GDPR basics
Buy from OpenCart marketplace