Data Protection and GDPR with Pimcore
GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. The EU’s new General Data Protection Regulation (GDPR) takes effect on May 25, 2018. Why does this affect Pimcore and Pimcore-based solutions? Content and customer experience management solutions, such as Pimcore, play an essential role in delivering contextually relevant and personalized digital experiences. Such solutions need to track, store and process visitors' personal and behavioral data and therefore may be affected by this new regulation.
As Pimcore is a framework for delivering personalized experiences and not an out-of-the-box solution, the client, company, agency or software integrator implementing Pimcore must be aware of the GDPR and its consequences. As such, Pimcore does not give any consultation or legal advice, but provides convenient tools to help achieve GDPR compliance.
Which data is affected?
The GDPR defines personal data as any information relating to an identified or identifiable person. In short, this is any data that can help directly or indirectly identify a person. Names, identification numbers, email addresses, location data, IP/MAC addresses or other network identifiers are all examples of personal data that can directly identify a person. Online orders, behavioral data and so on can indirectly identify a person.
Pimcore provides various tools to stay GDPR compliant. You can find them below.
1. Restriction of access to data
Restriction of data access is achieved with Pimcore's extensive permission system. It allows restricting who can access, change and delete information based on user and role levels. For details, have a look at our documentation about users and roles.
Another handy tool, the Permission Analyser, allows analyzing the actual permissions of a Pimcore user for a certain data element.
2. Right of access to data
For searching and exporting data related to a person, Pimcore provides the new GDPR Data Extractor tool, which is available with our latest build (December 5, 2017). Features included:
- Search for data related to a person, based on first name, last name, and e-mail
- Show a list of all data including additional details
- Export all data as JSON
- Delete personal data directly from the result list
For more information concerning configuration, see the GDPR Data Extractor Development Docs.
3. Right to rectification & right to erasure
Pimcore supports the paradigm of single-source publishing and delivering data to various output channels. All information and data are stored in one single place and reused in the channels where they are needed. Because of this paradigm, rectification of data is made very easy since it only needs to be done in one place. Once updated and published, the information is propagated to all places where it is used and Pimcore takes care of the rest.
Pimcore's single-source publishing also plays a vital role in the erasure of information. Once a data element (e.g. data object) is deleted, Pimcore automatically cleans up all related data (e.g. versions, etc.) and updates the data in all places where it was used.
- [GDPR] Data extractor now also exports notes & events
- [GDPR] New datatype to store consent of users to marketing direct mailing
- [GDPR] Cookie to disable Targeting Engine Profiling
- [GDPR] YouTube integration uses the no-cookie option by default
- [GDPR] Backend usage log only stored for 7 days
- [GDPR] Store last login date of user, to make cleanup routines possible