Right to access

GDPR stipulates that a user has the right to request access to, and be informed about, their personal data that is collected by your site. To help your organization get ready to meet these GDPR principles and rights, WebSphere Commerce provides your organization with SQL statements that can be used to retrieve the personal data that is collected about the users.

Accessing site and internal user personal information

When a shopper or other user for your site wants to learn about the data that your site collected about that user, the user can submit a request to your organization's Data Protection Officer (DPO). Your organization is responsible for creating the request submission process that your site and internal users must use to submit data access and erasure requests. WebSphere Commerce does not provide any process for creating or receiving these requests.

After the request is received, your Data Protection Officer can use SQL to retrieve the data that is collected about the user. The Data Protection Officer can then provide a copy of the data to the user that requested the information.

The Data Protection Officer may need to request some personal data from the user to verify the user's identity and to retrieve the user's data from the database. The following identifying information is typically needed to retrieve the user's personal data records:
  • Logon ID (USERS_ID or MEMBER_ID)
With this ID, the SQL for retrieving user personal data can be constructed and used. For more information about the SQL for accessing user data, see SQLs for retrieving user personal data.

For more information about the personal data that WebSphere Commerce can collect, see Data collection. To collect some types of data, a user must provide consent and store functions need to be enabled.

Data portability

After your Data Protection Officer retrieves the personal data for a user, a copy of the data should be provided to the user in a commonly used and machine-readable format. Provide that data to the user over a secure method of communication.

As part of the EU GDPR, users of your site have a right to data portability. To help meet the requirements to support this right for your users, you are responsible for making sure that your site has processes in place to provide a user with details about the data that you collect about the user, and any processing of that data.

Your organization is responsible for developing the communication process to provide the retrieved data to users for handling a right to access request. WebSphere Commerce does not provide any functionality for developing this communication process.

For instance, after your Data Protection Officer (DPO) retrieves, corrects, or removes personal data for a user, your organization should generate a report that details the retrieved data or changes. Your organization should provide the report to the user that requested the data, the data corrections, or the data removal.