GDPR Toolbox – Data access, deletion, objection & audit log

About the Extension

Legally compliant & complete: All GDPR obligations in one plugin

Kommora GDPR Toolbox is the only all-in-one solution for Shopware 6 that technically implements all six data subject rights of the EU General Data Protection Regulation – including a seamless audit trail for the accountability obligation under Art. 5 (2) GDPR.

Why this plugin?

• Protection from fines. Data protection authorities impose penalties up to €20 million. With Kommora GDPR Toolbox you fulfil all access, deletion and objection duties automatically and always have proof of implementation at hand.
• Two to three plugins in one. Replaces anonymization, data-access and objection plugins at once. Saves up to €27/month compared to individual solutions.
• Audit trail as a unique feature. No other plugin in the Shopware Store documents every GDPR action (who, what, when, for which request) so completely.
• Self-service for customers. Saves your support team time – customers handle data access, objection and account deletion on their own.

Covered GDPR articles

• Art. 15 – Right of access – Readable data export per customer
• Art. 16 – Right to rectification – Request workflow
• Art. 17 – Right to erasure – 3 strategies (anonymize, deactivate, hard delete)
• Art. 20 – Data portability – Structured JSON format
• Art. 21 – Right to object – Marketing, profiling, tracking, newsletter individually opt-outable
• Art. 7 – Proof of consent – History of all opt-ins/outs
• Art. 5 (2) – Accountability – Complete audit trail

Features at a glance

? Customer self-service (storefront)

• New "Privacy & GDPR" menu item in the customer account
• "Request my data" – JSON export with profile, addresses, orders, reviews, wishlist, newsletter, custom fields, consent history
• "Objection" – 4 granular opt-out categories
• "Delete account" – with 3 configurable modes
• Secure download link with expiring token (configurable 1–168 hours)

?️ Admin tools (backend)

• New module Extensions → GDPR Toolbox with request list (status, type, deadline)
• Dedicated "GDPR" tab on every customer detail page
• Manual anonymization, deactivation or hard deletion from the admin
• Customer data export in admin as JSON
• Full audit log per customer

? Anonymization – GoBD compliant

• Name, email, address, phone, birthday, custom fields → placeholders
• Orders retained for 10 years (German tax law § 147 AO / § 257 HGB)
• Optional: automatic anonymization of orders after retention expires (scheduled task)
• Newsletter subscription removed in parallel

? Email notifications (all editable in admin)

• 5 mail templates for every GDPR action, DE + EN
• Confirmation of new request
• Download link for data access
• Account deletion confirmation
• Admin reminder 7 days before 30-day deadline
• Objection confirmation to customer
• Usable in Flow Builder for custom workflows (Slack notifications etc.)

? Audit trail (unique selling point)

• Dedicated entity kommora_dsgvo_log logs every action
• Who (admin/customer/system/API), what, when, source, IP address
• Survives customer deletion – audit entries remain after anonymization
• Configurable retention (default 3 years, minimum 365 days for compliance)

⚙️ Automation (scheduled tasks)

• Daily retention cleanup
• Hourly cleanup of expired download tokens
• 6-hourly deadline reminder (admin mail before 30-day deadline expires)
• Daily order anonymization after 10-year retention expires (optional)

Who is it for?

• B2C and B2B shops that need to prove GDPR compliance
• Shop operators who regularly receive GDPR requests
• Agencies delivering legally compliant configurations to their clients
• Shops with data protection officers who expect documentation
• Merchants who want to minimise warning-letter risks

Legal notice

The General Data Protection Regulation (GDPR / EU 2016/679) obliges controllers to technically implement data subject rights and document fulfilment (Art. 5 (2)).

The plugin implements these obligations technically. It does not replace individual legal advice – please consult your data protection officer or lawyer for specific wording and processes.