A Complete Guide to Using GDPR in Shopware store

The Most Popular Extension Builder for Magento 2

With a big catalog of 224+ extensions for your online store

This article, A Complete Guide to Using GDPR in Shopware store, should provide a concise overview of how personal data is processed in Shopware 6, making it easier to create the necessary documentation. Due to the fact that GDPR implementation differs from every firm, you should always consult legal counsel prior to adopting it in your store to verify that all criteria are completed.

Table of Contents

What is General Data Protection Regulation (GDPR)


The European Union’s general data protection regulation (GDPR) took effect, superseding previous national laws. The GDPR is applicable to all businesses and institutions located in the European Union (EU) or the European Economic Area (EEA) (EEA). Additionally, it concerns personal data transfers outside the EU and EEA.

For instance, the GDPR applies to names, addresses, bank account information, and birthdays. The EU’s unifying law intends to empower individuals with greater control over their personal data and to make it more transparent. Additionally, it seeks to strengthen the protection of such personally identifiable information. This should simplify personal data processing for multinational corporations.

The GDPR protects personal data regardless of the technology used to handle it — it is technology agnostic and applies to both automatic and manual processing, as long as the data is arranged according to predefined criteria (for example alphabetical order). It also makes no difference how the data is maintained - in an IT system, via video surveillance, or on paper – personal data is subject to the GDPR’s data protection regulations in all situations.

What Personal Information is Processed and Stored by Shopware

personal information

Shopware 6 stores a range of data that is either directly related to the user (= personal) or is not related to the user (= anonymized). Because anonymized data is not considered personal data and so does not come under the GDPR, no extra procedures are required.

When Shopware 6 accepts customer input or when the store operator needs to work with this data, personal data is always necessary. This could be a registration or review function on the front end, or it could be the back end processing of orders. Of course, with authorization, personal data can also be obtained via the RestAPI.

Additionally, anonymized data is collected in order to facilitate the backend implementation of article recommendations (“customers also bought”, “customers also looked at”,…) and statistics. Because it’s easy to lose track of Shopware 6’s many functionalities, we’ve included a list of the data that is saved in Shopware.

1. Customer Data

The customer can create a customer account in order to access additional features beyond placing an order. This includes, but is not limited to, the address, as well as other personal information, depending on your choices. It is possible to request both the date of birth and the name of the company.

Here, you should check your store’s registration to receive an overview of the data you acquire from customers. All tables in Shopware 6’s database that hold customer data begin with the abbreviation customer. However, you may examine this information in the admin by opening the appropriate customer under Customers > Overview.

2. Orders

Of course, the checkout process is at the heart of every online store. When placing an order in Shopware, the customer has the choice of creating a customer account or proceeding without one. The customer will provide billing information in any case. All of this information is maintained in a logical arrangement.

Additionally, the products purchased by the consumer in your business are stored, as is the customer’s IP address. Additionally, the referrer - the website from which the consumer arrived at your store - is stored. All pertinent information is available in the administration under Orders > Overview and in the database in the tables denoted by the abbreviation order.

3. IP Addresses

As indicated previously, IP addresses are saved for each order. Additionally, this page contains a list of locations where an IP address is stored: What information is stored in IP addresses and user’s browser

4. Newsletter

Shopware 6, like many other systems, includes a newsletter registration capability. For instance, in this case, the form can be found in the store’s footer or in the customer’s user account. All information entered by the consumer in the frontend is stored in the Shopware Admin under the section Marketing > Newsletter Recipients. The data is stored in the database table newsletter recipient.

5. Forms

Shopware 6 forms send an email with the data submitted by customers to the address specified in the form’s shopping experiences. The standard method requires the format of the address, the name and surname, as well as the email address and telephone number.

6. Reviews

Shopware includes the option to leave a product review on the item detail page. A review may only be submitted by a logged-in client and is thus associated with the customer account. In the backend, under Catalogs > Reviews, you can see, remove, or release the specified reviews.

7. Shopware Admin

The administrator interface is unique in this location. Not only can you browse and create client records here, but you can also manage administration users who are associated with an email address. Thus, the admin not only processes the data of your store’s consumers, but also, to a degree, the data of your staff. Under Settings > User Management, you may set the backend’s user management. Additionally, you can restrict access to specific portions of the backend or grant read-only access.

8. API

Additional systems, such as an ERP, will communicate with the store if they are connected. This can be accomplished using a plugin or the API. Typically, API users are created in the administration.

Lawful Basis for Processing Personal Data under GDPR


Under the following circumstances, Shopware may process Personal Data:

  • Consent: You have consented to the processing of your Personal Data for one or more defined purposes.
  • Performance of a contract: Provision of Personal Data is required for the fulfilment of a contract with you and/or any pre-contractual duties arising therefrom.
  • Legal obligations: Processing Personal Data is so necessary for the company to comply with a legal duty.
  • Vital interests: Processing Personal Data is necessary to protect your vital interests or the vital interests of another natural person.
  • Public interests: Processing Personal Data is necessary for the performance of a task in the public interest or in the exercise of the company’s official authority.
  • Legitimate interests: Processing Personal Data is so necessary for the Company to fulfill its legitimate interests.

In any situation, the company will happily assist in determining the exact legal basis for processing, including whether the supply of Personal Data is a statutory or contractual necessity, or a condition precedent to contracting.

How to Exercise your GDPR Data Protection Rights

Exercise your GDPR Data Protection Rights

The company commits to maintaining the confidentiality of your Personal Data and to ensuring that You have the ability to exercise your Rights.

You have the following Rights under this Privacy Statement and by law if you reside in the European Union:

  • Request access to your Personal Information: The right to inspect, amend, or delete the personal information Shopware has on you. Whenever possible, you can access, amend, or delete your Personal Data directly from the area of Your account settings. If you can not carry out these measures on your own, please contact Shopware. Additionally, this permits you to obtain a copy of the Personal Data they maintain about you.
  • Request correction of the Personal Data that Shopware holds: You may request Shopware correct any inaccurate Personal Data that they may have about you. You have the right to have any information Shopware holds about you updated if it is incomplete or inaccurate.
  • Object to processing of your Personal Data: You have the right to object to the processing of your Personal Data. This right applies where they treat your Personal Data on the basis of a legitimate interest and particular situation compels you to object to processing of your Personal Data. Additionally, you have the right to object if they are processing your Personal Data for the purpose of direct marketing.
  • Request for the deletion of Your Personal Data: You have the right to request them erase or remove Personal Data that is no longer necessary to process.
  • Request the transfer of your Personal Information: Shopware shall provide your Personal Data to you or a third-party you have designated in a structured, commonly used, machine-readable format. Please remember that this right applies only to automated information that you consented to them using or that they utilized to perform a contract with you.
  • Refuse to grant consent: You have the right to revoke your consent to the collection and use of your Personal Data. They may be unable to provide you with access to some specific functionality of the service if you withdraw your consent.

You may contact Shopware to exercise your rights of access, rectification, cancellation, and opposition. Please be aware that they may require verification of your identity prior to responding to such inquiries. If you submit a request, they will make every effort to react as quickly as feasible.

You have the right to lodge a complaint with supervisory authority over their collection and use of your Personal Data. In case you reside in the European Economic Area (EEA), please contact your local data protection authority inside the EEA for additional information.


1. Which personal data is transferred to third parties by Shopware?

Shopware does not transfer information to other parties by default. Naturally, extensions can alter this. For instance, if you integrate PayPal into your store, PayPal will receive data from your store (the shipping address, the purchase total, and the shopping cart). Of course, if you utilize a Shopware extension in your store, there are numerous more service providers that handle data from Shopware. Payment processors, ERP systems, and newsletter service providers are all prominent examples. To learn which data is shared with third parties, please contact the extension’s manufacturer.

2. How prepared is Shopware for the new GDPR?

For now, Shopware has been working with reputable certification groups to verify that the system complies with the GDPR’s standards. During this process, it was discovered that, to the best of our knowledge, Shopware provides shop operators with the features necessary to implement the GDPR-compliant settings.

For example, Shopware includes all required tools in its standard end-user documentation, including the ability to delete personal data from the system, which is a requirement under the new basic data protection rule. A GDPR-specific plugin/update is not planned.


These are all the things you need to know about GDPF, its legal regulations, and your exercising rights in your Shopware store. We hope that this article has given you a throughout understanding about those matters. Do you find this article informative? If you do, don’t forget to stay tuned for more useful instructions and advice in building an online business from AVADA.

Increase sales,
not your workload

Simple, powerful tools to grow your business. Easy to use, quick to master and all at an affordable price.

Get Started
avada marketing automation

Explore Our Products:


Stay in the know

Get special offers on the latest news from Mageplaza.

Earn $10 in reward now!

Earn $10 in reward now!

go up