Child pages
  • GDPR - Magento 2
Skip to end of metadata
Go to start of metadata


Firefox user notice:

Please use a different web browser to view this document.

Sorry for the inconvenience.


Magento 2 GDPR extension allows Magento merchants to collect customer consents on registration, checkout, and other pages. Even more, the module allows providing customers with their right to access, copy, transfer, and erase personal data processed by the store and related third-party extensions. Customers are able to access, copy, and delete personal information in one click from customer accounts, while the verification process makes Magento merchants sure about the eligibility of submitted requests.

Compatibility: Magento Open Source 2.1.X - 2.3.X, Magento Commerce 2.1.X - 2.3.X

Product Page

Thank you for choosing Aheadworks!

Installing GDPR



Installing mPDF Library

Before generating customer information in PDF, you need to install the mPDF library executing the following command at the command prompt:

composer require mpdf/mpdf


Command Line Installation

1. Backup your web directory and store database

2. Download the GDPR installation package

 3. Upload contents of the GDPR installation package to your store root directory

 4. In SSH console of your server navigate to your store root folder:

cd path_to_the_store_root_folder


php -f bin/magento module:enable Aheadworks_Gdpr


php -f bin/magento setup:upgrade


php -f bin/magento setup:static-content:deploy

5. Flush store cache; log out from the backend and log in again


Make sure the installation is done from under the FTP administrator account. Otherwise, make sure to set 775 permissions to the store root directory after the extension is deployed.

Composer Installation

1. Log in to your customer account at and navigate to Account -> Composer access;

2. Configure your store to work with the Aheadworks composer repository:

Add composer repository to composer.json by running:

composer config repositories.aheadworks composer in the Magento installation root.

Use a key pair provided as login and pass. You can optionally save them in the global composer auth file.

 3. You can start using AW composer now.

 For extension names, navigate to Account -> Composer access.

 4. Open the root Magento directory on your server and send Composer the following command:

composer require <component-name>:<version>

Note: Use the previously copied component name and version.

 5. Make sure that Composer finished the installation without errors. Flush store cache, log out and log into the backend again.

Getting Around

Business Advantages

The GDPR extension is beneficial in case you want to arrange a regular and manageable process of receiving customer consents to the terms of your privacy policy. It also ensures customers the right to access, copy, transfer, and erase their personal data and, in this regard, makes you following the main GDPR regulation terms.

What Makes the Extension Different

    • The dedicated functionality enables you to comply with most essential GDPR requirements, including the customers right to access, copy, transfer, and delete their personal data;
    • Customer consents with your privacy policy are collected on registration, checkout, and other pages;
    • Customers are able to request access or deletion of personal data from their customer accounts in one click;
    • The implemented verification allows you to reduce fraudulent data requests;
    • The extension allows you to split up customers with and without consents and manage each group individually;
    • The extension API allows you to get and erase data from third-party apps.

GDPR Frontend Use

New Customer Consents

Those customers who want to make their first purchase in a store provide their consent either on registration or on checkout pages.

The process is simple. On the registration page, they just need to tick a dedicated checkbox, while on checkout pages, they need to provide their consents from the popup displayed by the extension. The procedure is mandatory and won't allow them to continue any longer until they agree with the policy terms. Both the checkbox and popup also show a link to the privacy policy page.

Developer Notes: Consent Popup Integration


Consent Popup Integration

The consent popup works on native Magento checkout pages and checkout pages created by the Smart One Step Checkout extension by Aheadworks by default. Still, you can integrate it with any other checkout application the same way just changing the rote to it in etc/di.xml.


  • The popup for guest customers (by default available for native Magento and Smart One Step Checkout extension checkout pages):
<type name="Aheadworks\Gdpr\Block\Consent\GuestPopup\VisibilityResolver">
            <argument name="routes" xsi:type="array">
                <item name="native_checkout" xsi:type="string">checkout/index</item>
                <item name="aw_osc" xsi:type="string">onestepcheckout/index</item>


  • The popup for existing customers (appears on all pages, except for the customer/account/edit one):
<type name="Aheadworks\Gdpr\Block\Consent\CustomerPopup\VisibilityResolver">
            <argument name="routes" xsi:type="array">
                <item name="all" xsi:type="string"></item>
            <argument name="deniedRoutes" xsi:type="array">
                <item name="customer_account" xsi:type="string">customer/account/edit</item>

In case a customer wants to provide the consent later and clicks the 'Ask me later...' link, he is taken to the home page of the store and can finish browsing, if necessary.

Existing Customer Consents

Seemingly, existing customers should have already provided their consents, but not necessarily. The customer base may also include the shoppers who had registered before the extension installation. Or, in case the terms of your privacy policy changed drastically, you would possibly like to collect new consents to make sure that all your customers comprehend the amendments clearly. In this case, you can reset previous consent and collect them repeatedly.

Existing customers provide their consent at the moment they enter their accounts in your store. Immediately after signing in the store, they will see the same pop-up asking them to provide the consent.

Customer Accounts Functionality

Except for the necessity to provide their consents, customers have the right to access, copy, transfer and delete their personal information. They can exercise it right from their customer accounts in the Account Information section. For the purpose, the section contains two buttons: Delete My Account and Get My Data. As soon as they click one of the mentioned buttons, they will receive a verification email allowing them to confirm the request personally. After that, the submitted requests appear in the backend.


Backend Configuration

Extension Settings

The Configuration page of the extension (Stores > Configuration > Aheadworks Extensions > GDPR) includes two sections: General and Email Settings.

The Data Protection Policy page of the General section allows you to determine a privacy policy CMS page to be used as a destination of the Privacy Policy link displayed on the registration page and consent confirmation popup.

The Email Settings section contains the following configuration options:

  • Sender - a contact to be used as a sender for request confirmation emails;
  • Removal Confirmation Email Template - an email template to be used for personal data removal requests;
  • Data Access Confirmation Email Template - an email template to be used for personal data access requests.

That's it. The configuration is done.

Data Access Requests

As soon as information access requests are verified by email they appear in the Data Access Requests grid for further processing by Magento Admins. The grid is located on the corresponding page (Customers > GDPR by Aheadworks > Data Access Requests) and includes the following columns:

  • Customer ID - ID of a customer;
  • Name - customer's name;
  • Email - customer's email;
  • Status - request status. Available options include: Pending, Processing, Completed, Canceled;
  • Created At - date and time of the request submission;
  • Resolved At - resolution date and time;
  • Actions - the column contains an active link, which allows Magento admins to change the status of a request or download customer information in the PDF (human-readable) and XML (machine-readable) file formats.



The above formats, in fact, are intended for different purposes and exercise two different GDPR rights. PDF allows customers to access their personal information, while XML allows customers to make data portable and transfer it to other solutions or applications.

In addition to the Actions column, request statuses can be changed massively using the Actions box.

Developer Notes: Data Export


Export of the Data Stored in Third-party Applications

  • Add the following code lines to the etc/di.xml file:
<type name="Aheadworks\Gdpr\Model\Service\CustomerDataCollector">
            <argument name="dataCollectors" xsi:type="array">
                <item name="your_module_data" xsi:type="array">
                    <item name="module" xsi:type="string">Vendor_YourModule</item>
                    <item name="collector" xsi:type="string">
                    <item name="position" xsi:type="number">150</item>
<virtualType name="Aheadworks\Gdpr\Model\Service\CustomerDataCollector\YourModuleDataCollector" type="Aheadworks\Gdpr\Model\Service\CustomerDataCollector\DataCollector">
            <argument name="title" xsi:type="string">Your Module Information</argument>
            <argument name="dataProcessor" xsi:type="string">


  • And create the data processing Vendor\YourModule\Model\YourModuleDataProcessor.php file as follows:
namespace Vendor\YourModule\Model;

use Aheadworks\Gdpr\Model\Service\CustomerDataCollector\DataProcessorInterface;
use Magento\Customer\Api\Data\CustomerInterface;

 * Class YourModuleDataProcessor
 * @package Vendor\YourModule\Model
class YourModuleDataProcessor implements DataProcessorInterface
     * Get your module data
     * @param CustomerInterface $customer
     * @param int|null $storeId
     * @return array
    public function getData($customer, $storeId)
        return [
            'test' => 'Message',
            'items' => [
                'item_1' => 'Item 1',
                'item_2' => 'Item 2',
                'item_3' => 'Item 3',

Removal Requests

The same way customers may ask to delete own personal information, still, these requests are collected in the Removal Requests grid located under Customers > GDPR by Aheadworks > Removal Requests. The grid has absolutely the same columns as the previous one. The only difference is that the Actions column in the grid only allows Magento admins to manage request statuses. The same actions can be performed massively from the Actions box above the grid.

Once the customer's data removal request has been approved, his/her personal data is erased from the store. The data includes the customer's ID, Name, and Email.


The grid is related to the right of customers to erase own personal information used by the merchant.

Consent Relevance

As soon as Magento merchants receive requests to delete some personal data, they can do this on the Consent Relevance page. The corresponding grid contains a list of all customers, including guest ones, and allows admins to anonymize customer data in one click. Additionally, on this page, Magento admins are able to track and manage consent statuses of customers. Still, let's start from the beginning.

The Consent Relevance grid is located at Customers > GDPR by Aheadworks > Concent Relevance and contains the following columns:

  • Customer ID, Name, Email - the same columns described previously;
  • Latest Consent Date - the date and time a consent was provided last time;
  • Relevant Consent - the status of a consent considered to be relevant or not. Includes two options: Yes and No;
  • Actions - contang the Select box that allows erasing the personal data of the customer.

The customer whose data is erased gets anonymized. This means that his/her personal data in the grid is now hidden behind asterisks in the ID, Name, and Email columns, correspondingly. However, his/her orders remain recordered in the store's database but marked as the guest orders. These orders can be stored for a period determined by a local law.

You can see a couple anonymized customers in the picture above.

In addition to the Active column, Magento admins can also use the Actions box above the grid to massively anonymize the selected customer data.

The Consent Relevance page also includes the Reset Consent button, which resets all eligible consent statuses to 'No' so you need to collect them once again. If all the consents are reset, all existing customers have to provide their consents once again the way it's explained in the GDPR Frontend Use section of this guide.

Developer Notes: Data Deleting


Deleting data from Third-party Applications

In case if the data in the third-party application and Magento customer table are connected (Foreign Key), you don't need to do anything at all, as soon as the data is going to be deleted automatically (recommended). Otherwise, you need to add own "eraser" using the etc/di.xml file. The Eraser should use the Aheadworks\Gdpr\Model\Service\CustomerDataEraser\DataEraserInterface interface:

<type name="Aheadworks\Gdpr\Model\Service\CustomerDataEraser">
            <argument name="dataErasers" xsi:type="array">
                <item name="Vendor_YourModule" xsi:type="string">Vendor\YourModule\Model\YourModuleEraser


You can also use the following events:

"aw_gdpr_customer_data_delete_before", params: customer_id
"aw_gdpr_guest_data_delete_after", params: customer_id
"aw_gdpr_guest_data_delete_before", params: email, store_ids
"aw_gdpr_guest_data_delete_after", params: email, store_ids

Uninstalling GDPR

Manual Removal

1. Disable the module by executing the following commands:

php bin/magento module:disable Aheadworks_Gdpr
php bin/magento setup:upgrade

2. Remove the extension files from the following folder:


Automatic Removal (via Composer)

1. Disable the module by executing the following commands:

php bin/magento module:uninstall Aheadworks_Gdpr

Product Page

Need Customization?

Magento 2 Custom Development Services by Aheadworks

You can always find the latest version of the software, full documentation, demos, screenshots and reviews at
License agreement:
Contact Us:
Copyright © 2019 aheadWorks Co.

  • No labels