Right to access
GDPR stipulates that a user has the right to request access to, and be informed about, their personal data that is collected by your site. To help your organization get ready to meet these GDPR principles and rights, WebSphere Commerce provides your organization with SQL statements that can be used to retrieve the personal data that is collected about your users.
Accessing site and internal user personal information
When a shopper or other user for your site wants to learn about the data that your site collected about that user, the user can submit a request to your organization's Data Protection Officer (DPO). Your organization is responsible for creating the request submission process that your site and internal users must use to submit data access and erasure requests. WebSphere Commerce does not provide any process for creating or receiving these requests.
After the request is received, your Data Protection Officer can use SQL to retrieve the data that is collected about the user. The Data Protection Officer can then provide a copy of the data to the user that requested the information. The Data Protection Officer may need to request some personal data from the user to verify the user's identity and to retrieve the user's data from the database. The following identifying information is typically needed to retrieve the user's personal data records:
- Logon ID (USERS_ID or MEMBER_ID)
With this ID, the SQL for retrieving user personal data can be constructed and used. For more information about the SQL for accessing user data, see SQLs for retrieving user personal data.
For more information about the personal data that WebSphere Commerce can collect, see Data collection. To collect some types of data, a user must provide consent and store functions need to be enabled.
Data portability
After your Data Protection Officer retrieves the personal data for a user, a copy of the data should be provided to the user in a commonly used and machine-readable format. Provide that data to the user over a secure method of communication.
As part of the EU GDPR, users of your site have a right to data portability. To meet the requirements to support this right for your users, you are responsible for making sure that your site has processes in place to provide a user with details about the data that you collect about the user, and any processing of that data.
Your organization is responsible for developing the communication process to provide the retrieved data to users for handling a right to access request. WebSphere Commerce does not provide any functionality for developing this communication process.
For instance, after your Data Protection Officer (DPO) retrieves, corrects, or removes personal data for a user, your organization should generate a report that details the retrieved data or changes. Your organization should provide the report to the user that requested the data, the data corrections, or the data removal.
- SQL statements: Right to access
  Individuals have the right to ask whether your company holds any personal data that pertains to them. You are obligated to reply and to provide that information upon request. The following table lists personal data stored in WebSphere Commerce and shows how to retrieve the data using an SQL query.
- Data collection
  WebSphere Commerce provides various sample store pages, store functions, and other features that your site can customize and use to create your custom store. If your site customizes and uses these templates, your site can be set up to collect personal data about shoppers and other users that browse and shop within your custom store.
Related concepts
General Data Protection Regulation (GDPR) and WebSphere Commerce