Right to be forgotten

Abstract

Guide to deleting Sitecore personal contact, user, customer, session and forms data for users wishing to be forgotten.

Warning

This Privacy Guide provides technical guidance on how your developers can choose to configure your Sitecore product implementation to support you on your data privacy compliance journey. This guide does not provide exhaustive guidance, and should not be construed or used as legal advice about the content, interpretation, or application of any law or regulation. You, the customer, will always be in the best position to assess your own risks, and must seek your own legal counsel to understand the applicability of any law or regulation to your business, including how you process personal data. Your resulting implementation is based entirely on your own configuration choices.

The right to erasure (also known as the right to be forgotten) concerns the data subject’s right to request the deletion of personal data. This topic describes how Sitecore facilitates the ability to remove a data subject’s personal data.

Erasing personal contact data

Within your Sitecore implementation, you can:

  • Use the xConnect Client API to erase data marked [PIISensitive] by calling the ExecuteRightToBeForgotten() method. The ClearSupressionListWhenExecutingRightToBeForgotten handler automatically clears the contact’s past and current email addresses from the suppression list.

  • Execute the right to be forgotten from the Experience Profile interface.

The organization is responsible for the following:

  • Implementing a process or interface that allows data subjects to request deletion of personal data.

  • Ensuring that personal data in custom contact facets is marked [PIISensitive]. Any facet or facet property marked [PIISensitive] is deleted when the right to be forgotten is executed.

Important

Interaction facets cannot be marked [PIISensitive] and are not deleted when the right to be forgotten is executed.

Erasing personal user data

Within your Sitecore implementation, you can:

The organization is responsible for the following:

  • Implementing a process or interface that allows data subjects to request that their data is deleted.

  • Ensuring all user profile properties that contain personal data are identified and cleared.

Erasing personal customer data

Within your Sitecore implementation, you can:

The organization is responsible for the following:

  • Configuring the CustomersRemovePolicy correctly.

  • Implementing a process or interface that allows data subjects to request that their data is deleted.

  • Ensuring all customer profile properties that contain personal data are identified and cleared.

Note

Deleting a customer does not delete the shipping address and email address associated with the order. This data also exists for anonymous orders.

Erasing active session data

If a contact requests to be erased, consider clearing session data and removing cookies to ensure that all connections between the device and the contact are severed:

  • Call Session.Clear()

  • Call Session.Abandon()

  • Remove the SITECORE_GLOBAL_ANALYTICS_COOKIE (tracking does not resume after the right to be forgotten has been executed, but the xConnect Client API can still be used to link a cookie to a device profile, and from there to the anonymized contact record)

Erasing forms submission data

By default, form submission data is stored in the Forms database. If a form submission is linked to an identifier such as a contact identifier or an e-mail address, you can use SQL to clear or delete rows associated with a specific data subject.

Important

If you create a custom submit action that stores personal data in a third-party system such as a CRM, you are responsible for ensuring that data subjects can access their data in that system.

With the xDB

If the xDB is enabled, all form submissions that are stored in the default Forms database are indirectly associated with a contact ID. Contact IDs are stored in aggregated forms data in the Reporting database (sample_Sitecore.Analytics), which can be linked to an entry in the forms database (sample_Sitecore.ExperienceForms) as shown in the following example:

USE [sample_Sitecore.Analytics]
GO

SELECT [ContactId],
       fld.FormId,
       fld.FieldId
FROM   [dbo].[Fact_FormMetrics] frm
       JOIN [dbo].[Fact_FormFieldMetrics] fld
           ON frm.FormId = fld.FormId
           AND frm.InteractionId = fld.InteractionId
GO

USE [sample_Sitecore.ExperienceForms]
GO

SELECT [ID],
       [FormEntryID],
       [FieldItemID],
       [FieldName],
       [Value],
       [ValueType]
FROM   [dbo].[FieldData]
GO

Without the xDB

If the xDB is not enabled, form submissions that are stored in the default Forms database are not associated with a contact ID. If you store email addresses or other personal data that can be used to identify a data subject, you should consider how to handle requests for this data to be removed.
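The following T-SQL is an added example, not part of Sitecore's documentation, of the "clear or delete rows associated with a specific data subject" step described above for the case where submissions are keyed by an e-mail address rather than a contact ID. It assumes only the FieldData columns shown earlier; the field name 'Email', the @Email value, and the UNIQUEIDENTIFIER type of FormEntryID are assumptions.

```sql
USE [sample_Sitecore.ExperienceForms]
GO

-- Constructed sample value: the address of the data subject asking to be forgotten.
DECLARE @Email NVARCHAR(256) = N'subject@example.com';
-- Assumed: the form field that captured the address is named 'Email'.
DECLARE @EmailFieldName NVARCHAR(256) = N'Email';

-- Every form entry in which this address was submitted. Deleting by entry, not by the
-- single matching row, erases the other personal fields (name, phone, ...) submitted
-- alongside the address in the same entry.
DECLARE @Entries TABLE (FormEntryID UNIQUEIDENTIFIER PRIMARY KEY);

INSERT INTO @Entries (FormEntryID)
SELECT DISTINCT [FormEntryID]
FROM   [dbo].[FieldData]
WHERE  [FieldName] = @EmailFieldName
  AND  [Value] = @Email;

-- Dry run: list what would be erased so the request can be reviewed first.
-- Value itself is deliberately not selected, to avoid copying personal data into logs.
SELECT fd.[ID], fd.[FormEntryID], fd.[FieldName], fd.[ValueType]
FROM   [dbo].[FieldData] fd
       JOIN @Entries e ON e.FormEntryID = fd.[FormEntryID];

BEGIN TRANSACTION;

DELETE fd
FROM   [dbo].[FieldData] fd
       JOIN @Entries e ON e.FormEntryID = fd.[FormEntryID];

-- Roll back when nothing matched, so a mistyped address cannot silently "succeed"
-- and be recorded as a completed erasure.
IF @@ROWCOUNT = 0
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR (N'No form data found for the supplied address.', 16, 1);
END
ELSE
    COMMIT TRANSACTION;
GO
```

Run the dry-run SELECT on its own before the transactional batch; the comparison on [Value] follows the column's collation, so confirm whether it is case-insensitive in your database.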