Global privacy guide
This Privacy Guide provides technical guidance on how your developers can choose to configure your Sitecore product implementation to support you with data privacy compliance. This guide does not provide exhaustive guidance, and should not be construed or used as legal advice about the content, interpretation, or application of any law or regulation. You, the customer, will always be in the best position to assess your own risks, and must seek your own legal counsel to understand the applicability of any law or regulation to your business, including how you process personal information. Your resulting implementation is based entirely on your own configuration choices.
This guide is aimed at developers and IT professionals. You can use it as a starting point to help you determine the way your organization stores and processes data, and the role Sitecore products play.
We know that privacy and data protection laws are constantly evolving, as are the obligations that your organization might have. This guide is intended to support those efforts and covers:
-
How individuals might be represented in your implementation, how individuals and their personal information can be handled, what data is stored by default, and where it is stored.
-
The Sitecore APIs and configuration options available to you as you look to comply with privacy and individual requests outlined in legislation such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
When assessing the compliance of your Sitecore implementation with privacy regulations, start with the privacy checklist.
See also:
-
Security guide for information about securing the platform.
-
Architecture and roles for information about how each role stores and handles personal information.
-
Data flows and processes for information about how personal information flows through the platform.
For earlier versions of the platform, see:
-
Technical guidance for GDPR including EXM and Sitecore Commerce (Sitecore 8.2.7 and Sitecore Commerce 8.2.1 Update 3)
Definitions
The following section defines several terms that appear in legal texts such as GDPR and/or CCPA, as they have been interpreted for the purposes of this guide only.
Role |
Definition |
This is... |
---|---|---|
Data Subject or Consumer |
A Data Subject is an individual whose data is being processed and is represented by three entities: the customer, the contact, and the user. A Consumer is a California resident whose personal information is collected or processed. The term individual is used throughout this guide to capture both meanings unless referring to a specific entity. |
The customer |
Personal data or personal information |
Any information that identifies an individual, and might include the following as applicable under relevant laws:
Important Your organization is responsible for deciding what constitutes personal information in the context of your business. |
The data Sitecore is processing |
Processor or Service Provider |
A Processor or Service Provider is an organization that is handling the data on behalf of another, as defined under applicable laws. |
Sitecore |
Processing |
Includes:
Important Your organization is responsible for deciding what constitutes processing in the context of your business. |
How Sitecore uses your data |
Controller or Business |
A Controller, or Business, as defined under applicable laws, is the entity or individual whose data is being handled by Sitecore. |
The Sitecore customer |