GDPR - Download personal data. Purchases are missing

[hjmaier]

Hi,

thank you for implementing all the GDPR Features. 

I noticed that for the new download function, not all data from comerce are added to the xml file. I miss purchases and invoices. Could you add them?

Best regards

Hans-Joachim

[Matt]

Are they personal data though? The export contains stored email addresses, credit cards and customer data in the XML.

I wouldn't consider data such as:

invoice_id: 12345
invoice_total: 12.00

As data required in the export.

[hjmaier]

@Matt I think about adresses. Are they only stored once as a master date? Or are invoice an delivery addresses stored for each invoice/transaction? If yes, this is a personal data. 

Same is with custom fields for transactions. I can request personal data with custom fields. They need to be included in the download as well. 

I did not check custom profile fields. Are they in the XML?

But thank you very much for your efforts regarding GDPR compliance. 

edit:

Additional: I am not sure if the purchase/ invoice itself is considered a personal data. I guess yes, because I can tell which product a specific user had purchased in the past. 

Edited May 29, 2018 by hjmaier

[Matt]

We add all the addresses currently on file in the XML, which I think should cover the PI requirement.

[bfarber]

22 hours ago, hjmaier said:

Additional: I am not sure if the purchase/ invoice itself is considered a personal data. I guess yes, because I can tell which product a specific user had purchased in the past. 

PII covers data that can be used to identify a person - an invoice (absent other data about the person) can't really be used to identify them.