
GDPR for Magento 2

Current extension version: 1.0.3

The extension provides merchants with the toolset necessary to comply with some of the most essential GDPR regulations.

  • Dedicated functionality allows you to comply with GDPR, specifically the rights to be informed, to access, to erasure, and to data portability
  • Data protection policy consents are collected on registration, checkout, and other pages
  • Improved customer accounts allow customers to ask to delete or copy their personal data
  • Customer verification mechanism protects data against fraudulent activity
  • Extension grids segment customers by their statuses and intentions
  • The API provided allows retrieving and deleting data from third-party applications
Extension settings | enable store admins to specify a CMS page with privacy policy terms and configure email settings, including email sender, removal and data access confirmation email templates.

Data Access Requests grid | lists all customer data access requests created from their account pages. Here, store admins can track every particular request, change request statuses, and download the required data in the PDF or XML file formats.

Removal Requests grid | allows tracking customer data removal requests, with the possibility to change the statuses of selected ones and delete the personal data of particular customers.

Consent Relevance grid | provides an overview of the collected customer consents to personal data usage. From here, store admins can cancel the consents of all or individual customers if the privacy policy has significantly changed.

Customer consents | are given in the popup displayed on any web store page.

Guest user consents | are collected on the checkout page via the confirmation popup displayed there.

New customer consents | are collected on the registration page via the ‘I consent to the…’ checkbox at the bottom of the registration form provided.

Customer data requests | can be made by customers from the ‘Account Information’ section on their account pages.

Identity verification | link is sent to customers by email when they request their personal data access or removal.


How Magento 2 GDPR works

The Magento 2 GDPR extension allows your customers to exercise the right to access, change, and delete their personal data guaranteed by GDPR. Any consent withdrawals or data access requirements are closely monitored by the provided functionality, which allows you to perform all necessary actions consciously and with no delays.

Use Cases:

Keep customer data legitimate


Be sure that your site has the necessary toolset to comply with GDPR.


The main requirements of GDPR imply the following rights for customers:
  • The storage of personal data and its use have to be approved by customers consciously and unambiguously;
  • The module records consent date and time;
  • Customers are able to access and obtain their data both in human- and machine-readable formats (PDF and XML);
  • Customers can demand data removals if they do not want it to be further used and processed.

Although the requirements are quite simple, it can be difficult to keep big or external databases and services compliant with them, which is the main purpose of the GDPR extension for Magento 2.

It allows you to closely track the status of customers with or without consent, delete personal data of customers; it allows customers to request a copy of the stored data, and ask to delete the information.

First of all, the module ensures that all the customers, including guests, provide their consent either on registration and checkout pages or on dedicated popups following current customers across website pages.

Second, you can track the status of your customers in one place in the backend, export the lists of customers with no consents and follow them by any means.

Third, you can receive and process the requests to obtain and erase personal data from multiple customers.


The functionality described above allows you to quickly arrange personal data according to GDPR, change privacy policy terms following legislation changes, and keep it compliant with any imposed data protection terms.

Make personal data accessible to customers


Provide your customers with the access to their personal data according to the GDPR requirements.


Even several extra tickets submitted to your help desk set an unwanted tension in the support department. So, if you start receiving dozens of personal data access requests a day, it may cause overstrain and totally stop the whole process.

It is another thing if shoppers ask for their personal data directly from their accounts and do not affect the work of your customer service. Then you can easily filter out all requests of that kind, export them in one list to use in third-party solutions to follow customers, download the corresponding data, and send it to customers at a time.

Personal data can be delivered in two ways:
  • Right of access - customers can request a copy of their personal data in PDF;
  • Right of data portability - data can be obtained in the machine-readable format (XML).

Data access requests are verified by email, so you can weed out malicious requests. Besides, the provided API makes it possible to take data from the third-party applications involved.


The result is that the customer service is not overloaded with irrelevant inquiries and is able to provide the same high level of services. Meanwhile, you can organize the work of your support department to satisfy requests of your customers within a legitimate timeframe defined by GDPR (30 calendar days).

Right to erasure


Allow customers to delete their information stored in your databases according to the GDPR requirements.


Art. 17 of GDPR is clear about the right to erase someone's personal data wherever it is stored: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”

There are several reasons for the erasure, but the opportunity to withdraw the consent makes this case applicable to almost any situation. So, in order to successfully resolve the issue, you need to collect and process erasure requests effectively, which is the very functionality provided by the GDPR extension.

To use the “right to be forgotten”, customers can use the Delete My Account button in their accounts. The Removal Requests grid in the backend contains all the submitted delete requests. Magento admins are able to delete the corresponding data right here (except the order information, as it is subject to local legislation) and export the list of requests to be processed in other third-party systems, where the personal information can be additionally stored.

As with the right to access and the right to data portability, all the submitted requests are verified by email, while the API allows extracting data from the engaged third-party solutions.


This way, you can erase the personal data requested to be deleted or any other customer information you don’t want to be stored. The whole process takes only several minutes and is not going to be irksome for your staff.

Consent date and time logging


Make your customers understand how their data is used and amend your privacy policy according to the changing legal environment.


Legislation is not immutable and usually follows changes in the technology landscape, so you should adapt to them in a timely manner. Imagine that all your customers have actually given you the permission to use their personal data, but now you need to change your privacy policy according to GDPR.

So, now the given consents are not valid anymore and you need to get them again, which is very embarrassing. However, the GDPR extension is able to make the process much faster and simpler.

As soon as you alter the content of your privacy policy CMS page, you can reset the statuses of customers that gave the consent previously in one click with the Save and Reset the Consent option. Now, customers need to agree to the new terms.

The status of customers related to the new policy terms is tracked via the Consent Relevance grid, which also contains the date when the latest consent was provided by customers.


The process of getting compliant with the latest legislation changes becomes much simpler, consciously manageable and trackable.

Magento 2 GDPR Detailed Feature List

Customer Account Area
  • Customers can ask to access and delete their personal info
  • Accounts will be deleted together with incomplete orders and abandoned carts
  • Customer verification by email

Customer Base Management
  • Track the customers with and without consents
  • Export the lists of customers with no consents
  • Erase the customers’ personal data (id, name, and email address)
  • Monitor customer removal requests
  • Track the data access requests
  • Export the requests to remove data and data access requests

Data Protection Policy Consent
  • Ask customers to provide data protection policy consents on registration pages
  • Ask guest customers to provide data protection policy consents on checkout pages
  • Ask existing customers to provide data protection policy consents using dedicated popups

Change Data Protection Policy
  • Change data protection policy and ask customers to agree with the new terms
  • Reset the consents provided for the previous data protection policy version
  • Monitor customer consents to the latest data protection policy version

How Magento 2 GDPR beats competition:

  1. Optimized workflow

    Built upon most common use cases, the backend interface of our extensions echoes clearly the actual administrative workflow.

  2. Quality code

    Constantly seeking ways for improvement, we write clean code, subject to timely refactoring.

  3. Thorough testing

    Effective quality assurance employed, our extensions are customizable, scalable and fully Magento 2 compatible.

  • Reviews (4)
  • Customer Questions & Answers (9)

Overall rating

5 of 5 stars


Greg Degraffenreid

Jan 16, 2019

Sound one

Full data protection is guaranteed. What else is needed? Buy it and see it yourself. The work of the support department is impeccable as always.

Ruth Coleman

Jan 3, 2019

Retained my customers’ trust

After GDPR came into force, my help desk was overloaded with customers’ questions about how their personal data are used. They needed the guarantee that we would not use any part of the data without their consent. Thanks to this module, I can now provide consent forms on all the required site pages as well as let customers request data access and erasure.

Jali Weckman

Nov 22, 2018

Complete GDPR compliance

The recent GDPR regulations made me worry about the future of my store. I needed to keep the businesses running in a way that would let me comply with all those rules. Luckily, GDPR by Aheadworks saved me from busywork – it handles the personal data of my customers just as required.

Alexander Fischer

Jun 22, 2018

Highly Recommended! A++

The GDPR extension works really well on our webstore and hasn’t had any problems so far. Easy to install and configure. Thanks a lot! Great job AheadWorks!

I am getting the following error:
Fatal error: Uncaught Error: Class 'Mpdf\Mpdf' not found
What can be wrong?
Most likely you do not have mPDF library installed on your server. If it is so, I would suggest that you install it using the following command:
composer require mpdf/mpdf

During the purchase I have to enter our url. Does this extension only work on 1 installation? Because we have a development environment and a production environment.
Our EULA allows using the extensions on a single production and as many dev or staging sites as you need without a need of purchasing an extra license.

Does it support multi-store?
Yes, it does. It is possible to configure the extension separately for different websites.

What is aheadworks policy on supporting its modules? Specifically if a security vulnerability is found will aheadworks create a patch?
Our extensions come with included support period and we are able to provide technical assistance when the support is active.
As for security vulnerabilities and bugs, we are trying our best to fix them free of charge regardless of the support period status.

This extension for Magento 2 supports Saudi riyal currency and Arabic Language?
If your currency and language are natively supported by Magento 2, the extension will also support them.
However, to work with RTL most likely some style adjustments will be required and you will need to translate some options the same way as you did with your Magento.

Does the extension support full page caching?
Since full page cache is a native Magento 2 feature, all our extensions for this platform support it.

I run Magento 1.X. Will my currently installed extensions from aheadWorks work in Magento 2?
Due to a significant difference between Magento 1 and Magento 2 branches, the extensions for M1 will not work in M2.
However, the owners of the extensions by Aheadworks for Magento 1 can get 25% discount on the purchase of the same extensions by AW for M2.

Which URL do I specify on checkout if I've got only a development store at the moment?
You need to enter a final address of the site when it will go live.

If the domain name is still under consideration at the moment of purchase, you can enter an address of your dev environment. In this case, don't forget to contact us when the final domain name has been registered: our support team will change it by your request.

I run Magento 2 on AWS with ELB (Elastic Load Balancers) do I need a license per EC2 instance? They are all behind the same domain.
Such setup is considered to be a single Magento environment, so you need only one license.
