AEM Commerce - GDPR Readiness

AEM 6.4 has reached the end of extended support and this documentation is no longer updated. For further details, see our technical support periods. Find the supported versions here.
GDPR is used as an example in the sections below, but the details covered are applicable to all data protection and privacy regulations, such as GDPR, CCPA, etc.

The European Union’s General Data Protection Regulation on data privacy rights takes effect as of May 2018. For further information see the GDPR page at the Adobe Privacy Center.

See AEM GDPR Readiness for further details.


In our out-of-the-box Commerce integrations, AEM is the experience layer, consuming services and sending data back to the customer commerce platform that runs in a headless mode.

For some commerce platforms, we store profile information (/home/users) and commerce tokens (to log in to the commerce platform) in AEM. For these use cases, please read Handling GDPR Requests for the AEM Platform.


Handling GDPR Requests for AEM Commerce

For the Salesforce Commerce Cloud integration, AEM Commerce does not store any GDPR-relevant information. You should forward the request to the Salesforce Cloud.

For the hybris and IBM WebSphere integrations, there is some data in AEM. You should use the AEM Platform GDPR instructions and consider these questions:

  1. Where is my data stored/used? Cached user profile information such as name, commerce user identifier, token, password, address data, and so on is shown from AEM.
  2. With whom do I share the covered GDPR data? Any update of GDPR-relevant data in AEM Commerce is not stored (except relevant profile information, as mentioned above) but is proxied back to the commerce platform.
  3. How to delete my user data? Delete the user profile in AEM and invoke the user deletion on the commerce platform.

Have a look at the hybris wiki or the WebSphere Commerce documentation if required.