Skip to content

Add configurable data retention: auto-anonymization of inactive customers#244

Open
guillaumeArgiles wants to merge 1 commit into
PrestaShop:devfrom
guillaumeArgiles:feature/data-retention-anonymization
Open

Add configurable data retention: auto-anonymization of inactive customers#244
guillaumeArgiles wants to merge 1 commit into
PrestaShop:devfrom
guillaumeArgiles:feature/data-retention-anonymization

Conversation

@guillaumeArgiles

Copy link
Copy Markdown

Description

This PR adds configurable data retention to the official GDPR module: an opt-in job that anonymizes customers who have been inactive beyond a merchant-defined period, to enforce the GDPR storage-limitation principle (art. 5.1.e). Today the module handles data rights on request (access, export, erasure) but never enforces a retention duration, which the CNIL recommends automating.

Disabled by default — nothing is ever anonymized unless a merchant explicitly enables it and sets a period.

What it does

  • DetectionCustomerRepository::findInactiveCustomers(): a customer is "inactive" when the most recent of (last connection, last valid order) is older than the configured period.
  • Two phases in DataRetentionService:
    1. Warn — email the customer (with a re-login link) and start a grace window; logging back in resets the inactivity.
    2. Anonymize — after the grace window, anonymize via the existing CustomerService primitive, so orders/invoices are preserved for legal accounting retention (Code de commerce art. L123-22, LPF art. L102 B) while personal data is anonymized.
  • Scheduling — a console command php bin/console psgdpr:data-retention:run (with a --dry-run preview that sends/changes nothing), plus the actionCronJob hook for the ps_cronjobs module. No public endpoint.
  • Back office — a new "Data retention" tab (enable switch, inactivity period, warning lead time).
  • Emails — bilingual FR/EN warning templates, sent in the customer's language.
  • Audit — every warning and anonymization is recorded in psgdpr_log.

Open question for maintainers

The retention job relies on the existing CustomerService::deleteCustomerDataFromPrestashop() (which uses DeleteCustomerCommand). Could a maintainer confirm the intended behavior of that command on orders and invoices (preserved vs. detached vs. removed)? The feature assumes the active → intermediate-archive → deletion model (anonymize the person, keep legally-required accounting records); I'd like to align on this before considering it final.

Test plan

  1. Install the module, open Configure → Data retention, enable it, set a short inactivity period.
  2. Preview safely: php bin/console psgdpr:data-retention:run --dry-run → reports how many customers would be warned/anonymized, sending and changing nothing.
  3. Run for real: php bin/console psgdpr:data-retention:run → inactive customers receive the warning email; entries appear in psgdpr_log.
  4. After the grace window, a subsequent run anonymizes still-inactive warned customers; orders/invoices remain.

Notes

  • Compatible with PrestaShop 8 and 9; PHP syntax kept compatible down to the module's platform (7.2 lint), PHPStan level 5.
  • No module version bump (left to the release process).

…mers)

Enforce the GDPR storage-limitation principle (art. 5.1.e) by anonymizing
customers inactive beyond a merchant-configured period. Disabled by default.

- CustomerRepository::findInactiveCustomers(): "inactive" = most recent of
  (last connection, last valid order) older than the configured period.
- DataRetentionService: two phases — warn (email + grace window) then
  anonymize via the existing CustomerService primitive, so orders/invoices
  are preserved for legal accounting retention while PII is anonymized.
- Scheduling: console command `psgdpr:data-retention:run` (with `--dry-run`)
  plus the actionCronJob hook (ps_cronjobs). No public endpoint.
- Back-office "Data retention" configuration tab (enable, inactivity period,
  warning lead time).
- Bilingual (FR/EN) warning email templates.
- Audit trail via psgdpr_log (request types: warning, scheduled anonymization).
@ps-jarvis

Copy link
Copy Markdown

Hello @guillaumeArgiles!

This is your first pull request on psgdpr repository of the PrestaShop project.

Thank you, and welcome to this Open Source community!

@github-project-automation github-project-automation Bot moved this to Ready for review in PR Dashboard Jun 21, 2026
@Progi1984

Copy link
Copy Markdown
Member

@guillaumeArgiles Please use the PR table in description.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Ready for review

Development

Successfully merging this pull request may close these issues.

3 participants