GDPR Compliance Suite

Handling Right to Erasure and Data Portability in SveltyCMS.

Last updated: 5/5/2026

Status: Available (v1.1) Updated: 2026-02-17

Overview

SveltyCMS includes a native GDPR Compliance Suite that automates the most complex requirements of privacy regulation: Right to Erasure (Article 17) and Data Portability (Article 20).

Unlike plugins in other CMSs, this is a core service integrated directly with the Audit Log system, ensuring that even when a user is deleted, the integrity of the content history is preserved (crypto-chained logs) while the identity is anonymized.

User Self-Service

Users can manage their data directly from their Profile Page (/user).

  • Download My Data: Triggers an immediate JSON export of profile and logs.
  • Delete Account: Triggers a self-service anonymization request.

Administrator Control

Navigate to Config -> System Settings -> Privacy & GDPR for system-wide controls.

1. Data Portability (Export)

System Administrators can generate a full JSON export of all data associated with a specific User ID.

  • Input: User ID
  • Output: JSON file containing:
    • User Profile (Email, Role, Preferences)
    • Audit Log History (All actions performed by this user)
    • Metadata (Export timestamp)

import { gdprService } from "@src/services/security/gdpr-service";

// Generates a JSON export of all user data
const userData = await gdprService.exportUserData(userId);

2. Right to Erasure (Anonymization)

Permanently remove a user’s Personally Identifiable Information (PII) without breaking content relationships.

  • Action: soft-delete
  • Process:
    1. User email is replaced with deleted-HASH@anonymized.sveltycms.com.
    2. Username is replaced with ghost-HASH.
    3. Auth credentials are revoked.
    4. Audit Trail: A final log entry records the erasure request.
    5. Content: Posts/Entries remain, but authorship is transferred to a system “Ghost User” or anonymized, preserving content integrity while removing PII.
    6. Logs: Audit logs are cryptographically immutable, but the actor’s mapping is anonymized.

import { gdprService } from "@src/services/security/gdpr-service";

// Anonymizes user and logs the erasure request
await gdprService.anonymizeUser(userId, "User initiated deletion");
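
An added illustration (not SveltyCMS's own code) of why steps 4 and 6 can coexist: when chained log entries carry only an opaque actor ID, erasure overwrites the user record and appends a final entry without touching any past hash. The entry layout, the helper names, the sample data and the derivation of HASH as a salted, truncated SHA-256 are assumptions.

```javascript
const { createHash, randomBytes } = require("node:crypto");
const sha256 = (s) => createHash("sha256").update(s).digest("hex");
const GENESIS = "0".repeat(64);

// Each entry commits to the previous hash and carries only an opaque actorId (no PII).
function appendEntry(log, actorId, action) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const body = { seq: log.length, actorId, action, prevHash };
  log.push({ ...body, hash: sha256(JSON.stringify(body)) });
}

// Recompute every link; an in-place edit of any past entry is detected.
function verifyChain(log) {
  let prev = GENESIS;
  return log.every((entry, i) => {
    const { hash, ...body } = entry;
    const ok = body.seq === i && body.prevHash === prev && sha256(JSON.stringify(body)) === hash;
    prev = hash;
    return ok;
  });
}

// Erasure: overwrite PII in the user record, revoke credentials, append a final entry.
function anonymizeUser(users, log, userId, reason) {
  const user = users.get(userId);
  if (!user) throw new Error(`unknown user ${userId}`);
  // Assumption: HASH is a salted, truncated SHA-256; the page does not specify it.
  const tag = sha256(randomBytes(16).toString("hex") + userId).slice(0, 12);
  user.email = `deleted-${tag}@anonymized.sveltycms.com`;
  user.username = `ghost-${tag}`;
  user.passwordHash = null; // credentials revoked
  user.sessions = [];
  appendEntry(log, userId, `gdpr.erasure: ${reason}`);
  return user;
}

// Constructed sample data: one user, two content actions, then an erasure request.
function demo() {
  const users = new Map([["u42", { email: "alice@example.org", username: "alice", passwordHash: "x", sessions: ["s1"] }]]);
  const log = [];
  appendEntry(log, "u42", "entry.create posts/1");
  appendEntry(log, "u42", "entry.update posts/1");
  const erased = anonymizeUser(users, log, "u42", "User initiated deletion");
  const intactAfterErasure = verifyChain(log);
  log[0].actorId = "scrubbed"; // scrubbing history in place instead breaks the chain
  return { erased, logLength: log.length, intactAfterErasure, intactAfterRewrite: verifyChain(log) };
}

console.log(demo());
```

The chain verifies after erasure because only the user record changed; the last two lines of `demo` show that rewriting an old entry to remove the actor is detected as tampering.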

Privacy & Cookies

SveltyCMS includes a native Cookie Consent Plugin (src/plugins/cookie-consent) that provides a headless, accessible banner. It blocks non-essential scripts (Analytics, Marketing) until explicit consent is given, complying with the ePrivacy Directive.

  • Necessary: Always enabled (Session/Security).
  • Analytics: Optional (Performance tracking).
  • Marketing: Optional (Personalization).

Audit Trail

All GDPR requests (Export, Erasure) are strictly logged in the Audit Log to prove compliance to regulators if requested.

Industry Comparison

How SveltyCMS compares to other platforms for GDPR implementation:

| CMS | Right to Erasure | Data Portability | Audit Proof |
|---|---|---|---|
| SveltyCMS | ✅ Automated Service (Cascading Soft-Delete) | ✅ Native JSON Export | ✅ Crypto-Chained Logs |
| WordPress | ✅ Native Tools (Requires Admin Email Flow) | ✅ Native Export (Email-based) | ❌ No Native Audit Log |
| Payload | ⚠️ Custom Hook (Requires Dev Implementation) | ❌ No Native Export | ❌ No Native Audit Log |
| Drupal | ✅ Modules Available (GDPR Module) | ✅ Modules Available | ⚠️ Database Logging Only |
| Strapi | ⚠️ Manual / Plugin (Community Plugins) | ⚠️ Manual API | 💲 Enterprise Only |
| Contentful | ⚠️ Manual API (Scripting required) | ⚠️ Manual API | 💲 Enterprise Only |

Why it matters:

  • WordPress relies on email confirmation loops which can be slow.
  • Payload is “code-first” which means you have to write the GDPR logic (handlers, endpoints) yourself.
  • Drupal has strong module support but requires heavy configuration and maintenance.
  • Strapi/Contentful force developers to write custom scripts to find and delete user data across relations.
  • SveltyCMS handles this via a single service call (gdprService.anonymizeUser) that automatically handles the “Referential Integrity” of keeping content while removing the user.