GDPR Suite for WHMCS Print

What It Does

GDPR compliance toolkit for WHMCS: data export, deletion requests, consent logging, cookie banner, DPA management, automatic data retention, and full audit trail.

Requirements

• WHMCS 8.x or 9.x
• PHP 7.4+
• Supported templates: Six, Twenty-One, Lagom

Installation

1. Upload gdpr_suite to /modules/addons/
2. Go to System Settings → Addon Modules
3. Activate "GDPR Suite"
4. Enter license key
5. Configure settings

Core Features

Data Export: Clients can export their data as CSV or JSON. Selectable types: profile, invoices, services, domains, tickets, emails, activity, consent, contacts, transactions.

Deletion Requests: Client self-service with optional admin approval workflow. Creates To-Do items for tracking.

Anonymization: GDPR Article 17 compliant. Replaces personal identifiers, redacts ticket content, clears IPs. Invoice records retained for legal requirements.

Consent Logging: Automatic logging on registration/order with IP and user agent tracking.

Audit Trail: Full history of all GDPR actions with configurable retention.

Cookie Consent

Customizable cookie banner with styling options (colors, position, animations). Includes cookie policy page generation.

DPA Management

Third-Party Processors: Register sub-processors, track DPA status, agreement dates, EU transfer compliance. Export registry as CSV.

Client DPA: Require clients to accept your Data Processing Agreement before using services. Version control forces re-acceptance when updated.

Client DPA Setup

1. Enable "Client DPA" in module settings
2. Set DPA version (e.g., "1.0")
3. Go to Client DPA tab and add PDF URLs per language
4. Clients see dashboard warning until they accept
5. Change version number to require re-acceptance from all clients

Supports 26 languages with English fallback. If no PDFs configured, clients see built-in DPA content.

Automatic Data Retention

GDPR Article 5(1)(e) compliance. Automatically anonymizes inactive closed accounts after configured period.

Process:

1. Daily cron identifies closed accounts inactive for X years
2. Warning email sent with scheduled anonymization date
3. If client logs in, anonymization cancelled
4. Otherwise, account anonymized after warning period

Inactivity criteria: Account closed/inactive, no login for configured period, no active services, no recent activity.

Automatic exclusions: Accounts with balance (optional), pending deletion requests, already anonymized.

Manual exclusions: Add clients that should never be auto-anonymized (legal hold, custom invoices, ongoing business relationships).

Admin Area Tabs

Requests: View/filter deletion requests by status. Approve or reject with notes.

Audit Log: Filter by client, action, date range. Actions tracked: data_exported, deletion_request_created, deletion_approved, deletion_rejected, client_anonymized, consent_logged, dpa_accepted.

Consent History: View consent records per client.

Data Export: Export any client's data as CSV or JSON.

Cookie Consent: Configure banner styling and policy page.

Breach Notification: Document breaches, track affected data and remediation.

DPA Management: Register third-party processors, export registry.

Client DPA: Configure PDF URLs, view acceptance stats, export records.

Data Retention: View anonymization queue, manage exclusions, cancel scheduled anonymizations.

Client Area

Clients access via Billing → Data Privacy:

• Export their data (selectable types, CSV/JSON)
• View consent history
• Submit deletion request
• View pending request status
• Accept DPA (if enabled)

Dashboard widget shows DPA warning for clients who haven't accepted.

Module Settings

• Require Admin Approval: Approval needed before processing deletions
• Send Confirmation Email: Notify client when deletion processed
• Auto-Log Consent: Log consent on registration/order
• Create To-Do on Request: Create WHMCS To-Do for new requests
• To-Do Due (Days): Days until To-Do is due (default: 30)
• Audit Log Retention (Days): Days to keep audit logs (0 = forever)
• Enable Client DPA: Require DPA acceptance
• DPA Version: Current version (change to require re-acceptance)
• Auto-Anonymize Inactive Accounts: Enable automatic data retention
• Inactivity Period (Years): Years before auto-anonymization (minimum 1)
• Warning Period (Days): Days before anonymization to send warning
• Exclude Accounts with Balance: Skip accounts with outstanding credit

Anonymization Details

When deletion is approved or auto-triggered:

• Name replaced with "Anonymized User"
• Email replaced with anonymized hash
• Contact records anonymized
• Ticket client content redacted
• Activity log IPs cleared
• Account closed, login disabled
• Invoice records retained (legal requirement)
• Mapping stored for reference

Database Tables

Tables are preserved on deactivation:

• mod_gdpr_deletion_requests - Deletion request queue
• mod_gdpr_consent_log - Consent records
• mod_gdpr_audit_log - Audit trail
• mod_gdpr_anonymized - Anonymized client mappings
• mod_gdpr_cookie_settings - Cookie banner configuration
• mod_gdpr_dpa_records - Third-party processor registry
• mod_gdpr_client_dpa - Client DPA acceptance records
• mod_gdpr_auto_anonymize_queue - Auto-anonymization queue
• mod_gdpr_auto_anonymize_exclusions - Exclusion list

Languages

Included translations: English, Dutch, German, French, Italian, Spanish, Russian.

Client DPA supports 26 languages for PDF documents.

License

Licensed per WHMCS installation.

Purchase: GDPR Suite for WHMCS