GDPR and Blesta

May 25, 2018 | Posted by Paul

General Data Protection Regulation, or more commonly known as GDPR, is a new set of rules designed with the intent of giving EU citizens more control over their personal data. If you aren’t familiar with GDPR, Wikipedia is a good resource.

It’s up to each company to determine how they are impacted by GDPR, and what compliance looks like for them. Our goal is to make compliance as easy as possible as it relates to Blesta. We have made some changes to Blesta to ease some of the burden with compliance. These changes will be included in version 4.3, to be released very soon.

Here’s a list of individual rights as specified by GDPR, and how they are impacted by Blesta. See Individual Rights for a complete list.

The right to be informed

Order forms in Blesta can, if enabled, define the URL to your Terms of Service. This can be set by modifying your order form under Packages > Order Forms, and checking the box labeled “Require Agreement to Terms of Service”, and entering the URL to your Terms of Service. You should include information about how you use the data you collect.

The right of access and rectification

When a client places an order, they are given a user account to Blesta. The client may login to their account at any time and access, view, and correct their personal information, so long as their account status is “Active”.

The right to erasure

Also know as the “Right to be forgotten”. The client delete feature has been changed in Blesta 4.3 to remove many of the restrictions that prevented an account from being deleted, and to increase the amount of data that is deleted so as to satisfy this requirement. Should you receive and accept a request for erasure, using the delete client feature will allow you to fully delete the client and any associated data.


The client should have no open or recurring invoices, and no active services. If they have any of these things, you would probably deny such a request. However, voiding open or recurring invoices, and cancelling active services will then allow you to delete the client.

Items deleted

  • All invoices belonging to this client
  • All services, including service meta data for this client
  • All transactions for this client
  • All contacts (The primary client contact, and all other types) belonging to this client
  • All database logs associated to the client
  • The client’s “Set Packages” for restricted packages
  • The client’s client settings
  • The client’s custom contact fields
  • The client’s notes (staff notes for the client)
  • The client’s payment accounts (CC & ACH)
  • The client’s user account
  • The client’s tickets
  • The client’s orders

Additionally, third-party plugins can make use of the Clients.delete event to delete associated client data when a delete client action is performed. We use it to delete data within the Support Manager and Order plugins.

The right to data portability

Blesta 4.3 adds a new Data Portability Export under Billing > Reports. Should you receive and accept a request for data portability, running this report for a client will generate a JSON file with the client’s data.

Export includes

  • All services
  • All transactions
  • All invoices
  • All tickets
  • All logins including IP address and time of login
  • All contacts (including primary contact/client)
  • All payment accounts (but not cc/ach encrypted data)


GDPR requires clear and affirmative consent for email marketing. Blesta 4.3 adds new settings for consent in marketing, and allows you to control its behavior. You can enable the ability for clients to opt-in under Settings > Company > General > Marketing, and then set the behavior within the order sytem under Packages > Order Forms > Settings. For GDPR compliance, you should select “The option to receive email marketing must be selected by the client”, so that the opt-in box is not pre-checked.

We are wrapping up the final details on this release and look forward to getting version 4.3 to you very soon. If you receive any requests under GDPR, you will have sufficient time to respond to those requests. If you have any suggestions on how we might make GDPR compliance even easier, please submit a feature request, or start a discussion on our forums.