Setting up GDPR/FZ-152 compliance on 1C-Bitrix


Compliance with FZ-152 "On Personal Data" and GDPR is not a "We use cookies" banner on the homepage. It is a set of technical and organizational measures: data encryption, access logging, a consent revocation mechanism, and data localization for Russian users.

What is considered personal data in the Bitrix context

In a typical Bitrix installation, personal data is stored in several places:

  • Table b_user — email, phone, name, surname, IP addresses in logs
  • Table b_sale_order + b_sale_person_type — delivery addresses, phones, customer data
  • Table b_crm_contact (if crm module is active) — contact data from CRM
  • Feedback forms — data from b_form_result (form module)
  • Table b_user_log — user action history

FZ-152 requires that data of Russian citizens be processed primarily on servers in Russia. This means the databases holding the tables above must be physically located in the Russian Federation. Hosting abroad or CDN caching of user data is a potential violation.

Consent for personal data processing

Technically, consent is recorded as a fact: who gave consent, when, to what, and through which form. In Bitrix this is implemented in the main module, in the \Bitrix\Main\UserConsent namespace.

The b_user_consent table stores consent records. When a user registers or submits a form, a record is created with USER_ID (or USER_IP for anonymous visitors), ORIGIN_ID (form/page identifier), DATE_CREATE and IS_ACCEPTED.

\Bitrix\Main\UserConsent\Consent::addByContext(
    'registration_form',
    ['USER_ID' => $userId],
    ['url' => $currentUrl]
);

Consent must be active (a checkbox that is not pre-selected by default) and informed (a link to the privacy policy nearby). A pre-selected checkbox is a violation of both GDPR and FZ-152.

Right to deletion (right to be forgotten)

Under GDPR, a user has the right to request deletion of all their data. In Bitrix, "deleting" a user through CUser::Delete() does not delete related data from b_sale_order, b_crm_contact and forms; it only deactivates the account.

Complete deletion requires a custom procedure: find all tables that contain USER_ID, EMAIL or phone fields and anonymize or delete the data. Anonymization (replacing real data with placeholders) is preferable to complete deletion if the data is needed for order statistics.

Implement a deletion request form with email confirmation, and clean up confirmed requests manually or through an agent. Automatic immediate deletion is dangerous: it allows an attacker to delete another user's data without verification.

Encryption and data protection

FZ-152 requires technical protective measures. The minimum for a web application:

  • HTTPS (TLS 1.2+) — mandatory
  • Backup encryption — if backups go to external server
  • Database access limitation — only from web servers, not from the internet

Bitrix does not encrypt data in the database by default. Fields with especially sensitive data (passport data, if stored) need a custom encryption implementation with keys stored outside the database.

The log of admin access to personal data is maintained in the b_user_log table when audit is enabled (/bitrix/admin/settings.php?mid=main&lang=ru). Enable audit in production: without it, you cannot prove who viewed customer data and when.

Cookie policy and localization

In the GDPR context, cookies are divided into necessary (session, CSRF tokens) and tracking (analytics, advertising). Necessary ones can be set without consent. For the others, consent is needed before the cookie is set, not after.

This means the Google Analytics script and the Facebook pixel should not load until the user has given consent for analytics cookies. Technically, manage script loading through a condition in JS: if consent_analytics === true in localStorage (or a cookie flag), then load GA and the pixels.
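
The consent gate described above, as an added example that is not code from the original page. The flag name consent_analytics comes from the text; the tracker ids and URLs are constructed placeholders. Because localStorage stores only strings, the check compares against the string 'true', and any storage error is treated as missing consent.

```javascript
// Added example. CONSENT_KEY is the flag named in the text; the tracker
// ids and URLs are constructed placeholders, not real vendor endpoints.
const CONSENT_KEY = 'consent_analytics';
const TRACKERS = [
  { id: 'analytics-tag', src: 'https://analytics.example/tag.js' },
  { id: 'ads-pixel', src: 'https://ads.example/pixel.js' },
];

// localStorage holds strings only, so the stored flag is the string 'true'.
// A storage error (blocked or disabled storage) is treated as "no consent".
function hasAnalyticsConsent(storage) {
  try {
    return storage.getItem(CONSENT_KEY) === 'true';
  } catch (err) {
    return false;
  }
}

// Injects each tracker at most once, and only when consent is recorded.
// Returns the ids injected by this call.
function loadTrackers(doc, storage) {
  if (!hasAnalyticsConsent(storage)) return [];
  const injected = [];
  for (const tracker of TRACKERS) {
    if (doc.getElementById(tracker.id)) continue; // already on the page
    const script = doc.createElement('script');
    script.id = tracker.id;
    script.src = tracker.src;
    script.async = true;
    doc.head.appendChild(script);
    injected.push(tracker.id);
  }
  return injected;
}

// Handler for the banner buttons: granted is true (accept) or false (decline/revoke).
function setAnalyticsConsent(doc, storage, granted) {
  if (granted === true) {
    storage.setItem(CONSENT_KEY, 'true');
    return loadTrackers(doc, storage);
  }
  storage.removeItem(CONSENT_KEY); // later page views load no trackers
  return [];
}

// Browser entry point: on each page view, load only what was consented to earlier.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  loadTrackers(document, localStorage);
}
```

Revoking consent stops trackers from loading on later page views; scripts already injected keep running until the page is reloaded.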