GDPR Compliance for Odoo: What You Must Know in 2026

GDPR fines are hitting ERP operators harder than ever. Here's your practical guide to making your Odoo instance fully GDPR-compliant.


If your Odoo instance holds data about people in the EU (what matters is where the data subject is, not their citizenship), which it almost certainly does if you have European customers, employees, or suppliers, GDPR isn't optional. And the enforcement landscape in 2026 is very different from 2018.

Fines in 2025 exceeded €4.2 billion globally, and regulators are increasingly targeting data processors — not just data controllers. If you host or manage Odoo instances for clients, you may be directly liable for GDPR compliance failures in your managed systems.

Why Odoo Operators Are at Risk

Most Odoo installations store personally identifiable information across dozens of models: res.partner, hr.employee, account.move, sale.order. Each of these contains names, addresses, emails, phone numbers, and in many cases financial data. Under GDPR, you need a documented legal basis for processing each category of data (consent is only one of the six bases, so you need working consent mechanisms wherever consent is the basis you rely on), and the ability to respond to data subject access requests (DSARs) within one month of receipt, extendable by up to two further months for complex or numerous requests provided you tell the requester why.

✅ Need evidence for your next compliance audit? NonaGuard generates comprehensive security reports that map directly to SOC 2 and GDPR control requirements.

The 7 Odoo GDPR Essentials

1. Data Mapping

Create a complete inventory of what personal data your Odoo stores, where it lives, who can access it, and what the legal basis for processing is. The ir.model.fields table is your starting point.

# Odoo shell: find all models that store personal-data fields
from odoo import api, SUPERUSER_ID

env = api.Environment(cr, SUPERUSER_ID, {})
personal_fields = ['email', 'phone', 'mobile', 'street', 'vat',
                   'bank_account', 'identification_id', 'passport_id']

for model_name in env:
    model = env[model_name]
    # Abstract and transient models have no persistent table to inventory
    if model._abstract or model._transient:
        continue
    # Look at declared fields rather than Python attributes
    matching = [f for f in personal_fields if f in model._fields]
    if matching:
        # active_test=False: archived records still hold personal data
        count = model.sudo().with_context(active_test=False).search_count([])
        if count > 0:
            print(f"{model_name}: {matching} ({count} records)")

2. Consent Management

Website forms, newsletter signups, and portal registrations need explicit opt-in consent. Odoo's website module supports consent checkboxes, but they are not enabled by default. For full compliance, every form that collects personal data needs:

  • A visible opt-in checkbox (not pre-checked, since a pre-ticked box is not valid consent)
  • A link to your privacy policy, and a record of which version the person was shown
  • Granular consent per purpose (marketing vs. service delivery); consent for one purpose never covers another
  • Timestamped consent records in the database: who, which purpose, when, through which form, and any later withdrawal
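The rules in that list (granular per-purpose consent, timestamped append-only records, withdrawal, no pre-checked boxes) in plain Python, as an added example that is not part of the original post and not Odoo code: it runs outside Odoo, and the names ts, ConsentRecord, record_consent, latest_consent, may_process and consent_evidence are hypothetical. In a real deployment the same columns would sit on a custom Odoo model and may_process would be the check run before a mailing goes out.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


def ts(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a UTC timestamp; consent records must never carry naive times."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentRecord:
    """One consent event. Rows are append-only, so refusals, withdrawals and
    re-consents are all kept as evidence. Hypothetical structure, not an Odoo model."""
    subject: str              # who: e.g. the partner's e-mail or res.partner id
    purpose: str              # what for: 'marketing', 'service_delivery', ...
    granted: bool             # True = opt-in, False = refusal or withdrawal
    recorded_at: datetime     # when (timezone-aware)
    source: str               # where: the form, portal page or unsubscribe link
    policy_version: str       # which privacy policy text the person was shown
    prechecked: bool = False  # box was ticked for them? then it is not consent


def record_consent(ledger: List[ConsentRecord], rec: ConsentRecord) -> None:
    """Append an event; reject naive timestamps so ordering is unambiguous."""
    if rec.recorded_at.tzinfo is None:
        raise ValueError("consent timestamps must be timezone-aware")
    ledger.append(rec)


def latest_consent(ledger: List[ConsentRecord], subject: str, purpose: str,
                   at: Optional[datetime] = None) -> Optional[ConsentRecord]:
    """Most recent event for this subject and purpose as of `at` (default: now)."""
    at = at or datetime.now(timezone.utc)
    events = [r for r in ledger
              if r.subject == subject and r.purpose == purpose and r.recorded_at <= at]
    return max(events, key=lambda r: r.recorded_at) if events else None


def may_process(ledger: List[ConsentRecord], subject: str, purpose: str,
                at: Optional[datetime] = None) -> bool:
    """True only with an explicit, still-current opt-in for *this* purpose.
    Consent is granular: a marketing opt-in says nothing about other purposes,
    a later withdrawal wins, and a pre-checked box never counts."""
    current = latest_consent(ledger, subject, purpose, at)
    return bool(current and current.granted and not current.prechecked)


def consent_evidence(ledger: List[ConsentRecord], subject: str,
                     at: Optional[datetime] = None) -> Dict[str, dict]:
    """Per-purpose summary of the current consent state, the shape you would
    hand back when a DSAR asks what you have recorded about someone's consent."""
    summary: Dict[str, dict] = {}
    for purpose in sorted({r.purpose for r in ledger if r.subject == subject}):
        rec = latest_consent(ledger, subject, purpose, at)
        if rec is None:  # only events after `at` exist for this purpose
            continue
        summary[purpose] = {
            "granted": bool(rec.granted and not rec.prechecked),
            "recorded_at": rec.recorded_at.isoformat(),
            "source": rec.source,
            "policy_version": rec.policy_version,
        }
    return summary


if __name__ == "__main__":
    # Constructed sample data for one data subject
    ledger: List[ConsentRecord] = []
    record_consent(ledger, ConsentRecord("alice@example.com", "marketing", True,
                                         ts(2026, 1, 5, 9), "website_newsletter_form", "privacy-v3"))
    record_consent(ledger, ConsentRecord("alice@example.com", "marketing", False,
                                         ts(2026, 2, 1, 14), "unsubscribe_link", "privacy-v3"))
    print(may_process(ledger, "alice@example.com", "marketing", ts(2026, 1, 20)))   # opted in
    print(may_process(ledger, "alice@example.com", "marketing", ts(2026, 2, 2)))    # withdrawn
    print(may_process(ledger, "alice@example.com", "service_delivery", ts(2026, 2, 2)))  # never asked
    print(consent_evidence(ledger, "alice@example.com", ts(2026, 3, 1)))
```

Because every event is appended rather than updated, the ledger can answer both "may I e-mail this person today?" and "what was their consent state on the day that campaign went out?", which is the question a supervisory authority asks after a complaint.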

3. Right to Erasure (Right to Be Forgotten)

When a customer requests deletion, you can't just archive the partner record. You need to anonymize or delete associated data across invoices, sale orders, procurement records, and logs — without breaking your accounting audit trail.

# GDPR erasure challenge in Odoo:
# You CANNOT delete accounting records (legal retention requirement).
# Instead, anonymize the personal data while preserving the transaction:

from odoo import fields

# partner_id is the res.partner id of the data subject making the request
partner = env['res.partner'].browse(partner_id)
original_email = partner.email  # capture before the address is blanked

# Anonymize personal data; links from invoices and orders to this partner stay intact
partner.sudo().write({
    'name': f'GDPR-ERASED-{partner.id}',
    'email': False,
    'phone': False,
    'mobile': False,
    'street': False,
    'street2': False,
    'city': False,
    'zip': False,
    'comment': 'Personal data erased per GDPR request',
})

# Remove from mailing lists (the model only exists if mass_mailing is installed)
if original_email and 'mailing.contact' in env:
    env['mailing.contact'].sudo().search([
        ('email', '=', original_email)
    ]).unlink()

# Log the erasure for the compliance audit trail. Earlier chatter messages
# and attachments on this partner may still contain personal data and need
# a separate review.
env['mail.message'].sudo().create({
    'model': 'res.partner',
    'res_id': partner.id,
    'body': f'GDPR erasure completed on {fields.Datetime.now()}',
    'message_type': 'notification',
})
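As an added example (not from the original post, and not Odoo code), the same erasure logic in plain Python so it can be run and tested outside an Odoo shell, extended with a keyed-hash suppression list so that a later CSV import or CRM sync does not quietly recreate the erased contact. The names erasure_payload, SuppressionList, erase and filter_import are hypothetical, the HMAC key is a stand-in for a secret from your secrets store, and the sample partner and import rows are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Fields that identify a person and must be blanked. `name` is handled
# separately because the accounting trail needs some non-empty label.
PII_FIELDS = {"name", "email", "phone", "mobile", "street", "street2",
              "city", "zip", "vat"}
ERASED_PREFIX = "GDPR-ERASED-"


def normalise_email(email: str) -> str:
    return email.strip().lower()


def pseudonym(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised address under a secret key. The
    suppression list stores this instead of the address, so the list holds
    no personal data and cannot be matched against a leaked address list
    by anyone without the key."""
    return hmac.new(key, normalise_email(email).encode(), hashlib.sha256).hexdigest()


def erasure_payload(partner: Dict[str, object]) -> Dict[str, object]:
    """Values to write on the partner. PII fields are blanked, the name is
    replaced by an opaque marker, and every other field (company link,
    customer rank, accounting settings) is left untouched so invoices and
    orders keep a valid, if anonymous, counterparty. Idempotent: an already
    erased partner yields an empty payload."""
    if str(partner.get("name", "")).startswith(ERASED_PREFIX):
        return {}
    payload: Dict[str, object] = {f: False for f in PII_FIELDS if f in partner and f != "name"}
    payload["name"] = f"{ERASED_PREFIX}{partner['id']}"
    payload["comment"] = "Personal data erased per GDPR request"
    return payload


class SuppressionList:
    """Pseudonymous record of erased contacts, checked on every import or
    sync. Hypothetical; in Odoo this could be a small custom model."""

    def __init__(self, key: bytes):
        self._key = key
        self._entries: Dict[str, datetime] = {}

    def add(self, email: str, erased_at: datetime) -> str:
        token = pseudonym(email, self._key)
        self._entries[token] = erased_at
        return token

    def is_suppressed(self, email: str) -> bool:
        return pseudonym(email, self._key) in self._entries


def erase(partner: Dict[str, object], suppression: SuppressionList,
          now: Optional[datetime] = None) -> Tuple[Dict[str, object], Dict[str, object]]:
    """One erasure step: returns (write payload, audit log entry). The audit
    entry carries the pseudonym, never the e-mail address."""
    now = now or datetime.now(timezone.utc)
    payload = erasure_payload(partner)
    email = partner.get("email")
    token = suppression.add(str(email), now) if email else None
    audit = {
        "model": "res.partner",
        "res_id": partner["id"],
        "body": f"GDPR erasure completed on {now.isoformat()}",
        "pseudonym": token,
    }
    return payload, audit


def filter_import(rows: Iterable[Dict[str, object]],
                  suppression: SuppressionList) -> Tuple[List[dict], List[dict]]:
    """Split import rows into (accepted, blocked) using the suppression list."""
    accepted: List[dict] = []
    blocked: List[dict] = []
    for row in rows:
        email = str(row.get("email") or "")
        (blocked if email and suppression.is_suppressed(email) else accepted).append(row)
    return accepted, blocked


if __name__ == "__main__":
    # Constructed sample data; the key would come from a secrets store, not code.
    key = b"demo-only-suppression-key"
    partner = {"id": 42, "name": "Alice Example", "email": "Alice@Example.com",
               "phone": "+32 2 555 0100", "street": "Rue de la Loi 1",
               "city": "Brussels", "zip": "1000", "customer_rank": 3}
    suppression = SuppressionList(key)
    payload, audit = erase(partner, suppression)
    print(payload)
    print(audit)
    accepted, blocked = filter_import(
        [{"name": "Alice Example", "email": "alice@example.com"},
         {"name": "Bob Example", "email": "bob@example.com"}], suppression)
    print(len(accepted), "accepted,", len(blocked), "blocked")
```

The point of the keyed hash over a plain SHA-256 is that e-mail addresses have little entropy: an unkeyed hash of an address can be recovered by hashing any address list, which would turn the suppression list back into a list of erased people.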

4. Data Breach Notification

GDPR requires the controller to notify the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33); a processor must notify the controller without undue delay, and affected individuals must be informed when the breach is likely to result in a high risk to them (Article 34). Do you have an incident response plan? Do you monitor for unauthorized access? Key questions to answer before a breach happens:

  • Who is your Data Protection Officer (DPO) or responsible person?
  • Which supervisory authority do you report to?
  • Do you have a template notification letter for affected individuals?
  • Can you identify which records were accessed in a breach? Odoo's standard server log shows which model and method were called, not which record ids were read, so plan for database-level or custom access logging.

5. Data Processing Agreements

If you use Odoo.sh, third-party hosting, or API integrations that process personal data, you need signed Data Processing Agreements (DPAs) with each vendor. This includes:

  • Your hosting provider (Hetzner, AWS, OVH, etc.)
  • Email service providers (Mailgun, SendGrid)
  • Payment processors (Stripe, Mollie)
  • Monitoring tools (including NonaGuard — we provide a DPA on request)
  • Backup storage providers

6. Access Controls (Least Privilege)

Least privilege is not just a best practice: data protection by design and by default (Article 25) and security of processing (Article 32) both require that personal data is accessible only to those who need it. Review access groups, remove over-privileged users, and implement record rules that restrict data visibility to the rows each role actually needs.

# Check for users with access to sensitive HR data who shouldn't have it.
# hr.group_hr_user is the HR officer group that can manage all employees.
hr_group = env.ref('hr.group_hr_user')
hr_users = hr_group.users

# List users with HR access who are NOT in the HR department. Matching on the
# department name is a quick check; compare against the department record's
# id if names differ across companies or languages.
for user in hr_users:
    employee = user.employee_id
    department = employee.department_id.name if employee else False
    if department != 'Human Resources':
        print(f"WARNING: {user.name} has HR access but is in "
              f"{department or 'no department / no employee record'}")

7. Regular Audits

GDPR requires ongoing compliance, not one-time setup. Automated tools like NonaGuard check for permission gaps, exposed data endpoints, and compliance risks on every scan. Key audit frequencies:

  • Weekly: Automated security scans (permissions, access groups, orphaned accounts)
  • Monthly: Manual review of data processing register and consent records
  • Quarterly: DPA review with all data processors
  • Annually: Full GDPR compliance audit with legal review

GDPR Fines: What's at Stake

Penalties for non-compliance are severe:

  • Tier 1 violations (controller and processor obligations such as technical measures, records of processing, DPO): up to €10 million or 2% of total worldwide annual turnover of the preceding year, whichever is higher
  • Tier 2 violations (basic processing principles, conditions for consent, data subjects' rights, international transfers): up to €20 million or 4% of total worldwide annual turnover, whichever is higher

For SMBs, even a Tier 1 fine can be existential. Prevention through proper configuration and monitoring is orders of magnitude cheaper than remediation after a regulatory investigation.

Start a free compliance scan and identify your GDPR exposure today.

📋 Generate Compliance Evidence

NonaGuard's scan reports serve as continuous evidence of security monitoring, permission auditing, and vulnerability management — exactly what auditors want to see.

Start Generating Evidence →