ShionImporter is an open-source data import and migration tool. It is used to move data between systems and databases. As a developer tool rather than a data processor, GDPR obligations arise from the data being migrated, the source and destination systems, and the organisation performing the migration. Particular care is needed when migrating personal data to ensure GDPR principles (minimisation, accuracy, security) are maintained throughout the migration process.
ShionImporter is an open-source data import and migration tool used for transferring data between different systems, databases, and file formats. It provides import workflows, data transformation, and mapping capabilities for moving data from source systems to destination platforms. As a developer tool, ShionImporter itself does not permanently process personal data — it facilitates the movement of data from one system to another.
Data migrations involving personal data are subject to GDPR. The organisation performing the migration is the data controller. Key GDPR obligations during migration include: ensuring the migration has a lawful basis in both source and destination systems, maintaining data accuracy during transformation, applying data minimisation (only migrate necessary fields), securing data in transit with encryption, and documenting the migration in your RoPA.
If a data migration moves personal data from an EU system to a non-EU destination system, GDPR Chapter V transfer requirements apply to the destination, not to ShionImporter itself. The migration tool is merely the mechanism; the transfer obligation is determined by the destination system's location.
Document the migration in your RoPA. Ensure encryption in transit. Apply data minimisation — only migrate fields needed in the destination. Verify the destination system has appropriate safeguards. For large-scale migrations of sensitive data, consider a DPIA. Test migrations with anonymised data before running with real personal data.
Websites using ShionImporter must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA may be required when ShionImporter is used to migrate large volumes of special category or sensitive personal data, particularly cross-border migrations involving international transfers.
Sample consent text
Data migrations on this platform use ShionImporter. Personal data migrated is handled as described in our privacy policy and data processing agreement.
Third-party domains contacted
github.com
npmjs.com

Cookies placed

| Name | Type | Duration | Purpose |
|---|---|---|---|
| shion_none | session | Session | ShionImporter sets no cookies — it is a server-side migration tool |
ShionImporter uses cookies for user preferences — inform visitors with a consent banner.
Not as a tool itself. However, using ShionImporter to migrate personal data is subject to GDPR. The organisation performing the migration must ensure all GDPR obligations are met for the data being moved.
Ensure a lawful basis exists in the destination system. Apply data minimisation (only migrate necessary fields). Encrypt data in transit. Verify destination security. Document the migration in your RoPA. Inform data subjects if required by the change in processing.
For large-scale migrations of special category or sensitive personal data, a DPIA is advisable. For routine migrations of standard business data within the same organisation, a full DPIA may not be required but the migration should be documented.
It depends on the destination system. ShionImporter itself does not determine where data ends up. If migrating EU personal data to a non-EU system, GDPR Chapter V transfer requirements apply to the destination.
Use anonymised or synthetic test data for migration testing. Only run migrations with real personal data after testing is complete and the transformation logic is verified. Implement access controls so only authorised personnel can run migrations.
Define a clear post-migration data lifecycle. The source system may retain data for a defined period for rollback purposes, after which it should be deleted or anonymised. Document this retention period and communicate it in your privacy policy if end users are affected.
If the migration changes who controls or processes the data, data subjects may need to be informed. If it is an internal migration with no change in data controller, no separate notification is typically required, but the processing change should be reflected in the privacy policy.
Record in your RoPA: the source and destination systems, categories of personal data migrated, legal basis, encryption measures used, retention schedule for source data, and personnel responsible. Keep documentation for at least 3 years or as required by your supervisory authority.