About customer data requests
GDPR and other data regulations provide rights for individuals (so also for the customers of an online store). There are the following rights that are the most important related to their profile in the store:
The right of access
The right to data portability
The right to rectification
The right to erasure
These rights are covered in the app by the requests section. These requests are made from inside the page you have added the customer data requests widget (we will call it the DSR page from the formal data subject requests).
If you have questions about DSR. you can check a list of FAQs here.
At a glance
Store customers have the right to access their personal data.
This is commonly referred to as subject access.
Store customers can make a subject access request on the page you added to the Data Subject Requests widget.
You have one month to respond to a request.
You cannot charge a fee to deal with a request in most circumstances.
Upon a new access request, you will see the on the Requests page of the app the new record and you will receive an email notification (to the email you have specified in the notification option in the DSR page settings) if you have enabled this option from the DSR page settings of the app.
The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.
Customers can request access to their personal data in 2 ways:
Logged-in customers can reach the DSR page through their account page.
Guest or logged-out customers can reach the DSR page from a link that you can add to your navigation menu. There, they are able to request their personal data with email confirmation.
At a glance
The right to data portability allows store customers to obtain and reuse their personal data for their own purposes across different services.
Store customers can make a request for download their data.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
Doing this enables store customers to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
The right only applies to information a store customer has provided to the store
Upon a new portability request, you will see the on the Requests page of the app the new record and you will receive an email notification (to the email you have specified to the notification option in the DSR page settings) if you have enabled this option from the DSR page settings of the app.
The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.
At a glance
The GDPR includes a right for store customers to have inaccurate personal data rectified, or completed if it is incomplete.
A store customer can make a request for rectification on the DSR page.
You have one calendar month to respond to a request.
This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article (5)(1)(d)).
Upon a new rectification request, you will see on the Requests page of the app the new record and you will receive an email notification (to the email you have specified to the notification option in the DSR page settings) if you have enabled this option from the DSR page settings of the app.
The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.
How to handle modification requests?
Locate the personal data and identify all processors and third parties that may also have the personal data. Third parties include marketing or newsletter apps, payment, and shipping providers.
Modify the personal data in your Shopify store on the Customers page.
Modify the personal data in the integrated 3rd party software.
You have 30 days by law to respond to the customer in the email to confirm data modification in your store and all associated third parties
Mark the modification request as done in the app
At a glance
The GDPR introduces a right for store customers to have personal data erased.
The right to erasure is also known as ‘the right to be forgotten.
Store customers can make a request for erasure on the DSR page.
You have one month to respond to a request.
The right is not absolute and only applies in certain circumstances.
This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
Upon a new erasure request, you will see the on the Requests page of the app the new record and you will receive an email notification (to the email you have specified in the notification option in the DSR page settings) if you have enabled this option from the DSR page settings of the app.
The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.
How to handle deletion requests?
Locate the personal data and identify all processors and third parties that may also have the personal data. Third parties include marketing or newsletter apps, payment, and shipping providers.
Notify all identified third parties that have access to the personal data to completely remove the data from their environments and confirm the erasure
Remove the personal data from your Shopify store as noted by Shopify here
You have 30 days by law to respond to the customer in the email to confirm data erasure from your store and all associated third parties
Mark the deletion request as done in the app
The right of access
The right to data portability
The right to rectification
The right to erasure
These rights are covered in the app by the requests section. These requests are made from inside the page you have added the customer data requests widget (we will call it the DSR page from the formal data subject requests).
If you have questions about DSR. you can check a list of FAQs here.
Right of access
At a glance
Store customers have the right to access their personal data.
This is commonly referred to as subject access.
Store customers can make a subject access request on the page you added to the Data Subject Requests widget.
You have one month to respond to a request.
You cannot charge a fee to deal with a request in most circumstances.
Upon a new access request, you will see the on the Requests page of the app the new record and you will receive an email notification (to the email you have specified in the notification option in the DSR page settings) if you have enabled this option from the DSR page settings of the app.
The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.
Customers can request access to their personal data in 2 ways:
Logged-in customers can reach the DSR page through their account page.
Guest or logged-out customers can reach the DSR page from a link that you can add to your navigation menu. There, they are able to request their personal data with email confirmation.
Right to data portability
At a glance
The right to data portability allows store customers to obtain and reuse their personal data for their own purposes across different services.
Store customers can make a request for download their data.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
Doing this enables store customers to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
The right only applies to information a store customer has provided to the store
Upon a new portability request, you will see the on the Requests page of the app the new record and you will receive an email notification (to the email you have specified to the notification option in the DSR page settings) if you have enabled this option from the DSR page settings of the app.
The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.
Right to rectification
At a glance
The GDPR includes a right for store customers to have inaccurate personal data rectified, or completed if it is incomplete.
A store customer can make a request for rectification on the DSR page.
You have one calendar month to respond to a request.
This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article (5)(1)(d)).
Upon a new rectification request, you will see on the Requests page of the app the new record and you will receive an email notification (to the email you have specified to the notification option in the DSR page settings) if you have enabled this option from the DSR page settings of the app.
The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.
How to handle modification requests?
Locate the personal data and identify all processors and third parties that may also have the personal data. Third parties include marketing or newsletter apps, payment, and shipping providers.
Modify the personal data in your Shopify store on the Customers page.
Modify the personal data in the integrated 3rd party software.
You have 30 days by law to respond to the customer in the email to confirm data modification in your store and all associated third parties
Mark the modification request as done in the app
Right to erasure
At a glance
The GDPR introduces a right for store customers to have personal data erased.
The right to erasure is also known as ‘the right to be forgotten.
Store customers can make a request for erasure on the DSR page.
You have one month to respond to a request.
The right is not absolute and only applies in certain circumstances.
This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
Upon a new erasure request, you will see the on the Requests page of the app the new record and you will receive an email notification (to the email you have specified in the notification option in the DSR page settings) if you have enabled this option from the DSR page settings of the app.
The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.
How to handle deletion requests?
Locate the personal data and identify all processors and third parties that may also have the personal data. Third parties include marketing or newsletter apps, payment, and shipping providers.
Notify all identified third parties that have access to the personal data to completely remove the data from their environments and confirm the erasure
Remove the personal data from your Shopify store as noted by Shopify here
You have 30 days by law to respond to the customer in the email to confirm data erasure from your store and all associated third parties
Mark the deletion request as done in the app
Updated on: 28/03/2024
Thank you!