About customer data requests

Understand how to handle customer data requests in your Shopify store with our detailed guide. Learn best practices for managing and responding to data requests efficiently.

Introduction



GDPR and other data protection regulations give rights to individuals, including the customers of an online store. The most important rights relating to a customer's profile in the store are:

The right of access
The right to data portability
The right to rectification
The right to erasure

These rights are covered in the app by the Requests section. Customers submit these requests from the page where you have added the customer data requests widget (we will call it the DSR page, from the formal term data subject requests).

If you have questions about DSR, you can check a list of FAQs here.





Adding the Data Subject Request (DSR) page to your store navigation



To ensure accessibility, the DSR page should be linked in visible and easily accessible areas of your online store, such as the footer menu or any other main menu. It should not be hidden.

Add to Footer Menu:

Go to Navigation in the admin panel.
Select the Footer menu.
Add a new menu item named Data Requests and link it to the new page.
Save the menu.

This is an example of how your footer should look:



Add to Any Menu:

Go to Navigation in the admin panel.
Select the menu where you want to add the DSR page.
Add a new menu item named Data Requests and link it to the new page.
Save the menu.

Right of access



At a glance

Store customers have the right to access their personal data.
This is commonly referred to as subject access.
Store customers can make a subject access request on the page to which you added the Data Subject Requests widget.
You have one month to respond to a request.
You cannot charge a fee to deal with a request in most circumstances.

Upon a new access request, you will see the new record on the Requests page of the app, and you will receive an email notification (at the email address you have specified in the notification option in the DSR page settings) if you have enabled this option in the DSR page settings of the app.

The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.

Customers can request access to their personal data in 2 ways:

Logged-in customers can reach the DSR page through their account page.
Guest or logged-out customers can reach the DSR page from a link that you can add to your navigation menu. There, they are able to request their personal data with email confirmation.

Right to data portability



At a glance

The right to data portability allows store customers to obtain and reuse their personal data for their own purposes across different services.
Store customers can make a request to download their data.
It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
Doing this enables store customers to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
The right only applies to information a store customer has provided to the store.

Upon a new portability request, you will see the new record on the Requests page of the app, and you will receive an email notification (at the email address you have specified in the notification option in the DSR page settings) if you have enabled this option in the DSR page settings of the app.

The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.

Right to rectification



At a glance

The GDPR includes a right for store customers to have inaccurate personal data rectified, or completed if it is incomplete.
A store customer can make a request for rectification on the DSR page.
You have one calendar month to respond to a request.
This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article 5(1)(d)).

Upon a new rectification request, you will see the new record on the Requests page of the app, and you will receive an email notification (at the email address you have specified in the notification option in the DSR page settings) if you have enabled this option in the DSR page settings of the app.

The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.

How to handle modification requests?

Locate the personal data and identify all processors and third parties that may also have the personal data. Third parties include marketing or newsletter apps, payment, and shipping providers.
Modify the personal data in your Shopify store on the Customers page.
Modify the personal data in the integrated 3rd party software.
You have 30 days by law to respond to the customer by email to confirm data modification in your store and all associated third parties.
Mark the modification request as done in the app.

Right to erasure



At a glance

The GDPR introduces a right for store customers to have personal data erased.
The right to erasure is also known as ‘the right to be forgotten’.
Store customers can make a request for erasure on the DSR page.
You have one month to respond to a request.
The right is not absolute and only applies in certain circumstances.
This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.

Upon a new erasure request, you will see the new record on the Requests page of the app, and you will receive an email notification (at the email address you have specified in the notification option in the DSR page settings) if you have enabled this option in the DSR page settings of the app.

The app will pre-validate the visitors, and only real customers with orders or personal profiles can send such a request.

How to handle deletion requests?

Locate the personal data and identify all processors and third parties that may also have the personal data. Third parties include marketing or newsletter apps, payment, and shipping providers.
Notify all identified third parties that have access to the personal data to completely remove the data from their environments and confirm the erasure.
Remove the personal data from your Shopify store as noted by Shopify here.
You have 30 days by law to respond to the customer by email to confirm data erasure from your store and all associated third parties.
Mark the deletion request as done in the app.

Updated on: 19/12/2024
