The General Data Protection Regulation (GDPR) introduces new rules for organizations that offer goods and services to people in the European Union (EU), or that collect and analyze data for EU residents no matter where you or your enterprise are located. Additional details can be found in the GDPR introduction.
Similarly, the California Consumer Privacy Act (CCPA), provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information.
Helpful definitions for GDPR terms used in this document:
Data Controller (Controller): A legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal data and data subject: Any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly.
Processor: A natural or legal person, public authority, agency, or other body, which processes personal data on behalf of the controller. Shopify acts as a processor for the merchant with respect to such customer personal data.
Customer Data: Data produced and stored in the day-to-day operations of running your business.
What is a DSR?
The General Data Protection Regulation (GDPR) gives rights to people (known in the regulation as data subjects) to manage the personal data that has been collected by merchants (known as the data controller or just controller) on their Shopify store (known as the processor).
The GDPR gives data subjects specific rights to their personal data; these rights include obtaining copies of it, requesting changes to it, deleting it, or receiving it in an electronic format so it can be moved to another controller.
California Consumer Privacy Act (CCPA) provides privacy rights and obligations to California consumers, including rights similar to GDPR's Data Subject Rights, such as the right to delete, access, and receive (portability) their personal information.
As a controller, you are obligated to promptly consider each DSR and provide a substantive response either by taking the requested action or by providing an explanation for why the DSR cannot be accommodated by the controller. A controller should consult with its own legal or compliance advisers regarding the proper disposition of any given DSR.
Several processes may be involved in completing a DSR, subject to your organization's GDPR-compliance rules.
Discovery. The process of determining what data is needed to complete a DSR.
Access. Retrieval and potential transmission to the data subject of discovered information.
Rectify. Implement changes or other requested personal data changes.
Export. Providing a "structured, commonly used, machine-readable format" of personal data to the data subject, as provided by the GDPR's "right of data portability."
Delete. Permanent removal of personal data from a Shopify store.
For third-party apps and services accessed through your Shopify store, any data subject requests should be directed to the applicable third party.