What actions will be required to complete a DSR?

DSRs involve six activities: Discovery, Access, Rectification, Export, and Deletion.

What are your data sources?

The main data source on your store is the personal data of your customers, which includes their information and their orders. If you use other apps that track customer information, those sources are included too.

How will personal data be searched?

Customer data is in the customers and orders lists of your store. If you use other apps that track customer information, you can ask them to give you access if you don't have it directly.

In what formats should personal data be made available?

The GDPR 'right of data portability' allows a data subject to request a copy of personal data in a 'structured, commonly used, machine-readable format', and to request that your organization transmit these files to another data controller.

What does the GDPR require and what are my responsibilities as the controller?

As the controller, the GDPR requires you to be able to:

  • Give data subjects a copy of their personal data, together with an explanation of the categories of their data that are being processed, the purposes of that processing, and the categories of third parties to whom their data may be disclosed.

  • Help every individual exercise their right to correct inaccurate personal data, erase data, receive their data in a readable form, and where applicable, fulfill a request to transmit their data to another controller.

What does the GDPR require and what are the responsibilities of Shopify as a processor?

We must implement the appropriate technical and organizational measures to assist you in responding to requests from data subjects exercising their rights as discussed above. Shopify acts as a processor for the merchant with respect to such customer personal data. The one exception is for customers with whom Shopify has a direct existing relationship.

How does GDPR Compliance Center enable you to respond to data subject requests?

Our app offers a number of capabilities to enable you, as a controller, to respond to a data subject's request. It helps you act on personal data responsive to data subject rights requests, allowing you to discover, access, rectify, delete, and export personal data that resides in the controller-managed data stored in your Shopify store.
