Requests

The GDPR grants rights to individuals, and therefore also to the customers of an online store. The following rights are the most important ones relating to a customer's profile in the store:

  1. The right of access
  2. The right to data portability
  3. The right to rectification
  4. The right to erasure

The app covers these rights in its Requests section. Customers submit requests from the GDPR ePrivacy page that the app creates, which store customers can use whether they are registered or not.

Right of access

At a glance

  • Store customers have the right to access their personal data.
  • This is commonly referred to as subject access.
  • Store customers can make a subject access request through the GDPR ePrivacy page.
  • You have one month to respond to a request.
  • You cannot charge a fee to deal with a request in most circumstances.

When a new access request arrives, a new record appears on the Requests page of the app. If you have enabled the notification option in the app's ePrivacy page settings, you will also receive an email notification at the address specified for that option.

The app pre-validates visitors: only real customers with orders or a personal profile can send such a request.

Customers can request access to their personal data in 2 ways:

  • Logged-in customers can reach the ePrivacy page through their account page.
  • Guest or logged-out customers can reach the ePrivacy page through a footer link, where they are able to request their personal data with email confirmation.

Right to data portability

At a glance

  • The right to data portability allows store customers to obtain and reuse their personal data for their own purposes across different services.
  • Store customers can make a request for erasure through the GDPR ePrivacy page.
  • It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
  • Doing this enables store customers to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
  • The right only applies to information a store customer has provided to the store.

When a new portability request arrives, a new record appears on the Requests page of the app. If you have enabled the notification option in the app's ePrivacy page settings, you will also receive an email notification at the address specified for that option.

The app pre-validates visitors: only real customers with orders or a personal profile can send such a request.

Right to rectification

At a glance

  • The GDPR includes a right for store customers to have inaccurate personal data rectified, or completed if it is incomplete.
  • A store customer can make a request for rectification through the GDPR ePrivacy page.
  • You have one calendar month to respond to a request.
  • In certain circumstances you can refuse a request for rectification.
  • This right is closely linked to the controller’s obligations under the accuracy principle of the GDPR (Article 5(1)(d)).

When a new rectification request arrives, a new record appears on the Requests page of the app. If you have enabled the notification option in the app's ePrivacy page settings, you will also receive an email notification at the address specified for that option.

The app pre-validates visitors: only real customers with orders or a personal profile can send such a request.

How to handle modification requests?

  • Locate the personal data and identify all processors and third parties that may also have the personal data. Third parties include marketing or newsletter apps, payment and shipping providers.
  • Modify the personal data in your Shopify store on the Customers page.
  • Modify the personal data in the integrated third-party software.
  • By law you have 30 days to respond to the customer by email, confirming that the data has been modified in your store and at all associated third parties.
  • Mark the modification request as done in the app.

Right to erasure

At a glance

  • The GDPR introduces a right for store customers to have personal data erased.
  • The right to erasure is also known as ‘the right to be forgotten’.
  • Store customers can make a request for erasure through the GDPR ePrivacy page.
  • You have one month to respond to a request.
  • The right is not absolute and only applies in certain circumstances.
  • This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.

When a new erasure request arrives, a new record appears on the Requests page of the app. If you have enabled the notification option in the app's ePrivacy page settings, you will also receive an email notification at the address specified for that option.

The app pre-validates visitors: only real customers with orders or a personal profile can send such a request.

How to handle deletion requests?

  • Locate the personal data and identify all processors and third parties that may also have the personal data. Third parties include marketing or newsletter apps, payment and shipping providers.
  • Notify all identified third parties that have access to the personal data to completely remove the data from their environments and confirm erasure.
  • Remove the personal data from your Shopify store as described in Shopify's documentation.
  • By law you have 30 days to respond to the customer by email, confirming that the data has been erased from your store and from all associated third parties.
  • Mark the deletion request as done in the app.