The GDPR expands on an individual's right to access and control their personal data. This section includes:
- A breakdown of those rights.
- How you can use our platform to address requests for each right.
- What you may need to do independently from Shoplazza if you receive a request for each right.
Understand subject access and portability requests
The GDPR gives individuals the right, in certain circumstances, to request a copy of their personal data being processed by a company.
The GDPR therefore requires that you be able to provide your customers with a copy of their personal data in a format that is:
- Easily readable
This allows customers to use their data with a different service provider. Shoplazza allows you to export most data in CSV or Excel formats right from your admin (for example, order and customer management).
Generally, you should respond to a request within 30 days. Extensions are allowed if the request is exceptionally difficult to fulfill.
Process subject access and portability requests
If you receive an access or portability request, then you must first verify the identity of the requester (so that you do not inadvertently provide someone else with your customer's private personal information).
- From your Shoplazza admin, click Customers.
- Click Export.
A copy of the customer's information will be generated in Excel format. You can then provide the information to the customer who made the request.
Article 15 of the GDPR also requires you to provide additional context around how you use the data you are providing, including:
- The purposes for which the customer’s data was processed.
- The third parties that received this data.
- Any relevant retention periods.
- Where the information was collected from (if not directly from the customer).
- Whether or not the data was used as part of any automated decision-making.
Additionally, you need to be able to ensure:
- The customer’s right to request information be corrected or erased.
- The customer’s right to object to how their information was processed.
- The customer’s right to complain to a regulator.
Think about the following questions:
- Are you able to provide all of the required context around a customer's data if they ask for it? Try to plan for a request in advance by maintaining a map of all of the personal data you (or the service providers you use, like Shoplazza) store about your customers.
- Have you considered other service providers that you might use who may have access to your customers’ personal data? These could include third-party apps, channels, and payment gateways.
- Do you have contact information for all of the third-party services you use that might store your customers’ personal data?
You can provide the required context and third-party service provider information in your privacy notice. For more information about how to respond to access requests, you can read this post by the UK Information Commissioner’s Office.
Process erasure requests
The GDPR gives individuals the right, in certain circumstances, to ask that their personal data be erased, or that a company restrict the processing of their personal data.
"Personal data" means any data that can be used to identify an individual, including but not limited to:
- IP address
- Credit card number
Personal data does not include information that is purely financial and cannot be linked to an individual, such as:
- How many times a specific product has sold
- How much revenue your store has made
If you receive a request for erasure (sometimes called redaction or deletion), then you should first verify the customer's identity. You should also make sure there is no reason you need to keep the customer's data (for example, you may legally be obligated in certain jurisdictions to maintain order records for tax or other legal reasons).
After you request an erasure through your admin, Shoplazza will transmit your erasure request to all apps that you have installed at the time you make the request that might have access to that customer’s data.
Once you request an erasure, a 10-day buffer period will begin during which you can cancel the request in case you made it accidentally. To cancel a pending erasure request, contact Shoplazza Support and include your store information and the relevant customer ID.
When you request an erasure, Shoplazza will only redact personal information (such as name and address). Your anonymized order information will remain intact in case you need it for accounting or legal purposes. Once the relevant personal data has been erased, we will send you a confirmation email.
By default, Shoplazza will not erase personal data if the customer has made an order in the last 6 months (180 days), in case a chargeback occurs. If a request for erasure is submitted in that time frame, then it will sit pending, and Shoplazza will act on it once the appropriate time has passed. You do not need to submit another request.
Think about the following questions:
- Are you storing any customer data on your own personal computers or in hard copy?
- Are there other third parties, such as channels or payment gateways, that you may need to contact to request that they erase a customer's personal information?
- Are there any local requirements, such as tax laws, that might require you to retain your customers’ personal information even if they request deletion?
Consider consulting a local lawyer familiar with data retention requirements to help answer this question.