Store Information | Handling GDPR data access and deletion requests

The General Data Protection Regulation (GDPR) expands individuals’ rights to access, control, and request deletion of their personal data. As a merchant, you must be able to respond to these requests appropriately—both through the Shoplazza admin and, where necessary, independently. This guide outlines how to handle access, portability, and removal requests using Shoplazza's tools and best practices.

Understanding subject access and portability requests

The GDPR allows individuals to request a copy of their personal data in a format that is common, easy to read, and portable, enabling them to transfer their data between service providers. Most customer data, such as orders and contact information, can be exported in CSV or Excel format from your Shoplazza admin.

You are typically required to respond within 30 days. In complex cases, an extension may be permitted.

Responding to access and portability requests

To fulfill a subject access or data portability request, verify the identity of the requester before sharing personal data.

  • Log in to your Shoplazza admin and go to Customers.
  • Click Export to generate an Excel file containing the customer's data.
  • Provide the exported data along with the following required details under Article 15 of the GDPR:
    • Purposes for processing the customer’s data
    • Third parties who receive the data
    • Relevant data retention periods
    • The source of the data (if not collected directly from the customer)
    • Whether the data is used for automated decision-making

Additionally, ensure the customer is informed of their rights:

  • The right to request correction or deletion of their data
  • The right to object to data processing practices
  • The right to file a complaint with a supervisory authority

To prepare for access requests, consider the following:

  • Are you able to provide all required contextual information about your customers’ data?
  • Do you use other service providers (e.g. apps, sales channels, payment gateways) that store personal data?
  • Do you have up-to-date contact information for those third-party providers?

Maintain a data map showing where customer data is stored—both in Shoplazza and across third-party apps, sales channels, or gateways—to ensure accurate and timely responses to access requests.

You can disclose these details in your store’s privacy policy. For more guidance, visit the UK Information Commissioner’s Office overview on data protection and the EU  .

Responding to a removal request

The GDPR gives individuals the right to request deletion of their personal data or to restrict how it is processed. Restriction means limiting the use of data without deleting it, which may apply when certain conditions prevent full removal—such as legal obligations or unresolved issues.

“Personal data” includes any data that can identify an individual, such as:

  • Name
  • Address
  • Email
  • IP address
  • Credit card number

This does not include anonymized or aggregated data, such as:

  • Product sales totals
  • Store revenue

Before proceeding with a deletion request, verify the identity of the customer and confirm that no legal or regulatory obligations require you to retain the data (e.g. tax recordkeeping).

  • Send an email to global_cs@shoplazza.com and include:
    • Your store information
    • Customer name
    • Verification documents
    • Specific deletion request details

Once the request is submitted:

  • Shoplazza will forward the deletion request to all installed apps that may store the customer's data.
  • There is a 10-day grace period to cancel the request. Contact Shoplazza Customer Support with your store details and the customer ID to withdraw the request.
  • Shoplazza will redact only personal data (e.g., name and email). Order data will remain anonymized to support accounting and legal compliance.
  • A confirmation email will be sent once deletion is complete.

Note

If the customer placed an order within the past 180 days, deletion is deferred to protect against chargebacks. The request remains pending and will be processed later automatically.

Before responding to a deletion request, consider the following:

  • Do you store any customer data on personal devices or in physical files?
  • Will you need to contact third parties to delete customer data?
  • Are there local laws that require data retention even after a deletion request?

If needed, consult a legal advisor familiar with data retention laws in your region to ensure compliance.

Handling customer data requests under the GDPR helps you maintain transparency and meet your legal obligations. Merchants may also need to act outside the Shoplazza admin—such as removing data from spreadsheets or contacting external services—depending on the request. With the tools available in your Shoplazza admin and the right preparation, you’ll be ready to handle access, portability, and deletion requests clearly and confidently.
