Data controller

Under GDPR, the entity that decides why and how personal data is processed. For a Shopify store, that's you — Shopify is your processor.

Data controller — under GDPR Article 4(7), the natural or legal person that "alone or jointly with others, determines the purposes and means of the processing of personal data."

For a Shopify store, the merchant is the controller. Shopify and your installed apps are usually processors (they handle data on your behalf, per your instructions).

Why this matters:

  • Customers exercise rights (DSARs, deletion requests) against you, not against Shopify.
  • You're contractually responsible for ensuring your processors are compliant — that's why you need DPAs.
  • Fines under GDPR are usually levied against the controller; the processor is only directly fined for processor-specific violations (security, sub-processor management).
  • If a Shopify app leaks customer data, you're on the hook to your customers; the app is on the hook to you.

See also: GDPR, Data processor.
