DSAR

Data Subject Access Request — when an EU/UK resident asks you for a copy of, or deletion of, their personal data.

More precisely, a DSAR is a request from an individual exercising one of their rights under GDPR (or CCPA's analogous "consumer request"):

  • Access (Article 15) — give me a copy of all data you hold on me.
  • Erasure (Article 17) — delete my data.
  • Rectification (Article 16) — fix incorrect data.
  • Portability (Article 20) — give me my data in a machine-readable format.
  • Objection (Article 21) — stop processing my data.

You have 30 days to respond, extendable by two months for complex cases.

For Shopify stores, the GDPR webhooks (customers/data_request, customers/redact, shop/redact) automate most of the work — Shopify and your apps coordinate the deletion. You're still responsible for:

  • Communicating the response.
  • Providing the data (Shopify doesn't give it to the customer for you on access requests).
  • Handling rectification requests for data Shopify doesn't manage.
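An app that receives these webhooks should authenticate each one before acting on it, since a forged customers/redact call would delete real data. The sketch below is an added example, not Shopify's or this page's code: it assumes the X-Shopify-Hmac-Sha256 and X-Shopify-Topic headers and the shop_domain and customer.id payload fields from Shopify's webhook documentation, and the job names, secret and sample body are constructed.

```python
import base64
import hashlib
import hmac
import json

# Topics are the three named above; the job names are hypothetical.
COMPLIANCE_JOBS = {
    "customers/data_request": "export_customer_data",
    "customers/redact": "erase_customer_data",
    "shop/redact": "erase_shop_data",
}

# Constructed sample values, not real credentials or a real shop.
SAMPLE_SECRET = b"constructed-client-secret"
SAMPLE_BODY = b'{"shop_domain": "example.myshopify.com", "customer": {"id": 1001}}'


def sign(raw_body: bytes, secret: bytes) -> str:
    """Base64 HMAC-SHA256 of the raw body, the form sent in X-Shopify-Hmac-Sha256."""
    return base64.b64encode(hmac.new(secret, raw_body, hashlib.sha256).digest()).decode()


def handle_webhook(headers: dict, raw_body: bytes, secret: bytes):
    """Return (http_status, job); job is None unless the request is accepted."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    supplied = hdrs.get("x-shopify-hmac-sha256", "").encode()
    # Verify over the exact bytes received, before any JSON parsing,
    # and compare in constant time.
    if not hmac.compare_digest(sign(raw_body, secret).encode(), supplied):
        return 401, None
    action = COMPLIANCE_JOBS.get(hdrs.get("x-shopify-topic", ""))
    if action is None:
        return 400, None
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return 400, None
    if not isinstance(payload, dict):
        return 400, None
    customer = payload.get("customer")
    return 200, {
        "action": action,
        "shop_domain": payload.get("shop_domain"),
        # customer is absent on shop/redact
        "customer_id": customer.get("id") if isinstance(customer, dict) else None,
    }
```

Queue the returned job and log it with a timestamp so the DSAR record shows when each request arrived and when it was completed.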

Document your DSAR process in a single Notion or Google Doc and you've covered most of the operational risk.

See also: GDPR, Right to be forgotten.