Both regulations(*) give their data subjects the right to request a copy of their personal information, if a customer requests a copy of their personal information.
- GDPR Articles 12, 15, 20 | Recitals 59, 63, 64
- CCPA Sections 1798.100, 1798.110, 1798.130, 1798.145 (g)(3)

While preparing for access request, think about these questions:
• Are you able to provide all of the required personal information if a customer asks for it? Try to plan for a request in advance by maintaining a map of all of the personal information you (or the service providers you use, like Shopify) store about your customers.
• Have you considered other service providers that you might use who may have access to your customers’ personal information? These could include third-party apps, channels, and payment gateways.
• Do you have contact information for all of the third-party services you use that might store your customers’ personal information?

Under the GDPR regulations :
- Data subjects’ requests must be complied without “undue delay and in any event within 1 month from the receipt of the request.”
The deadline can be extended an 2 additional months taking into account the complexity and number of requests. In any case, the data subject must be informed of such extension within one month from the receipt of the request.
- The right applies to all the personal data collected and processed about the data subject making the request.
- Data controllers can refuse to act on a request when it is manifestly unfounded, excessive or has a repetitive character

Under the CCPA regulations :
- The deadline to respond to such a right is 45 days of receipt of the consumer’s request.
It could be extended an additional 45 days, but notice should be given to the consumer within the first 45 days.
-The right applies only to personal information collected in the 12 months prior to the request.
- Businesses are not required to provide access to personal information more than twice in 12 months.

How do we help you? If you see a new access request in the dedicated table, you can rest assured that we've already:
Verified the identity of the requester
We do so by verifying that the requester has access to the submitted email address specified while submitting the request, and then ask for a second confirmation before allowing access to the destination page.
Collected IP & browser data about when the request was made & when the requester double confirmed the request in the email, in order to provide more security checks if required later on.
Made available a list of the basic information that shop has associated with the summited email. (first name, last name, email, phone, marketing consent & saved addresses)

Shopify also made it easy for you to request data from third party apps installed through the app store. To do so, it is only a couple of steps away :
In your Shopify admin, navigate to the Customers tab.

Search for the email of the customer as provided in the request.

Click ‘Request customer data’ (Please note that this button is only visible to the Account Owner).

The identifiable personal information Shopify stores about that customer will be sent to the Account Owner’s email.
The request is then sent to third party apps you have currently installed on your store. The third party app developers will independently contact you about this request.
You may then combine that information with any other information you may store about the customer and provide it to the customer.

However, If your business (internally, via any third party app or any connected service provider) has more information linked to the submitted email, you should compile all the data from each data user, and send a report to the email during the applicable legal delay.

(*) This is an interpretation and a quick overview of the texts according to our understanding at the moment of the writing, we'll try to keep this up-to-date as actively as possible. Be sure to double check if required as this is not a legal advice.
Was this article helpful?
Thank you!