GDPR compliance in customer support is more complex than most merchants realise. Here's what you need to know — and what you need to do — if you have any EU customers.
If you have any customers in the EU (which is the case for almost every Shopify store), GDPR applies to how you handle their personal data through your support channels. Most merchants comply with the basic requirements (privacy policy, cookie consent) but miss the support-specific obligations.
GDPR obligations in customer support
- Data access requests: If an EU customer asks to see all data you hold on them, you must respond within 30 days.
- Right to erasure: If a customer asks to be forgotten, you must delete their data from your systems — including support ticket history — within 30 days.
- Data minimisation: You should only retain support email data as long as necessary for the original purpose.
- Processor agreements: If you use third-party support tools that process customer data, you need a Data Processing Agreement (DPA) with each.
- Breach notification: If a data breach affects EU customer data, you must notify the relevant supervisory authority within 72 hours.
Raisolve processes customer support emails on your behalf, which makes us a data processor under GDPR. Our DPA is available at any time — email legal@raisolve.com to request it.