How to process GDPR webhook customers/data_request

user072319
Shopify Partner
127 0 14

Hello there,

Can anyone please explain how to implement the customers/data_request webhook? In the customers-data_request documentation it's mentioned that

It's your responsibility to provide this data to the store owner directly.

When I clicked REQUEST CUSTOMER DATA in the dashboard's customer section, I got an email at the store owner's address with information like customer, order, etc., with downloadable CSV file links.

So while processing this webhook request what should I do?

Visely-Team
Shopify Partner
1843 210 487

Do you have a public app that is storing any PII in your database or on your servers? If no, there is nothing to be done. If yes, then you have most probably already subscribed to some webhooks from this list - https://help.shopify.com/en/api/reference/events/webhook. GDPR webhooks are no different.

Once you receive the 'customers/data_request' message you have to send the store owner the information for the requested user and you can either automate this, or do it manually through email.

Sergiu Svinarciuc | CTO @ visely.io
- Was my reply helpful? Click Like to let me know!
- Was your question answered? Mark it as an Accepted Solution!
- To learn more about the awesome stuff we do head over to visely.io or our blog
user072319
Shopify Partner
127 0 14

@Visely-Team Yes, I'm storing customer and order details. When I clicked on REQUEST CUSTOMER DATA, I already got an email in the store owner email. So do I need to send the details again? 

Visely-Team
Shopify Partner
1843 210 487

The data you see being sent is Personally Identifiable Information (PII) related to the customer that Shopify stores on its side. Each third-party app must send its own records on the customer to the store owner.

Sergiu Svinarciuc | CTO @ visely.io
vadymds
Shopify Partner
3 0 0

Could you describe in what way I should return the requested data?

From this article: https://shopify.dev/concepts/trust-and-security/gdpr#customers-redact
`It's your responsibility to provide this data to the store owner directly`

Does it mean I should send an email to the store owner with a prepared response, or just return the data in the webhook?

Thank you.

Visely-Team
Shopify Partner
1843 210 487

@vadymds you should provide the merchant with all the data you have on record for the customer that requested the data. It's the merchant's responsibility to pass that information further. You don't have to send anything in response to the webhook.

Sergiu Svinarciuc | CTO @ visely.io
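An added example, not code from this thread or from Shopify: one way to handle `customers/data_request` as the replies above describe. It checks the `X-Shopify-Hmac-Sha256` signature, acknowledges the webhook without returning data, and builds the export to deliver to the merchant separately. The `APP_DB` store, the `merchantEmail` saved at install time, and the function names are assumptions; all sample data is constructed.

```javascript
const crypto = require('node:crypto');

// Assumption: what this app stores, keyed by shop domain (constructed data).
// merchantEmail is saved at install time, when the app holds a valid token
// and can read the shop resource, so no session is needed in the webhook.
const APP_DB = {
  'example-shop.myshopify.com': {
    merchantEmail: 'owner@example.com',
    customers: { 191167: { wishlist: ['sku-1'], notes: 'VIP' } },
    orders: { 299938: { customerId: 191167, giftMessage: 'Happy birthday' } },
  },
};

// Shopify signs the raw request body with the app's client secret
// (HMAC-SHA256, base64) and sends it in the X-Shopify-Hmac-Sha256 header.
function verifyWebhook(rawBody, hmacHeader, secret) {
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const given = Buffer.from(hmacHeader || '', 'base64');
  // Length check first: timingSafeEqual throws on unequal lengths.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Returns the HTTP status for the webhook response plus the export that
// must reach the merchant out of band (email, admin UI download, ...).
function handleDataRequest(rawBody, hmacHeader, secret, db = APP_DB) {
  if (!verifyWebhook(rawBody, hmacHeader, secret)) return { status: 401, export: null };
  const p = JSON.parse(rawBody);
  const shop = db[p.shop_domain];
  if (!shop) return { status: 200, export: null }; // nothing stored for this shop
  // Only release orders that are on record AND belong to the requesting customer.
  const orders = (p.orders_requested || [])
    .filter((id) => shop.orders[id] && shop.orders[id].customerId === p.customer.id)
    .map((id) => ({ id, ...shop.orders[id] }));
  return {
    status: 200, // the response body carries no customer data
    export: {
      to: shop.merchantEmail,
      dataRequestId: p.data_request.id,
      customer: shop.customers[p.customer.id] || null,
      orders,
    },
  };
}
```

Pass the raw request body to `handleDataRequest`, not a re-serialized parsed object, or the signature check will fail.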
vadymds
Shopify Partner
3 0 0

Thank you for your quick response!

I appreciate it!

Have a nice day!

GregSmithRR
Shopify Partner
15 0 6

Would be great if the GDPR webhook docs would just say this. Feels weird to always have to come to the community forums to get clarification. Thanks for the info!

tinyemail
Shopify Partner
8 1 2

We use the Shopify API to fetch customers' data in our application. When we receive 'customers/data_request', how can we identify the merchant email to be notified, when through the OAuth flow we got only an access token and no other information?

Thank you.

Amichay
Shopify Partner
40 1 5

You are able to identify the merchant email by querying the shop endpoint: https://shopify.dev/api/admin-rest/2022-07/resources/shop

bloodyalbatross
Shopify Partner
6 0 1

But how do I query the shop in the webhook? I need a session to access that resource, but I don't have a session inside of the webhook. `await Shopify.Utils.loadOfflineSession(shop_domain)` returns `undefined`.