The GDPR is a complicated regulation. Therefore, we advise you to consult a lawyer as well to figure out exactly how GDPR applies to you and how you need to prepare for it. The GDPR applies differently to every merchant.

Please note that the following does not constitute formal legal advice and is presented for guidance purposes only.

Collecting Personal Data

A name, an address, an email address, a social media account, or even a digital identifier such as an IP address or a cookie ID is a form of personal data. The processing of European Union individuals’ personal data is protected by the GDPR. Therefore, ask yourself these questions:

Does the GDPR require European personal data to be stored in Europe?

No, the GPDR does not require European personal data to be stored in Europe. It only requires the personal data of European residents stored outside Europe to be adequately protected. Under the existing law, companies are already required to protect those personal data.

Are you collecting personal data from customers within Europe?

If your store uses third-party apps or themes, do they collect and process data in accordance with the GDPR? (For example, LimeSpot collects your data and your customers’ data to provide personalized experiences.)

​Privacy notice

Your privacy notice or privacy policy should include the information provided in the GDPR (specifically, Articles 12 to 14 of the GDPR) to notify the individuals whose personal data is being processed. You must ensure that you have a privacy policy that takes account of all the information you must provide according to the regulations.

​Appointing a Data Protection Officer

Having a Data Protection Officer (DPO) who oversees how your organization collects and processes personal data may be required by the GDPR. This person will conduct data protection impact assessments on how a company collects and processes personal data.

​ Customer consent is needed under the GDPR if you obtain and process the personal data of your customers for purposes such as sending marketing messages to customers, using online advertising or retargeting apps, or if you are tracking customers to offer personalized experiences, as LimeSpot does.

The GDPR says that customer consent must be “freely given, specific, informed and unambiguous.” This means that the consumer needs to be given detailed information about why and how personal information is to be used, and that some kind of proactive action needs to be taken by the customer to show consent. Therefore, please check how your company is obtaining customer consent and make sure to make any necessary changes to ensure compliance with the GDPR.

Consider the following issues:

If you have customers who are under the age of 16 (the age can be lower in certain countries), the GDPR has specific parental consent requirements for the processing of their personal data. You may need to change the way you process customer data – either by obtaining parental consent for customers under the age of 16 or stopping processing their data.

Processing GDPR data requests

The GDPR expands individuals’ rights to access and control their personal data. You might need to update the way you process customer data to respond to personal data requests protected under the GDPR.

Customers’ Access Requests and Portability

The GDPR gives individuals the right, in certain circumstances, to request a copy of their personal data that is being processed by a company. The GDPR requires that you provide your customers with a copy of their personal data in a common, easily readable, and portable format, so that they can use that data with a different service provider. If you need to obtain this information to respond to a request, LimeSpot can provide you with the information that it stores. In addition to the information that LimeSpot stores about your customers, you will also need to think about other service providers that you might use who may have access to your customers’ personal data, such as Shopify and third-party apps.

​Deletion Requests

Under the GDPR, individuals have the right to ask that their personal data be be deleted, or to restrict a company from processing it. You should consider how to delete or restrict the processing of customers’ data in respond to a deletion request. As with customer access requests, LimeSpot will help you delete personal data that it stores on your behalf. However, you should also consider your other third-party apps, such as Shopify, whom you may need to work with in order to fulfill a deletion request.

Data breach notification

Under the GDPR, you are most likely required to notify affected users or specific regulatory bodies within 72 hours once you become aware of a data breach. Putting together a data breach response plan would be beneficial for your business so that you are prepared if such an incident happens.


The GDPR imposes certain requirements on a company that uses third-party vendors and service providers to process the personal data of its users. Consider reviewing the privacy practices of the vendors and service providers that you use, including LimeSpot, to try to make sure that they adequately protect your customers’ personal data.

​Appointing a Data Protection Officer

Having a Data Protection Officer (DPO) who oversees how your organization collects and processes personal data may be required by GDPR. They will help in organizing your company to conduct data protection impact assessments on how the company collects and processes personal data.

Third-party apps

The GDPR requires that you take a number of affirmative steps relating to your and your third-party service providers’ collection and use of personal data. This includes Shopify, but also any third-party apps or themes that you might use in connection with your Shopify store, such as LimeSpot. While we are happy to help you to the extent we can with regards to our data practices, it is up to you to ensure that you are using third-party apps in a way that complies with the GDPR. Compliance needs will vary depending on where you are located, where your customers are located, where the app developer is located, and how you have implemented and installed the app.