E-commerce

AI Chatbot and GDPR requests: filter, inform, and escalate without risk

AI Chatbot and GDPR requests: filter, inform, and escalate without risk

July 1, 2026

"Delete my data now." A customer writes in the chat at 10 PM. The agent is not there. A misconfigured bot confirms the deletion, only affects Shopify, and leaves Klaviyo and Gorgias untouched. Or worse: it treats a GDPR request as a simple newsletter unsubscription.

An AI chatbot for GDPR requests does not replace the DPO or the human DSAR-FLOW process. It detects intent (access, deletion, portability), informs about legal deadlines, collects structured fields, verifies basic identity, and escalates to a full DSAR ticket without executing the deletion on its own.

This guide #384 covers triage, GDPR-BOT flow, responsible AI guardrails, and gdpr_bot KPIs. It is distinct from the DSAR-FLOW agents (#383) (human discovery + deletion execution) and the GDPR chatbot (#142) (general DPA compliance, legal bases): here, the focus is on bot triage and DSAR escalation use cases.

Summary

Why route GDPR requests through an AI chatbot upstream of customer service?

GDPR requests via e-commerce chat often arrive outside of office hours, with vague phrasing and emotional urgency. Without bot triage, three failures recur.

Three dysfunctions without a GDPR bot

  • Unsub/GDPR confusion: deletion wrongly promised for "stop emails"

  • Incomplete ticket: agent follows up 3× due to missing email or unidentified right

  • Legal deadline: late receipt timestamp because the request is drowned in the general chat

The EDPB recalls in 2025 that the one-month deadline for the right of access starts upon receipt of the request (EDPB, right of access 2025). A bot that registers the intake immediately protects this deadline.

Angle #384 vs neighboring articles

DTC Example

Beauty brand, 40% of privacy requests via chat before GDPR-BOT. Incomplete DSAR tickets 62%, median time 26 days. After bot flow: gdpr_bot_triage_complete 91%, median time 13 days, zero auto-delete incidents.

Responsible AI Principle

The bot welcomes, classifies, informs, and escalates. It never deletes multi-system data on its own. Human or DPO validation is mandatory before DF-6 of #383.

How does the GDPR bot differ from the DSAR-FLOW #383 process?

The GDPR triage bot and the DSAR-FLOW agent process complement each other in a sequential pipeline.

#384 bot: upstream (minutes 0-5)

  • Detect gdpr_access, gdpr_erasure, gdpr_portability intents, etc.

  • Clarify unsub (#381) vs erasure Art. 17

  • Inform 30-day deadline, identity verification, scope

  • Collect email, requested right, details

  • Create DSAR-ID ticket + legal timestamp

  • Identity verification Level 1-2: email OTP, recent order

#383 agents: execution (days 1-28)

  • Discovery 14 systems Shopify, Klaviyo, Gorgias

  • Analyze exemptions Art. 17 accounting, litigation

  • Execute ZIP export or partial/total deletion

  • Reply to customer within 30 days using GDPR-* macros

Structured handoff

Pre-filled ticket: DSAR-ID, right_type, identity_level, email, transcript 5 messages, gdpr_clarify_outcome, timestamp_reception. Agent takes over DF-4 discovery without re-questioning the customer.

What the bot does not do

No Shopify API deletes, no full data exports, no Art. 17 exemption refusals, no legal advice. CNIL stresses facilitating rights, not replacing human decisions for complex issues (CNIL, individuals' rights).

Complementarity #381/#382

If intent is resolved as pref_unsub or pref_sms_off: route to PREF-FLOW or UNSUB-FLOW without creating a DSAR. Prevents GDPR over-processing.

Which gdpr_* intents should the chatbot detect?

The GDPR chatbot intent detection combines keywords, NLP, and Shopify session context.

Ten main gdpr_bot intents

  1. gdpr_access: "copy of my data", "what data do you hold"

  2. gdpr_erasure: "delete my data", "right to be forgotten", "erase everything"

  3. gdpr_rectification: "correct my address in your database"

  4. gdpr_portability: "JSON export", "transfer my data"

  5. gdpr_restriction: "stop processing pending dispute"

  6. gdpr_objection: marketing objection (similar to unsub)

  7. gdpr_confusion_unsub: "delete" after promotional email received

  8. gdpr_chatbot_logs: bot conversation access/erasure

  9. gdpr_status_check: "what is the status of my request DSAR-1234"

  10. gdpr_urgent_threat: CNIL threat, lawyer, press

Strong textual signals

  • GDPR, RGPD, CNIL, personal data, privacy request

  • Right to be forgotten, data subject request, DSAR

  • Article 15, 17, 20 (advanced formulations)

Weak signals to clarify

"Delete my account" can be account closure (#guest) or GDPR erasure. The bot asks a bifurcation question before gdpr_erasure.

Conversation tags

gdpr_bot_detected, gdpr_bot_clarified, gdpr_bot_ticket_created, gdpr_bot_handoff_dpo, gdpr_bot_reroute_unsub, gdpr_bot_reroute_pref. Sync Gorgias/Zendesk.

Intent priority

gdpr_urgent_threat > gdpr_erasure > gdpr_access > gdpr_confusion_unsub. Urgent: Slack alert #privacy + handoff 2h SLA.

Which GDPR-BOT conversational flow should you configure?

The GDPR-BOT flow consists of 6 to 8 steps, with branches depending on the detected intent.

Basic sequence (gdpr_erasure or gdpr_access)

  1. GB-1 Transparent welcome: "AI Assistant. To exercise your GDPR rights, I will guide you. Legal deadline: 30 days."

  2. GB-2 Classify right: access, erasure, rectification, portability, other

  3. GB-3 Clarify if ambiguous: marketing unsub vs full erasure (branch #381)

  4. GB-4 Collect email: address associated with the account or orders

  5. GB-5 Identity verification Level 1-2: Email OTP or recent order number

  6. GB-6 Inform scope: erasure can be partial (accounting, litigation)

  7. GB-7 Create DSAR-ID: privacy ticket + equivalent GDPR-ACK acknowledgment

  8. GB-8 Close bot: "DSAR-[ID] case opened. Privacy team responds within 30 days."

gdpr_confusion_unsub Branch

"Do you want to stop promo emails (fast) or exercise a full erasure right (30-day process)?" Quick reply: Promo only → UNSUB-FLOW #381 or PREF-FLOW #382. Erasure → resume GB-4.

gdpr_status_check Branch

Lookup DSAR-ID + email match → status (open, discovery, closed). No data details provided via bot (minimization).

gdpr_urgent_threat Branch

Skip marketing tone. Immediate escalation gdpr_handoff_dpo. Message: "Your request is prioritized. Response within 48 hours."

UX and AI Act

"AI Assistant" badge visible. Mention of rights before collection. Link to privacy policy. Compliant with Article 50 of the AI Act (#142).

Flow Prohibitions

Never "Your data has been deleted" without validated DF-6 #383 execution. Correct message: "Request recorded, processing in progress."

What can and cannot the bot do regarding GDPR rights?

The authorized vs. unauthorized GDPR bot matrix protects both the brand and the customer.

Authorized bot actions

  • Detect and classify intent gdpr_*

  • Explain Art. 12 deadlines (30 days, 2-month extension)

  • Differentiate between unsub, channel preferences, and GDPR erasure

  • Collect structured DSAR intake fields

  • Verify identity Level 1-2 (OTP, order)

  • Create timestamped DSAR-ID ticket in the helpdesk

  • Route unsub/pref to flows #381/#382 if sufficient

  • Provide status of existing DSAR file (without sharing data)

Unauthorized bot actions

  • Delete customer Shopify API

  • Delete Klaviyo profile or purge Gorgias

  • Send full export of personal data

  • Refuse Art. 17 derogation without DPO approval

  • Request systematic passport scans

  • Promise guaranteed 24-hour erasure

  • Provide legal advice on GDPR interpretation

Grey area: simple rectification

Correction of delivery address for an ongoing order: the bot can guide the user to the Shopify account self-service. Rectification of marketing database (Klaviyo profile email): create a DSAR rectification ticket, do not auto-fix without verification.

Chatbot logs in DSAR

gdpr_chatbot_logs: bot informs that sessions will be included in discovery #383. Logs purge post-validated erasure via vendor API, not via customer conversation.

System prompt documentation

Explicit bot instructions: "Never confirm erasure. Always create DSAR-ID. Escalate gdpr_urgent and gdpr_erasure after GB-7." Quarterly review with DPO.

How do you verify identity in the bot without over-collecting?

The GDPR bot identity verification uses the 3 levels #383, limited to Level 1-2 in self-service bot.

Bot Level 1 (status access, intake)

  • Logged-in Shopify customer: pre-filled session email

  • Guest: declared email + confirmation "yes, that is really me"

Bot Level 2 (DSAR creation)

  • 6-digit OTP sent to declared email

  • OR order number + delivery zip code matching Shopify

Level 3 reserved for humans

Total erasure with dispute or identity doubt: bot creates DSAR, tags identity_pending_level3. Agent #383 sends GDPR-ID-01 if necessary. No passport upload in unencrypted chat widget.

CNIL Proportionality

Risk-calibrated verification: DSAR status access = Level 1. Opening erasure file = Level 2 minimum. Avoids sanctioned practices of over-collecting identity (Zunapro, GDPR e-commerce France 2026).

OTP Failure

3 attempts max u2192 agent handoff with tag gdpr_identity_fail. Propose privacy@ alternative email channel.

Deadline Parallelization

Timestamp GB-7 = legal receipt of DSAR even if Level 3 identity is pending. Discovery #383 starts in parallel.

How do I create the DSAR ticket and handoff to process #383?

The DSAR-FLOW bot handoff transforms a conversation into an actionable ops ticket.

Required ticket fields (12)

  1. dsar_id (DSAR-2026-XXXX auto)

  2. timestamp_reception (ISO UTC)

  3. right_type (access, erasure, rectification, portability, other)

  4. requester_email

  5. identity_verified_level (0, 1, 2, pending_3)

  6. channel_source (web_chat, whatsapp, email_forward)

  7. gdpr_clarify_outcome (confirmed_erasure, rerouted_unsub, rerouted_pref)

  8. customer_shopify_id if known

  9. urgency (normal, urgent_threat)

  10. transcript_summary (max 200 chars, no raw dump)

  11. bot_session_id (for gdpr_chatbot_logs)

  12. sla_due_date (calendar D+30)

Webhook flow

GB-7 Bot → Gorgias/Zendesk webhook → gdpr_dsar tag + assign privacy queue → equivalent auto GDPR-ACK-01 email → Slack #privacy if urgent.

Customer bot acknowledgment

"Your [erasure/access] request has been registered under DSAR-[ID] on [date]. Our privacy team will process your request within 30 days. You will receive a confirmation email at [email]."

DSAR registry sync

Secondary webhook to spreadsheet or privacy tool (OneTrust DSAR module) for central registry #383.

Frictionless agent takeover

Agent opens ticket: all GB fields filled, starts DF-4 discovery directly. No "what is your email?" if already Level 2 verified.

Bot status loop

Agent closes DSAR → update custom field dsar_status=closed. Customer gdpr_status_check sees updated status.

What legal rules and responsible AI should be applied to the bot?

The responsible GDPR AI bot complies with GDPR, the AI Act, and CNIL best practices on AI systems.

Transparency obligations

  • AI disclosure under Article 50 of the AI Act (from August 2, 2026)

  • Link to privacy policy and channels for exercising rights

  • No deceptive human simulation for sensitive requests

Minimization of DSAR conversations

Do not request superfluous data (card number, health info). Collect the strict minimum during intake. Bot logs are subject to retention policy #142 (30-90 days).

No automated decision-making under Art. 22

Denial of erasure, accounting exemptions, doubtful identity assessment: always handled by a human/DPO. The bot does not "decide" the fate of the data.

Bot provider DPA

Rights assistance clause under Art. 28. The vendor purges logs upon validated erasure request. No LLM training on DSAR transcripts without a legal basis.

CNIL and AI 2025

The CNIL points out that exercising rights on AI data may involve delays or limitations if model retraining is required (CNIL, rights and AI). The bot informs the client that the request will be processed, with a possible 2-month extension if complex.

FR/EN Multilingual

GDPR-BOT flow in French and English for UK/IE markets. Same safeguards, same auto-delete prohibitions.

Which gdpr_bot KPIs should be measured every month?

The e-commerce GDPR bot KPIs prove effective triage without compliance incidents.

Eight key metrics

  • gdpr_bot_detection_rate: sessions with gdpr_* intent / total chat

  • gdpr_bot_triage_complete: DSAR-ID created with complete fields / gdpr sessions

  • gdpr_bot_reroute_unsub_rate: rerouted #381/#382 vs DSARs created

  • gdpr_bot_identity_l2_rate: successful Level 2 verification / DSARs created

  • gdpr_bot_handoff_urgent_sla: urgent cases contacted within 48 hours

  • gdpr_bot_false_promise_rate: wrongly confirmed deletion messages (target 0%)

  • dsar_median_days_post_bot: total delay post-intake bot

  • gdpr_bot_csat: post-flow GDPR-BOT satisfaction

DTC Benchmark

Targets: triage_complete > 90%, false_promise 0%, reroute_unsub 25-40% (clarify quality), dsar_median_days < 15 post-bot.

Privacy + support dashboard

Volume by right_type, top gdpr_confusion_unsub formulations, urgent handoff count. Cross-reference dsar_sla_30d_rate #383.

Monthly transcripts audit

Review 20 random gcpr_bot sessions: compliance with section 5 prohibitions, quality of GB-6 perimeter info. Privacy bot compliance score.

Agent time ROI

Pre-filled vs empty DSAR tickets: -15 min intake per case. 22 DSARs/quarter × 15 min = 5.5 hours saved + secured legal deadline.

What GDPR bot edge cases and anti-patterns should be avoided?

Eight GDPR bot edge cases require documented GDPR-BOT rules.

1. Customer insists on immediate deletion

Bot repeats: request recorded, legal delay 30 days, no false confirmation. Escalate to gdpr_urgent if threat. Never delete API.

2. Request via WhatsApp

Same GB flow, wa_id in ticket. Identity verification via email OTP (not SMS alone if deletion).

3. Minor or parent third party

Immediate DPO handoff. Bot does not process alone.

4. Mandated attorney

Collect principal email + attorney email. Tag gdpr_third_party. Level 3 Handoff.

5. Double email + chat request

Dedup DSAR-ID by email 24 h. Avoids 2 parallel discoveries. See duplicate tickets.

6. LLM hallucinating deletion

Guardrails: deletion responses only from approved templates GB-7/GB-8. No free generation of "it's done".

7. Customer requests live chat data

gdpr_chatbot_logs: explain inclusion in DSAR access, no real-time export in widget.

8. Post-deletion "my data still exists"

gdpr_still_data: bot creates ticket linked to original DSAR, handoff agent #383 DF-9 reopen.

Anti-patterns

  • Auto-delete Shopify on keyword "delete"

  • Bot alone without human privacy queue

  • No GB-7 timestamp

  • Ignore gdpr_confusion_unsub branch

  • Full transcript in unencrypted ticket

How does Qstomy sort GDPR requests without executing the erasure?

Qstomy implements GDPR-BOT on Shopify: detection, clarification, DSAR intake, and structured handoff to DSAR-FLOW #383.

GDPR-BOT Qstomy Capabilities

  • gdpr_intent_detect: access, erasure, portability, rectification

  • gdpr_clarify_unsub_pref: bifurcation #381/#382 vs DSAR

  • gdpr_otp_verify: Level 2 email verification before DSAR-ID

  • gdpr_dsar_create: pre-filled Gorgias/Zendesk ticket with 12 fields

  • gdpr_scope_inform: partial erasure possible, 30-day delay

  • gdpr_urgent_escalate: Slack #privacy + urgent tag

  • gdpr_no_auto_delete: hard-coded guardrail, zero API delete

Addition to #383

Qstomy = GB-1 to GB-8. #383 Agents = DF-4 to DF-9. Complete DTC privacy pipeline.

Encrypted DTC Scenario

Perfume brand, 28 GDPR requests/quarter including 11 via chat, manual triage before Qstomy.

After GDPR-BOT: gdpr_bot_triage_complete 93%, gdpr_bot_false_promise 0%, gdpr_bot_reroute_unsub 36% (actual unsub), dsar_median_days 12, CNIL complaints 0.

Explore AI support, analytics, and request a demo.

Compliance #142

Qstomy DPA, log retention, AI Act transparency integrated. GDPR-BOT = specific data subject rights layer.

What is the checklist for deploying GDPR-BOT?

GDPR-BOT Checklist (12 steps)

  1. Validate section 5 allowed/prohibited matrix with DPO

  2. Configure 10 gdpr_* intents + section 3 signals

  3. Deploy flow GB-1 to GB-8 + unsub confusion branch

  4. Enable Level 2 OTP and anti-hallucination erasure guardrails

  5. 12-field webhook ticket to privacy queue

  6. Sync DSAR registry #383 + auto-email acknowledgment

  7. gdpr_urgent_threat Slack alert under 5 min

  8. Train agents: take over bot ticket without re-intake

  9. Staging tests: erasure, access, unsub confusion, urgent

  10. Monthly gdpr_bot KPI Dashboard

  11. Audit 20 transcripts/quarter compliance

  12. Semi-annual GDPR system prompt review with DPO

In brief

  • #384 = GDPR bot triage, #383 = DSAR agent execution

  • GDPR-BOT: detect, clarify, inform, escalate

  • Never auto-delete: non-negotiable guardrail

  • GB-7 timestamp: protects 30-day legal deadline

  • KPI false_promise 0%: transcript audit

FAQ

Can the bot delete my Shopify account?
No. It logs the DSAR request and escalates. Erasure executed by agents #383 after discovery.

Difference with #142 GDPR chatbot?
#142 = general bot compliance (DPA, retention, AI Act). #384 = DSAR flow triage and escalation.

Customer just wants to stop emails?
gdpr_confusion_unsub branch → UNSUB #381 or PREF #382. No DSAR if unsub is sufficient.

Request received at 11 PM, when does the deadline start?
At GB-7 DSAR-ID creation, even at night. Email acknowledgment by next business day.

Is a /privacy-request form needed as well?
CNIL recommended. Chat bot = additional channel, same DSAR-FLOW #383 process.

Going further

Test GDPR-BOT staging: simulate "delete my data" then "stop promo emails" and check DSAR vs unsub reroute bifurcation in less than 2 min each.

Share this #384 guide with DPO, support, and bot team: a well-configured GDPR triage secures the legal deadline without ever promising what automation cannot execute.

Enzo

July 1, 2026

Convert over 2,000 customers on average per month with Qstomy.

The world’s 1st Shopify AI dedicated to customer conversion

Empowering 200+ e-commerce merchants

Subscribe to the newsletter and get a personalized e-book!

No-code solution, no technical knowledge required. AI trained on your e-shop and non-intrusive.

*Unsubscribe at any time. We do not send spam.

Subscribe to the newsletter and get a personalized e-book!

No-code solution, no technical knowledge required. AI trained on your e-shop and non-intrusive.

*Unsubscribe at any time. We do not send spam.