E-commerce
July 1, 2026
"Delete my data now." A customer writes in the chat at 10 PM. The agent is not there. A misconfigured bot confirms the deletion, only affects Shopify, and leaves Klaviyo and Gorgias untouched. Or worse: it treats a GDPR request as a simple newsletter unsubscription.
An AI chatbot for GDPR requests does not replace the DPO or the human DSAR-FLOW process. It detects intent (access, deletion, portability), informs about legal deadlines, collects structured fields, verifies basic identity, and escalates to a full DSAR ticket without executing the deletion on its own.
This guide #384 covers triage, GDPR-BOT flow, responsible AI guardrails, and gdpr_bot KPIs. It is distinct from the DSAR-FLOW agents (#383) (human discovery + deletion execution) and the GDPR chatbot (#142) (general DPA compliance, legal bases): here, the focus is on bot triage and DSAR escalation use cases.
Summary
Why route GDPR requests through an AI chatbot upstream of customer service?
GDPR requests via e-commerce chat often arrive outside of office hours, with vague phrasing and emotional urgency. Without bot triage, three failures recur.
Three dysfunctions without a GDPR bot
Unsub/GDPR confusion: deletion wrongly promised for "stop emails"
Incomplete ticket: agent follows up 3× due to missing email or unidentified right
Legal deadline: late receipt timestamp because the request is drowned in the general chat
The EDPB recalls in 2025 that the one-month deadline for the right of access starts upon receipt of the request (EDPB, right of access 2025). A bot that registers the intake immediately protects this deadline.
Angle #384 vs neighboring articles
#383 DSAR-FLOW agents: discovery, deletion, GDPR macros. #384 automates the upstream triage.
#142 GDPR chatbot: DPA, retention, AI Act. #384 = specific DSAR flow.
#381 unsub: marketing off. Handoff if gdpr_confusion_unsub.
#382 preferences: PREF-FLOW channel consent. Distinct from Art. 17.
DTC Example
Beauty brand, 40% of privacy requests via chat before GDPR-BOT. Incomplete DSAR tickets 62%, median time 26 days. After bot flow: gdpr_bot_triage_complete 91%, median time 13 days, zero auto-delete incidents.
Responsible AI Principle
The bot welcomes, classifies, informs, and escalates. It never deletes multi-system data on its own. Human or DPO validation is mandatory before DF-6 of #383.
How does the GDPR bot differ from the DSAR-FLOW #383 process?
The GDPR triage bot and the DSAR-FLOW agent process complement each other in a sequential pipeline.
#384 bot: upstream (minutes 0-5)
Detect gdpr_access, gdpr_erasure, gdpr_portability intents, etc.
Clarify unsub (#381) vs erasure Art. 17
Inform 30-day deadline, identity verification, scope
Collect email, requested right, details
Create DSAR-ID ticket + legal timestamp
Identity verification Level 1-2: email OTP, recent order
#383 agents: execution (days 1-28)
Discovery 14 systems Shopify, Klaviyo, Gorgias
Analyze exemptions Art. 17 accounting, litigation
Execute ZIP export or partial/total deletion
Reply to customer within 30 days using GDPR-* macros
Structured handoff
Pre-filled ticket: DSAR-ID, right_type, identity_level, email, transcript 5 messages, gdpr_clarify_outcome, timestamp_reception. Agent takes over DF-4 discovery without re-questioning the customer.
What the bot does not do
No Shopify API deletes, no full data exports, no Art. 17 exemption refusals, no legal advice. CNIL stresses facilitating rights, not replacing human decisions for complex issues (CNIL, individuals' rights).
Complementarity #381/#382
If intent is resolved as pref_unsub or pref_sms_off: route to PREF-FLOW or UNSUB-FLOW without creating a DSAR. Prevents GDPR over-processing.
Which gdpr_* intents should the chatbot detect?
The GDPR chatbot intent detection combines keywords, NLP, and Shopify session context.
Ten main gdpr_bot intents
gdpr_access: "copy of my data", "what data do you hold"
gdpr_erasure: "delete my data", "right to be forgotten", "erase everything"
gdpr_rectification: "correct my address in your database"
gdpr_portability: "JSON export", "transfer my data"
gdpr_restriction: "stop processing pending dispute"
gdpr_objection: marketing objection (similar to unsub)
gdpr_confusion_unsub: "delete" after promotional email received
gdpr_chatbot_logs: bot conversation access/erasure
gdpr_status_check: "what is the status of my request DSAR-1234"
gdpr_urgent_threat: CNIL threat, lawyer, press
Strong textual signals
GDPR, RGPD, CNIL, personal data, privacy request
Right to be forgotten, data subject request, DSAR
Article 15, 17, 20 (advanced formulations)
Weak signals to clarify
"Delete my account" can be account closure (#guest) or GDPR erasure. The bot asks a bifurcation question before gdpr_erasure.
Conversation tags
gdpr_bot_detected, gdpr_bot_clarified, gdpr_bot_ticket_created, gdpr_bot_handoff_dpo, gdpr_bot_reroute_unsub, gdpr_bot_reroute_pref. Sync Gorgias/Zendesk.
Intent priority
gdpr_urgent_threat > gdpr_erasure > gdpr_access > gdpr_confusion_unsub. Urgent: Slack alert #privacy + handoff 2h SLA.
Which GDPR-BOT conversational flow should you configure?
The GDPR-BOT flow consists of 6 to 8 steps, with branches depending on the detected intent.
Basic sequence (gdpr_erasure or gdpr_access)
GB-1 Transparent welcome: "AI Assistant. To exercise your GDPR rights, I will guide you. Legal deadline: 30 days."
GB-2 Classify right: access, erasure, rectification, portability, other
GB-3 Clarify if ambiguous: marketing unsub vs full erasure (branch #381)
GB-4 Collect email: address associated with the account or orders
GB-5 Identity verification Level 1-2: Email OTP or recent order number
GB-6 Inform scope: erasure can be partial (accounting, litigation)
GB-7 Create DSAR-ID: privacy ticket + equivalent GDPR-ACK acknowledgment
GB-8 Close bot: "DSAR-[ID] case opened. Privacy team responds within 30 days."
gdpr_confusion_unsub Branch
"Do you want to stop promo emails (fast) or exercise a full erasure right (30-day process)?" Quick reply: Promo only → UNSUB-FLOW #381 or PREF-FLOW #382. Erasure → resume GB-4.
gdpr_status_check Branch
Lookup DSAR-ID + email match → status (open, discovery, closed). No data details provided via bot (minimization).
gdpr_urgent_threat Branch
Skip marketing tone. Immediate escalation gdpr_handoff_dpo. Message: "Your request is prioritized. Response within 48 hours."
UX and AI Act
"AI Assistant" badge visible. Mention of rights before collection. Link to privacy policy. Compliant with Article 50 of the AI Act (#142).
Flow Prohibitions
Never "Your data has been deleted" without validated DF-6 #383 execution. Correct message: "Request recorded, processing in progress."
What can and cannot the bot do regarding GDPR rights?
The authorized vs. unauthorized GDPR bot matrix protects both the brand and the customer.
Authorized bot actions
Detect and classify intent gdpr_*
Explain Art. 12 deadlines (30 days, 2-month extension)
Differentiate between unsub, channel preferences, and GDPR erasure
Collect structured DSAR intake fields
Verify identity Level 1-2 (OTP, order)
Create timestamped DSAR-ID ticket in the helpdesk
Route unsub/pref to flows #381/#382 if sufficient
Provide status of existing DSAR file (without sharing data)
Unauthorized bot actions
Delete customer Shopify API
Delete Klaviyo profile or purge Gorgias
Send full export of personal data
Refuse Art. 17 derogation without DPO approval
Request systematic passport scans
Promise guaranteed 24-hour erasure
Provide legal advice on GDPR interpretation
Grey area: simple rectification
Correction of delivery address for an ongoing order: the bot can guide the user to the Shopify account self-service. Rectification of marketing database (Klaviyo profile email): create a DSAR rectification ticket, do not auto-fix without verification.
Chatbot logs in DSAR
gdpr_chatbot_logs: bot informs that sessions will be included in discovery #383. Logs purge post-validated erasure via vendor API, not via customer conversation.
System prompt documentation
Explicit bot instructions: "Never confirm erasure. Always create DSAR-ID. Escalate gdpr_urgent and gdpr_erasure after GB-7." Quarterly review with DPO.
How do you verify identity in the bot without over-collecting?
The GDPR bot identity verification uses the 3 levels #383, limited to Level 1-2 in self-service bot.
Bot Level 1 (status access, intake)
Logged-in Shopify customer: pre-filled session email
Guest: declared email + confirmation "yes, that is really me"
Bot Level 2 (DSAR creation)
6-digit OTP sent to declared email
OR order number + delivery zip code matching Shopify
Level 3 reserved for humans
Total erasure with dispute or identity doubt: bot creates DSAR, tags identity_pending_level3. Agent #383 sends GDPR-ID-01 if necessary. No passport upload in unencrypted chat widget.
CNIL Proportionality
Risk-calibrated verification: DSAR status access = Level 1. Opening erasure file = Level 2 minimum. Avoids sanctioned practices of over-collecting identity (Zunapro, GDPR e-commerce France 2026).
OTP Failure
3 attempts max u2192 agent handoff with tag gdpr_identity_fail. Propose privacy@ alternative email channel.
Deadline Parallelization
Timestamp GB-7 = legal receipt of DSAR even if Level 3 identity is pending. Discovery #383 starts in parallel.
How do I create the DSAR ticket and handoff to process #383?
The DSAR-FLOW bot handoff transforms a conversation into an actionable ops ticket.
Required ticket fields (12)
dsar_id (DSAR-2026-XXXX auto)
timestamp_reception (ISO UTC)
right_type (access, erasure, rectification, portability, other)
requester_email
identity_verified_level (0, 1, 2, pending_3)
channel_source (web_chat, whatsapp, email_forward)
gdpr_clarify_outcome (confirmed_erasure, rerouted_unsub, rerouted_pref)
customer_shopify_id if known
urgency (normal, urgent_threat)
transcript_summary (max 200 chars, no raw dump)
bot_session_id (for gdpr_chatbot_logs)
sla_due_date (calendar D+30)
Webhook flow
GB-7 Bot → Gorgias/Zendesk webhook → gdpr_dsar tag + assign privacy queue → equivalent auto GDPR-ACK-01 email → Slack #privacy if urgent.
Customer bot acknowledgment
"Your [erasure/access] request has been registered under DSAR-[ID] on [date]. Our privacy team will process your request within 30 days. You will receive a confirmation email at [email]."
DSAR registry sync
Secondary webhook to spreadsheet or privacy tool (OneTrust DSAR module) for central registry #383.
Frictionless agent takeover
Agent opens ticket: all GB fields filled, starts DF-4 discovery directly. No "what is your email?" if already Level 2 verified.
Bot status loop
Agent closes DSAR → update custom field dsar_status=closed. Customer gdpr_status_check sees updated status.
What legal rules and responsible AI should be applied to the bot?
The responsible GDPR AI bot complies with GDPR, the AI Act, and CNIL best practices on AI systems.
Transparency obligations
AI disclosure under Article 50 of the AI Act (from August 2, 2026)
Link to privacy policy and channels for exercising rights
No deceptive human simulation for sensitive requests
Minimization of DSAR conversations
Do not request superfluous data (card number, health info). Collect the strict minimum during intake. Bot logs are subject to retention policy #142 (30-90 days).
No automated decision-making under Art. 22
Denial of erasure, accounting exemptions, doubtful identity assessment: always handled by a human/DPO. The bot does not "decide" the fate of the data.
Bot provider DPA
Rights assistance clause under Art. 28. The vendor purges logs upon validated erasure request. No LLM training on DSAR transcripts without a legal basis.
CNIL and AI 2025
The CNIL points out that exercising rights on AI data may involve delays or limitations if model retraining is required (CNIL, rights and AI). The bot informs the client that the request will be processed, with a possible 2-month extension if complex.
FR/EN Multilingual
GDPR-BOT flow in French and English for UK/IE markets. Same safeguards, same auto-delete prohibitions.
Which gdpr_bot KPIs should be measured every month?
The e-commerce GDPR bot KPIs prove effective triage without compliance incidents.
Eight key metrics
gdpr_bot_detection_rate: sessions with gdpr_* intent / total chat
gdpr_bot_triage_complete: DSAR-ID created with complete fields / gdpr sessions
gdpr_bot_reroute_unsub_rate: rerouted #381/#382 vs DSARs created
gdpr_bot_identity_l2_rate: successful Level 2 verification / DSARs created
gdpr_bot_handoff_urgent_sla: urgent cases contacted within 48 hours
gdpr_bot_false_promise_rate: wrongly confirmed deletion messages (target 0%)
dsar_median_days_post_bot: total delay post-intake bot
gdpr_bot_csat: post-flow GDPR-BOT satisfaction
DTC Benchmark
Targets: triage_complete > 90%, false_promise 0%, reroute_unsub 25-40% (clarify quality), dsar_median_days < 15 post-bot.
Privacy + support dashboard
Volume by right_type, top gdpr_confusion_unsub formulations, urgent handoff count. Cross-reference dsar_sla_30d_rate #383.
Monthly transcripts audit
Review 20 random gcpr_bot sessions: compliance with section 5 prohibitions, quality of GB-6 perimeter info. Privacy bot compliance score.
Agent time ROI
Pre-filled vs empty DSAR tickets: -15 min intake per case. 22 DSARs/quarter × 15 min = 5.5 hours saved + secured legal deadline.
What GDPR bot edge cases and anti-patterns should be avoided?
Eight GDPR bot edge cases require documented GDPR-BOT rules.
1. Customer insists on immediate deletion
Bot repeats: request recorded, legal delay 30 days, no false confirmation. Escalate to gdpr_urgent if threat. Never delete API.
2. Request via WhatsApp
Same GB flow, wa_id in ticket. Identity verification via email OTP (not SMS alone if deletion).
3. Minor or parent third party
Immediate DPO handoff. Bot does not process alone.
4. Mandated attorney
Collect principal email + attorney email. Tag gdpr_third_party. Level 3 Handoff.
5. Double email + chat request
Dedup DSAR-ID by email 24 h. Avoids 2 parallel discoveries. See duplicate tickets.
6. LLM hallucinating deletion
Guardrails: deletion responses only from approved templates GB-7/GB-8. No free generation of "it's done".
7. Customer requests live chat data
gdpr_chatbot_logs: explain inclusion in DSAR access, no real-time export in widget.
8. Post-deletion "my data still exists"
gdpr_still_data: bot creates ticket linked to original DSAR, handoff agent #383 DF-9 reopen.
Anti-patterns
Auto-delete Shopify on keyword "delete"
Bot alone without human privacy queue
No GB-7 timestamp
Ignore gdpr_confusion_unsub branch
Full transcript in unencrypted ticket
How does Qstomy sort GDPR requests without executing the erasure?
Qstomy implements GDPR-BOT on Shopify: detection, clarification, DSAR intake, and structured handoff to DSAR-FLOW #383.
GDPR-BOT Qstomy Capabilities
gdpr_intent_detect: access, erasure, portability, rectification
gdpr_clarify_unsub_pref: bifurcation #381/#382 vs DSAR
gdpr_otp_verify: Level 2 email verification before DSAR-ID
gdpr_dsar_create: pre-filled Gorgias/Zendesk ticket with 12 fields
gdpr_scope_inform: partial erasure possible, 30-day delay
gdpr_urgent_escalate: Slack #privacy + urgent tag
gdpr_no_auto_delete: hard-coded guardrail, zero API delete
Addition to #383
Qstomy = GB-1 to GB-8. #383 Agents = DF-4 to DF-9. Complete DTC privacy pipeline.
Encrypted DTC Scenario
Perfume brand, 28 GDPR requests/quarter including 11 via chat, manual triage before Qstomy.
After GDPR-BOT: gdpr_bot_triage_complete 93%, gdpr_bot_false_promise 0%, gdpr_bot_reroute_unsub 36% (actual unsub), dsar_median_days 12, CNIL complaints 0.
Explore AI support, analytics, and request a demo.
Compliance #142
Qstomy DPA, log retention, AI Act transparency integrated. GDPR-BOT = specific data subject rights layer.
What is the checklist for deploying GDPR-BOT?
GDPR-BOT Checklist (12 steps)
Validate section 5 allowed/prohibited matrix with DPO
Configure 10 gdpr_* intents + section 3 signals
Deploy flow GB-1 to GB-8 + unsub confusion branch
Enable Level 2 OTP and anti-hallucination erasure guardrails
12-field webhook ticket to privacy queue
Sync DSAR registry #383 + auto-email acknowledgment
gdpr_urgent_threat Slack alert under 5 min
Train agents: take over bot ticket without re-intake
Staging tests: erasure, access, unsub confusion, urgent
Monthly gdpr_bot KPI Dashboard
Audit 20 transcripts/quarter compliance
Semi-annual GDPR system prompt review with DPO
In brief
#384 = GDPR bot triage, #383 = DSAR agent execution
GDPR-BOT: detect, clarify, inform, escalate
Never auto-delete: non-negotiable guardrail
GB-7 timestamp: protects 30-day legal deadline
KPI false_promise 0%: transcript audit
FAQ
Can the bot delete my Shopify account?
No. It logs the DSAR request and escalates. Erasure executed by agents #383 after discovery.
Difference with #142 GDPR chatbot?
#142 = general bot compliance (DPA, retention, AI Act). #384 = DSAR flow triage and escalation.
Customer just wants to stop emails?
gdpr_confusion_unsub branch → UNSUB #381 or PREF #382. No DSAR if unsub is sufficient.
Request received at 11 PM, when does the deadline start?
At GB-7 DSAR-ID creation, even at night. Email acknowledgment by next business day.
Is a /privacy-request form needed as well?
CNIL recommended. Chat bot = additional channel, same DSAR-FLOW #383 process.
Going further
Test GDPR-BOT staging: simulate "delete my data" then "stop promo emails" and check DSAR vs unsub reroute bifurcation in less than 2 min each.
Share this #384 guide with DPO, support, and bot team: a well-configured GDPR triage secures the legal deadline without ever promising what automation cannot execute.

Enzo
July 1, 2026





