For GDPR, I'm reviewing all the ways that records are created in our systems and how we request and record consent to processing. I've come up with an edge case that I can't figure out! If someone emails support@[my company's domain], it creates a support case, and if the person is not in Salesforce, it will automatically create a Contact. We use Salesforce Communities as our support platform, but this is similar in Zendesk, etc.
There's no way to check if the person is in the EU and if so to obtain consent to processing before we actually process them! The majority of these people are trial or paid users, so are covered under their organization's MSA, but it's possible for someone who is not a user to contact support this way and have a Contact created. What do we do in this case!?!
Without seeing the process, a couple of high-level suggestions:
Worst case scenario, checking with a legal resource should help!
After adding the language prior to sending the email to support, once the contact is created, send them an email with the details on how they can access their data, opt out or access your preference center, and exercise their right to modification and removal of data. No marketing promotion in this email, just plain information and links.