For GDPR, I'm reviewing all the ways that records are created in our systems and how we request and record consent to processing. I've come up with an edge case that I can't figure out! If someone emails support@[my company's domain], it creates a support case, and if the person is not in Salesforce, it will automatically create a Contact. We use Salesforce Communities as our support platform, but this is similar in Zendesk, etc.
There's no way to check if the person is in the EU and, if so, to obtain consent to processing before we actually process them! The majority of these people are trial or paid users, so are covered under their organization's MSA, but it's possible for someone who is not a user to contact support this way and have a Contact created. What do we do in this case!?!