Data Processing Terms
Posted on: 23 April 2018
Effective Date: 25 May 2018
These Data Processing Terms govern the processing by Square of: (1) your customers’ personal data and (2) your employees’ personal data. Effective upon the earlier of your clicking “Accept” to the General Terms of Service (the ‘General Terms’) or your use of any of the Services (as defined in the General Terms), you accept and agree to be bound by these Data Processing Terms. If you are using the Services on behalf of a business, you agree that you are accepting these Data Processing Terms and have authority to enter into these Data Processing Terms, on behalf of that business.
For purposes of these Data Processing Terms, ‘data controller’, ‘data processor’, ‘processing’ and ‘appropriate technical and organisational measures’ shall be interpreted in accordance with the applicable Data Protection Legislation (as defined in Section 1 of these Data Processing Terms) of a relevant jurisdiction. All other defined terms have the same meaning as those found in the General Terms, unless otherwise defined herein.
Application of Data Protection Legislation and Your Authorisations
1. Square’s Role
Square Europe, Square International and their affiliates are subject to European Directive 2002/58/EC (the ‘e-Privacy Directive’) and the General Data Protection Regulation (EU) 2016/679 (‘GDPR’, and together with the e-Privacy Directive and any legislation and/or regulation implementing or made pursuant to, or which amends, replaces, re-enacts or consolidates GDPR and/or the e-Privacy Directive, and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction, including, where applicable, the guidance and codes of practice issued by supervisory authorities, ‘Data Protection Legislation’), because, in the course of providing you Services, they access information (‘Personal Data’) relating to identified or identifiable natural persons (‘Data Subjects’). For purposes of these Data Processing Terms, an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
When Square accesses the Personal Data of your Data Subjects in the course of providing you Services, Square and its affiliates are data processors under the applicable Data Protection Legislation of relevant jurisdiction.
2. Description of Square’s Processing in the Context of the Services
Nature and purpose of processing. Square will process your Data Subjects’ Personal Data in order to carry out the Services.
Categories of Data Subjects. The Personal Data we may process relates to the following categories of Data Subjects:
Other prospective Square Sellers
Complainants, correspondents and enquirers
Advisers, consultants and other professional experts
Types of Personal Data. The Personal Data we process comprises the categories of data described in our Privacy Notice and our Privacy Notice for Users Who Do Not Apply or Sign Up for a Square Account or Other Services.
Term of Square’s processing. Square will process your Data Subjects’ Personal Data during the term of the General Terms.
3. Your Authorisations
You accept and agree that Square Companies are processors when Square accesses Personal Data pertaining to your Data Subjects in the course of providing the Services.
You authorise Square to use sub-processors, provided that:
- Square provides the names of all sub-processors to you on request;
- Square signs a written agreement with each sub-proessor that imposes obligations on that sub-processor that are no less stringent than those required of Square under the Data Protection Legislation or these Data Processing Terms;
- Square is not be relieved of any of its obligations under these Data Processing Terms by engaging sub-processors; and
- where Square intends to add or replace a sub-processor, it will provide you the opportunity to object to such changes.
You appoint Square as your agent to sign Standard Contractual Clauses for the transfer of Personal Data to data processors established in third countries adopted by the European Commission decision of 5 February 2010, published under document number C(2010) 593 2010/87/EU (the ‘Standard Contractual Clauses’) between you and sub-processors established in third countries that process personal data on your behalf. For a copy of Square’s Standard Contractual Clauses, please contact Square Support.
The obligations contained in this Section 3 will not be applicable when Square acts as a data controller.
Personal Data Processing
4. Square’s Obligations as a Processor
When Square processes Personal Data in the course of providing the Services, Square will:
- Process Personal Data only in accordance with your authorisations set forth in these Data Processing Terms and as strictly necessary to perform the Services. If Square is required to process the Personal Data for any other purpose by Applicable Law, Square will inform the Data Subject of this requirement first, unless such Applicable Law prohibits doing so on important grounds of public interest; or
- Assist you, taking into account the nature of the processing:
- by taking appropriate technical and organisational measures and, in so far as is possible, in fulfilling your obligations to respond to requests from Data Subjects exercising their rights;
- in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR, taking into account the information available to Square; and
- by making available to you all information which you reasonably request to allow you to demonstrate that the obligations set out in Article 28 of GDPR relating to the appointment of processors have been met.
- Implement and maintain appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the Personal Data and having regard to the nature of the Personal Data which is to be protected;
- Except as provided in these Data Processing Terms, the General Terms or any other Additional Terms, not give access to or transfer any Personal Data to any third party without your prior written consent;
- Ensure that personnel required to access the Personal Data are subject to a binding duty of confidentiality in respect of such Personal Data;
- Ensure that none of Square's personnel publish, disclose or divulge any of the Personal Data to any third party unless you direct Square to do so in writing;
- At the end of the Services, upon your request, securely destroy or return such Personal Data to you, and delete existing copies unless Applicable Laws require storage of such Personal Data; and
- Allow you or an independent auditor appointed by you to conduct audits or inspections during the term of these Data Processing Terms. The purposes of an audit pursuant to this paragraph include verifying that Square is processing Personal Data in accordance with Square's obligations under these Data Processing Terms.
The obligations contained in this Section 4 will not be applicable when Square acts as a data controller.
5. Square’s Response to Suspected and Actual Security Breaches
In the event of any suspected destruction, loss, alteration, or disclosure of, or access to the Personal Data that the Data Processor processes or is responsible for processing in the course of providing the Services, whether accidental, unauthorised or unlawful (each such event, a ‘Security Breach’), Square will take action to investigate the suspected Security Breach and to identify, prevent and mitigate the effects of the suspected Security Breach and to remedy the Security Breach. Square will notify you of any Security Breach without undue delay.
In the event of any conflict or inconsistency between the provisions of these Data Processing Terms, the General Terms or any other Additional Terms, these Data Processing Terms shall prevail in relation to the subject matter of the Data Protection Legislation.