Comply with GDPR requirements for your business
About the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a comprehensive data protection law, in effect since May 15, 2018, that applies to businesses processing the personal data of individuals in the European Economic Area (EEA). It establishes rules for how businesses must handle and protect personal data while giving individuals greater control over their information.
Square is committed to the protection of our sellers’ data and privacy rights and strives to help our sellers remain compliant with their own GDPR obligations.
Before you begin
If you’re doing business online with, or collecting any kind of personal data online from, individuals located in the United Kingdom or European Union (EU), you’ll likely need to comply with the GDPR and the ePrivacy Directive. Learn more about GDPR and cookie consent.
The GDPR applies only to Square merchants who handle the data of EU residents. If your business operates outside the EU, you likely don't need to take any action regarding the GDPR unless you provide services or ship products to customers in the EU, regardless of whether those customers are required to pay.
The GDPR doesn’t apply to the data of businesses or other legal entities, but will apply to the data that businesses or legal entities hold that relates to individuals, such as when businesses hold information about their employees or their customers.
Square cannot provide legal advice to confirm with certainty whether GDPR applies to your business. Consider consulting an attorney or GDPR regulatory authority with questions regarding your business obligations.
Review information covered under GDPR
Under GDPR, personal data is any information that identifies an EU resident individual or pieces of information that, when taken together, can identify that person. This could be someone’s name, phone number, email address, information about a physical trait or where they work. Virtually any piece of information connected to an individual that helps identify them is considered personal data. We recommend that you familiarize yourself with what personal data you may have, or collect, related to your customers and employees.
GDPR also designates certain types of personal data as special categories, which require greater protection due to their sensitive nature. This includes personal data that reveals the following:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data
Health data
Data concerning an individual’s sex life or sexual orientation
Personal data under GDPR includes any information about an identified or identifiable individual that you may collect directly or indirectly through your website. Personal data that may be transmitted indirectly includes information like a user’s IP address or the information stored in a browser cookie.
Understand the rights of your site visitors
The GDPR allows individuals in the EU greater control over their personal data, and grants them a number of rights with regard to how that data is processed, stored and accessed. The list below covers the situations that you, as a website owner, are most likely to see. You should also carefully review the full list of GDPR data subject rights.
If a user approaches you with a request to exercise any of the rights mentioned above, you have 30 days to respond. You can get support at Square if you need assistance.
A person can request to be “forgotten,” which is to have all of their personal data removed from your possession. If you’re asked to do this, you’ll need to remove any personal data you have collected from the requester. You’ll also need to contact any third parties that process personal data on your behalf. To ensure that any personal data in Square’s possession can be removed in a timely manner, you can relay any request to be forgotten.
Learn how to edit, merge or delete customer profiles.
Under the GDPR, an individual located in the EU may request that you send them any personal data in your possession. In this case, you need to provide the requester with any personal data that you have in a commonly used, machine-readable format. You also need to contact Square to obtain any personal data stored on our end.
Ensure your online site is GDPR compliant
Apart from promptly responding to requests from EU data subjects as described above, the suggestions below are steps you can and should take to help ensure GDPR compliance.
If you already have one, you should review the terms to make sure it complies with the expanded requirements under GDPR. Additional resources are below:
You can use a cookie notification banner to easily add this alert to your site. Learn how to add a cookie banner to your online store.
Whenever you need to collect data from a user, make sure to clearly state why you need it, what you plan to use the data for, whether it may be shared and with whom, and the lawful basis on which you are relying to collect such data.
For example, if you have a newsletter or mailing list, make sure that the purpose of your sign-up form is very obvious so customers know what they’re signing up for.