The team at Square has been working hard to get ready for the May 25th implementation of the GDPR (the new General Data Protection Regulation standardising EU data privacy and protection laws). At Square, we are committed to the protection of our sellers’ data and privacy rights, and strive to help our sellers remain compliant with their own GDPR obligations.
What is the GDPR?
GDPR is the acronym given to the General Data Protection Regulation, an EU law updating and standardising data privacy laws across the EU.
When Does it Come into Effect?
The GDPR comes into effect on May 25, 2018.
What Information Does the GDPR Apply to?
The GDPR applies to the processing of personal data of EU residents. It does not apply to the data of businesses or other legal entities, but it does apply to the data that businesses or legal entities hold that relates to individuals, e.g., when a business holds information about its employees or its customers.
Who Has to Comply With the GDPR?
Any EU business that handles EU residents’ personal data must comply with the GDPR, as must any business located outside the EU that offers goods or services to EU residents.
What Is Personal Data?
Personal data is any information that identifies an EU-resident individual, or pieces of information that, when taken together, can identify that person. This could mean someone’s name, their phone number or email address. It could be information about a physical trait or about where the person works. It can mean almost any piece of information connected to an individual. You should familiarise yourself with what personal data you may hold about your customers and employees.
The GDPR also designates certain types of personal data as special categories which require greater protection due to their sensitive nature. The following are personal data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning an individual’s sex life or sexual orientation.
What Is Processing Under the GDPR?
The GDPR defines processing of personal data very broadly and lists out examples, including collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
As the definition of processing is so broad, it is difficult to imagine any use of personal data by a business, carried out wholly or partly by automated means, that would not fall within the remit of the GDPR.
How Do I Know if the Processing of Personal Data Is GDPR Compliant?
The GDPR requires data controllers to process personal data lawfully, fairly and in a transparent manner. The GDPR sets out six legal bases on which a data controller may process personal data of an individual:
- Consent (not simply by default or implied but must be sought from an individual and be freely given by them);
- Fulfilling a contractual obligation;
- Complying with a legal obligation;
- Protecting a data subject’s vital interests;
- Performing a task in the public interest; and
- Legitimate interests of the data controller or a third party (when balanced against the rights and interests of an individual).
What Are Data Controllers and Data Processors?
The GDPR outlines the responsibilities of data controllers and data processors.
Data controllers and data processors have to follow different rules under the GDPR when dealing with personal data.
The data controller is the key decision maker as to what happens with the personal data it has in its possession. A data controller decides why and how personal data of another is managed.
A data processor processes or manages personal data on behalf of a data controller and follows a data controller’s instructions when doing so. The only purpose for which a data processor can process the personal data is for providing a service to a data controller. After the end of the service provision, the data processor is obliged to delete or return the personal data to a data controller. A data processor does not take any decisions on its own about the personal data it has in its possession.
Will the GDPR Still Apply in the UK After Brexit?
The UK is introducing legislation that follows the main terms of the GDPR and will remain in effect after Brexit. This will align the UK’s data protection laws with the rest of the EU, meaning there will be no major differences between local UK data protection laws and the GDPR before or after the Brexit process has been completed. Where we refer to EU residents in these FAQs, this includes UK residents.
What are the Penalties for Not Complying With the GDPR?
The maximum fines that can be levied under the GDPR have been making headlines because they are significant: 4% of global revenue or 20 million euro (whichever is higher). Several other fines and penalties can also be imposed for GDPR non-compliance.
The GDPR expressly encourages regulators to take account of the specific needs of micro, small and medium-sized enterprises when they apply the Regulation and we’ll learn over time if penalties will be calibrated with this guidance in mind.
What Information Are Square Sellers, Their Customers or Their Employees Able to Request Under the GDPR?
The GDPR refers to EU residents as data subjects and sets out what kinds of requests individuals can make to businesses about their personal data. These requests are often referred to as data subject requests.
Under the GDPR, EU-resident individuals are entitled to request the following from businesses that manage their personal data:
- confirmation of whether the business holds any personal data about them and, if so, what information about them is being held;
- to have any inaccuracies in the data corrected;
- to have information erased;
- to object to direct marketing or to the processing of their personal data;
- to restrict the processing of their information, including automated decision-making (i.e., a decision made solely by automated means without any human intervention) or profiling (i.e., automated processing of personal data to evaluate certain things about an individual); and
- data portability (to have data produced in a machine readable and interoperable form or sent to another party at the request of the individual).
Is Square a Data Controller or a Data Processor?
Square is a data controller of all its sellers’ personal data. Square sets out what seller data it holds, how it protects seller data, why it holds seller data and what it does with seller data in our privacy notice.
Square is a data processor of the data of customers who transact business with Square sellers and Square is a data processor of the data of the employees of Square sellers.
Are Square Sellers Data Controllers or Data Processors?
Square sellers are data controllers of all their own customers’ and employees’ personal data. This means that Square sellers are responsible for understanding their responsibilities as data controllers under the GDPR.
What Are Square’s Obligations Under the GDPR?
Square is committed to safeguarding the data we manage and protecting privacy rights under the GDPR.
Visit Square’s privacy notice which fully explains how Square uses and protects your data and includes our enhanced privacy standards under the GDPR.
We will be providing tools to our sellers to help them comply with the GDPR when dealing with their own customers or employees.
You can find Square’s privacy notice that applies to Sellers on our website. Your customers and employees can find the [privacy notice that applies to them](https://squareup.com/legal/privacy-no-account) on our website as well.
I’m a Square Seller, How Do I Make a Data Request to Square Under the GDPR?
If you are a Square seller, you have the ability to access much of your personal data directly via your online Square Dashboard.
More information on the tools that Square will provide to assist our sellers can be found here.
I’m a Square Seller, What Do I Do if My Customer or Employee Makes a Data Request Under the GDPR?
For more information, please see our article directed towards Square sellers.
I Am a Customer of a Square Seller, How Do I Make a Data Request Under the GDPR?
If you are a customer of a business that uses Square, that business is the data controller of your personal data. Please make any personal data requests that you have directly to the relevant Square seller. You can ask a Square seller to supply you with the information you need by visiting the Square seller’s website or store, or calling the Square seller at their listed phone number. Learn more about how to make a data request in our Support Centre.
I’m an Employee of a Square Seller, How Do I Make a Data Request Under the GDPR?
If you are an employee of a business that uses Square, that business is the data controller of your personal data. Please make any personal data requests that you have directly to the relevant Square seller who is your employer. Learn more about how to make a data request in our Support Centre.
How Can I Prepare My Business for the GDPR?
The Information Commissioner’s Office is the UK’s independent authority which oversees the data privacy rights of individuals.
It has a helpline for small businesses to find out more about the GDPR, and has prepared checklists and information booklets.
These FAQs are intended to offer helpful guidance, and should not be interpreted as legal advice. You should consult a legal expert regarding your obligations under the GDPR to provide guidance tailored to your specific circumstances.