GDPR for Sellers on How to Handle a Data Request From Your Customers or Employees
Square is committed to protecting our customers’ privacy rights under the GDPR and to helping our sellers comply with GDPR requests from their own customers or employees. While we cannot give you legal advice*, we’ve created these support centre articles to help you understand how you can use Square’s tools to meet your GDPR compliance obligations.
What is The GDPR and How Does it Impact My Business?
For a quick overview of what the GDPR is all about and how it may apply to you, please visit our GDPR FAQs.
From 25 May, under the GDPR, persons who reside in the EU are entitled (subject to certain limits) to request the following from businesses who manage their personal data:
If they hold any personal data about them and, if yes, what information about them is being held;
To have any inaccuracies in the data corrected;
To have information erased;
To object to direct marketing or to processing of their personal data;
To restrict the processing of their information, including automated decision-making (i.e., a decision made solely by automated means without any human intervention) or profiling (i.e., automated processing of personal data to evaluate certain things about an individual); and
Data portability (to have data produced in a machine readable and interoperable form or sent to another company at the request of the individual).
As a business owner, you are the data controller of your customers’ and employees’ personal data (more information about this can be found in our GDPR FAQs of your customers’ and employees’ personal data.
Personal data means any information that identifies an EU-resident individual or pieces of information that, when taken together, can identify that person. This could mean someone’s name, their phone number or email address. It could be information about a physical trait or about where the person works. It can mean almost any piece of information connected to an individual that identifies them either by itself or together with other pieces of data you have on them. You should familiarise yourself with what personal data you may have related to your customers and employees.
The GDPR identifies certain types of personal data as 'special categories' which require greater protection due to their sensitive nature. These are personal data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning an individual’s sex life or sexual orientation. If you collect this data about your customers or employees, please familiarise yourself with the GDPR’s stricter requirements (and sometimes prohibition) for processing this data.
Steps to Consider if You Get Data Requests From Your Customers or Employees
1. Confirm Their Identity
An important first step is to confirm the identity of the person making the request. You can ask for evidence of identity to make sure that you are dealing with the correct person and that this is the person who is entitled to receive the information requested.
2. Comply with the Request Within 30 Days
Once you have received a data request, you can let your customer or employee know that you are dealing with their request while working towards providing all relevant information and concluding the request within the required timeline set out in the GDPR. Typically you will be required to respond fully to a data request within one month, although some exceptions apply.
If you are unclear about the request being made or it appears to be too broad, you can get in touch with your customer or employee for more clarity to help you with your search and the task at hand.
A. How can I Comply?
When a customer or employee asks you about what data you hold about them, there is specific information that you must provide when responding:
The categories of their personal data you process (e.g. employee salary, employee home address, customer home or delivery address, product preferences, names, email addresses, location data, tax ID numbers, DOB information, etc.);
The purposes for which you process it (e.g. employee payroll, customer sales of products or services, loyalty programmes etc.);
To whom you disclose their data (e.g. payroll provider; HMRC; Square, which processes it on your behalf; etc.);
The source of the data (e.g. pay slips, employment contract, online order, computer login info, CCTV, mailing lists, etc.);
The existence of other rights (rectification/correction, deletion/erasure, restriction of processing and object to such processing), which may be also exercised by the customer or employee;
How long the data is retained by you; and
If automated decision making (i.e., a decision made solely by automated means without any human intervention) or profiling (i.e., automated processing of personal data to evaluate certain things about an individual) applies to the personal data held by your business, you may need to give meaningful information about how these decisions are made as well as the significance and the envisaged consequences of such processing for the customer or employee.
The GDPR asks that you remind data subjects (in this scenario, your customers and employees) of their rights under the GDPR when you respond to their GDPR request. For example, you should make them aware that if they feel their data protection rights are being infringed upon, that they can make a complaint directly to the relevant data protection authority.
B. Tools and Tips
Square is committed to ensuring that you have the tools you need to comply with your obligations under the GDPR. If you receive a data request under GDPR from one of your Square customers, you can use our GDPR Dashboard Tool to fulfil your customer’s requests and download a report to document your compliance.
In addition to fulfilling any request yourself using Square’s GDPR Dashboard tool, make sure you also consider any app integrations you have authorised or built using your Square account:
Have you authorised any third party apps through the Square app marketplace to access customer data within your Square account? If so, make sure that you also promptly notify the privacy team at any third party app that may have received your customer’s data of your customer’s data request.
Are you using a personal access token to access Square’s API tools, or Oauth to access another seller’s Square account data? If so, make sure that you also use the DeleteCustomer endpoint to remove your customer’s data from your app integration.
Finally, in some instances, you may need to process your customer’s request outside Square’s systems. For example, if you use a third-party provider to send marketing emails on your behalf, and your customer informs you that she objects to direct marketing, you’ll need to ensure that you pass any objection to your third-party provider by promptly notifying them.
C. Transfer the Information Securely to the Requester
You should send out any information requested securely, or give it to your buyer in person when they are at your shop. View our Support Centre article for more information on secure transfers. You should also transfer it with a form of delivery receipt so that you have proof of receipt by your customer or employee.
3. No Charge
You cannot charge your customers or employees for the handling of personal data requests under the GDPR unless those requests are manifestly unfounded or excessive, such as if you get repeated requests from the same person when you’ve already complied with their first request(s).
4. Track Your Compliance
It is a good idea to track when these requests come in so that you can respond to them within the required timeframe. It is also a good idea to keep a record of the request and the search carried out so that if you are ever questioned about the request in the future, you will be better prepared to demonstrate your business’ compliance under the GDPR.
As noted above, Square has developed tools to help you deal with these requests and download a record that you’ve complied with them, with most of the information you need available directly from your online Square dashboard.
5. Other Tips
The GDPR reminds all of us who handle the personal data of EU-residents to manage that data properly and to take measures to keep it secure.
As a business, you should keep yourself informed about your responsibilities under the GDPR and make your employees and suppliers equally aware. In addition to this being good business practice, this will help you avoid running afoul of the GDPR.
The maximum fines that can be levied under the GDPR are 4% of global revenue or 20 million euros (whichever is higher). There are several other fines and penalties that can be imposed by data protection authorities for GDPR non-compliance.
For more information, please read our GDPR FAQs.
You can also visit the website of the Information Commissioner’s Office, the UK’s independent authority which oversees the data protection rights of individuals, where you can find helpful information about UK businesses’ obligations under the GDPR, how to manage the personal data that you store and how to deal with data requests.
The website contains prepared checklists and information booklets, and has a helpline for small businesses to find out more about the GDPR.
*This article is intended to offer helpful guidance, and should not be interpreted as legal advice. You should consult a legal expert regarding your obligations under the GDPR to provide guidance tailored to your specific circumstances.