GDPR for Sellers on Using the Buyer Request Portal
Square is committed to protecting our customers’ privacy rights under the GDPR and to helping our sellers comply with GDPR requests from their own customers. While we cannot give you legal advice*, we’ve created Support Centre articles to help you understand how you can use Square’s tools to meet your GDPR compliance obligations.
Square has developed a GDPR Buyer Request Portal to assist you when you get GDPR requests from your customers. As you are probably aware, the GDPR grants various rights to EU residents including the ability to make certain requests from data controllers who handle their personal data (which may be subject to some limitations and exceptions).
As a Square seller, you are the data controller of your customers’ personal data. For more information on what the various GDPR terms mean, please visit Square’s GDPR FAQ.
Where is Square’s GDPR Buyer Request Portal?
To access your self-serve GDPR Buyer Request Portal:
Log in to your Square Dashboard and go to Account & Settings;
Under the Business tab, from the options provided, select GDPR.
This will bring you to your GDPR Buyer Request Portal which enables you to handle GDPR requests received from your customers and has links to some articles which should help you to figure out what these types of requests are all about.
How do I use Square’s GDPR Buyer Request Portal?
Make sure you have verified the identity of your customer making the request.
Click the Fulfil Buyer Request box.
The various types of GDPR requests that can be made by your customers (e.g. access, correction (rectification), deletion (right to be forgotten), objection to profiling, portability and restriction of processing) are set out in the Request Type section. Select the type of GDPR request from the list in the Request Type section, matching it with the request you have received from your customer.
In the Customer section, you can search for the customer who has made the GDPR request using their name or email address. Scroll through the alphabetical list and select the customer.
Once you have the Request Type and Customer sections populated click on Continue.
After clicking Continue, what happens next depends on the Request Type you selected:
-
If you selected Access, you will be brought to the Access Request window and will receive a message to say that you have successfully downloaded all data for the customer in question. Click Download Customer Information to get access to a machine readable and interoperable copy that you can provide to your customer which sets out all the data that you as a Square seller hold about that customer.
If you are not handing over the downloaded document to your customer in person, remember when sending personal data to be sure to use a secure method to protect the integrity of the personal data. Here’s an article [include link] with some tips on how to send personal data safely.
-
If you selected Correction (Rectification), you will be brought to the Correction Request window. Here you are able to edit and correct several fields of data relating to your customer (e.g. name, email address, phone number, etc.). When you are finished with the updates, click on Save.
You will then receive a message in the Correction Request window to let you know that the edits to your customer’s personal data have been successfully made and reminding you that you can download a record of this action on the main page of your GDPR Buyer Request Portal.
-
If you selected Delete (Right to be Forgotten), you will be brought to the Deletion Request window. Here you will see that there is an advance notification to remind you of the consequences of processing your customer’s deletion request. You might want to confirm with your customer that this is indeed what they want, as once you hit Delete all the customer’s personal data will be removed from your Directory.
If you wish to proceed with the deletion, click Delete.
You will then receive a message in the Deletion Request window to let you know that your customer’s profile and all personal data have been successfully deleted from your directory, and reminding you that you can download a record of this action on the main page of your GDPR Buyer Request Portal.
-
If you selected Objection to Profiling, you will be brought to the Objection to Profiling Request window. Here you will see that there is an advance notification to remind you of the consequences of processing your customer’s Objection to Profiling request. You might want to confirm with your customer that this is indeed what they want, as once you hit Delete, all the customer’s personal data will be removed from their profile in your Customer Directory.
If you wish to proceed with the deletion, click Delete.
You will then receive a message in the Objection to Profiling Request window to let you know that your customer’s profile and all personal data have been successfully deleted from your Customer Directory/profile, and reminding you that you can download a record of this action on the main page of your GDPR Buyer Request Portal.
-
If you selected Portability, you will be brought to the Portability Request window and will receive a message to say that you have successfully downloaded all data for the customer in question. Click Download Customer Information to get access to a machine readable and interoperable copy that you can provide to your customer which sets out all the data that you as a Square seller hold about that customer.
If you are not handing over the downloaded document to your customer in person, remember when sending personal data to be sure to use a secure method to protect the integrity of the personal data. Here’s an article [include link] with some tips on how to send personal data safely.
-
If you selected Restriction of Processing, you will be brought to the Restriction of Processing Request window. Here you will see that there is an advance notification to remind you of the consequences of processing your customer’s Restriction of Processing request. You might want to confirm with your customer that this is indeed what they want, as once you hit Delete in order to comply with the Restriction of Processing Request, all the customer’s personal data will be removed from their profile in your Customer Directory and will be permanently restricted (in this case deleted).
If you wish to proceed with the deletion, click Delete.
You will then receive a message in the Restriction of Processing Request window to let you know that your customer’s request to have the processing of their data restricted has been successful by permanently deleting their data from your Customer Directory and reminding you that you can download a record of this action on the main page of your GDPR Buyer Request Portal.
What if I need proof that I actioned a customer request?
All customer requests fulfilled by you using the GDPR Buyer Request Portal are automatically logged and available for future reference by clicking on Download Your Report on the main GDPR Buyer Request Portal page.
What if I store my customer’s data outside Square or with other parties?
If you use other software providers besides Square or team up with any third-party providers to help run your business, make sure that you check all software and contact all third-party providers that may hold your customers’ data so that your customers’ GDPR requests are completed fully and that any actions that you or your third-party providers need to take outside Square are carried out.
How can I prepare my business for the GDPR?
The Information Commissioner’s Office is the UK’s independent authority which oversees the data privacy rights of individuals.
It has a helpline for small businesses to find out more about the GDPR and has prepared checklists and information booklets:
*This article is intended to offer helpful guidance, and should not be interpreted as legal advice. You should consult a legal expert regarding your obligations under the GDPR to provide guidance tailored to your specific circumstances.