GDPR FAQs
At Square, we are committed to the protection of our sellers’ data and privacy rights, and strive to help our sellers remain compliant with their own GDPR obligations.
GDPR is the acronym given to the General Data Protection Regulation, an EU law updating and standardising data privacy laws across the EU.
The GDPR applies to the processing of personal data of EU residents. It does not apply to the data of businesses or other legal entities, but will apply to the data that businesses or legal entities hold that relates to individuals i.e. when businesses hold information about their employees or their customers.
Any EU business that handles EU residents’ personal data must comply with the GDPR and any other businesses located outside the EU that offer goods or services to EU residents.
Personal data is any information that identifies a EU-resident individual or pieces of information that, when taken together, can identify that person. This could mean someone’s name, their phone number or email address. It could be information about a physical trait or about where the person works. It can mean almost any pieces of information connected to an individual. You should familiarise yourself with what personal data you may have related to your customers and employees.
The GDPR also designates certain types of personal data as special categories which require greater protection due to their sensitive nature. The following are personal data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning an individual’s sex life or sexual orientation.
The GDPR defines processing of personal data very broadly and lists examples, including: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
As the definition of processing is so broad, it is difficult to imagine any uses of personal data by a business that are wholly or partly by automated means that would not be brought within the remit of the GDPR.
The GDPR requires data controllers to process personal data lawfully, fairly and in a transparent manner. The GDPR sets out six legal bases on which a data controller may process the personal data of an individual:
- Consent (not simply by default or implied but must be sought from an individual and be freely given by them);
- Fulfilling a contractual obligation;
- Complying with a legal obligation;
- Protecting a data subject’s vital interests;
- Performing a task in the public interest; and
- Legitimate interests of the data controller or a third party (when balanced against the rights and interests of an individual).
The GDPR outlines the responsibilities of data controllers and data processors.
Data controllers and data processors have to follow different rules under the GDPR when dealing with personal data.
The data controller is the key decision-maker as to what happens with the personal data it has in its possession. A data controller decides why and how the personal data of another is managed.
A data processor processes or manages personal data on behalf of a data controller and follows a data controller’s instructions when doing so. The only purpose for which a data processor can process the personal data is for providing a service to a data controller. After the end of the service provision, the data processor is obliged to delete or return the personal data to a data controller. A data processor does not take any decisions on its own about the personal data it has in its possession.
The maximum fines that can be levied under the GDPR have been hitting headlines as they are significant at 4% of global revenue or 20 million euros (whichever is higher). There are several other fines and penalties that can be imposed for GDPR non-compliance.
The GDPR expressly encourages regulators to take account of the specific needs of micro, small and medium-sized enterprises when they apply the Regulation, and we’ll learn over time if penalties will be calibrated with this guidance in mind.
The GDPR refers to EU residents as data subjects and sets out what kinds of requests individuals can make to businesses about their personal data. These requests are often referred to as data subject requests.
Under the GDPR, EU-resident individuals are entitled to request the following from businesses that manage their personal data:
- If they hold any personal data about them and, if yes, what information about them is being held;
- to have any inaccuracies in the data corrected;
- to have information erased;
- to object to direct marketing or to the processing of their personal data;
- to restrict the processing of their information, including automated decision-making (i.e. a decision made solely by automated means without any human intervention) or profiling (i.e. automated processing of personal data to evaluate certain things about an individual); and
- data portability (to have data produced in a machine readable and interoperable form or sent to another party at the request of the individual).
Square is a data controller of all its sellers’ personal data. Square sets out what seller data it holds, how it protects seller data, why it holds seller data and what it does with seller data in our
Privacy Policy.
Square is a data processor of the data of customers who transact business with Square sellers and Square is a data processor of the data of the employees of Square sellers.
Square sellers are data controllers of all their own customers’ and employees’ personal data. This means that Square sellers are responsible for understanding their responsibilities as data controllers under the GDPR.
Square is committed to safeguarding the data we manage and protecting privacy rights under the GDPR.
Visit Square’s Privacy Policy which fully explains how Square uses and protects your data, and includes our enhanced privacy standards under the GDPR.
We will be providing tools to our sellers to help them comply with the GDPR when dealing with their own customers or employees.
You can find Square’s Privacy Policy that applies to Sellers on our website.
If you are a Square seller, you have the ability to access much of your personal data directly via your online Square Dashboard.
More information on the tools that Square will provide to assist our sellers can be found here.
For more information, please see our article directed towards
Square sellers.
If you are a customer of a business that uses Square, that business is the data controller of your personal data. Please make any personal data requests that you have directly to the relevant Square seller. You can ask a Square seller to supply you with the information you need by visiting the Square seller’s website or shop, or calling the Square seller on their listed phone number. Learn more about how to make a data request in our Support Centre.
If you are an employee of a business that uses Square, that business is the data controller of your personal data. Please make any personal data requests that you have directly to the relevant Square seller who is your employer. Learn more about how to make a data request in our Support Centre.
These FAQs are intended to offer helpful guidance, and should not be interpreted as legal advice. You should consult a legal expert regarding your obligations under the GDPR to provide guidance tailored to your specific circumstances.