The team at Square has been working hard to implement the GDPR (the new General Data Protection Regulation standardizing EU data privacy and protection laws). At Square, we are committed to the protection of our sellers’ data and privacy rights, and strive to help our sellers remain compliant with their own GDPR obligations.
What is the GDPR?
GDPR is the acronym given to the General Data Protection Regulation, an EU law updating and standardizing data privacy laws across the EU.
When Did it Come into Effect?
The GDPR came into effect on May 25, 2018.
What Information Does the GDPR Apply to?
The GDPR applies to the processing of personal data of EU residents. It does not apply to the data of businesses or other legal entities, but it does apply to information that businesses or legal entities hold that relates to individuals, i.e., when a business holds information about its employees or its customers.
The GDPR is only applicable to Square merchants who handle the data of EU residents. If your business operates outside of the EU, you are likely not required to perform any actions regarding GDPR, unless you provide services or ship products to customers in the EU, regardless of whether payment by the customer is required.
Who Has to Comply With the GDPR?
Generally, any EU business that processes personal data must comply with the GDPR, as well as any other businesses located outside the EU that offer goods or services to EU residents in the EU.
Please note: We cannot provide legal advice to confirm with certainty whether the GDPR applies to you. You may want to consider consulting with an attorney and/or a GDPR regulatory authority should you have additional questions on whether your business has obligations under GDPR.
What Is Personal Data?
Under GDPR, personal data is any information that identifies an EU-resident individual or pieces of information that, when taken together, can identify that person. This could mean someone’s name, their phone number or email address. It could be information about a physical trait or about where the person works. It can mean almost any piece of information connected to an individual. You should familiarize yourself with what personal data you may have related to your customers and employees.
The GDPR also designates certain types of personal data as special categories which require greater protection due to their sensitive nature. This includes personal data revealing the following: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data or data concerning an individual’s sex life or sexual orientation.
These FAQs are intended to offer helpful guidance, and should not be interpreted as legal advice. You should consult a legal expert regarding your obligations under the GDPR for guidance tailored to your specific circumstances.