System updates

We’re experiencing issues that may affect your Square services. We’ll continue to update our status page with more information.

Back to Home

General Data Protection Regulation (GDPR) and Square Online

If you’re doing business online with, or collecting any kind of personal data online from, individuals located in the United Kingdom (UK) and/or European Union (EU), you'll likely need to comply with the General Data Protection Regulation (GDPR) and the ePrivacy Directive. Learn more about GDPR and cookie consent for the EU.

To help, we’ve included resources in this article for you to use.

What is GDPR?

GDPR is the acronym given to the General Data Protection Regulation, an EU law that standardizes data privacy laws across the EU.

When did GDPR go into effect?

GDPR went into effect on May 25, 2018.

What information does GDPR apply to?

GDPR applies to the processing of personal data of EU residents. It does not apply to the data of businesses or other legal entities, but will apply to the information that businesses or legal entities hold and which relates to individuals (i.e. when a business holds information about their employees or their customers).

GDPR is only applicable to Square merchants who handle the data of EU residents. If your business operates outside of the EU, you’re likely not required to perform any actions regarding GDPR unless you provide services or ship products to customers in the EU (regardless of whether a payment of the customers is required).

What is considered personal data?

Under GDPR, personal data is any information that identifies an EU resident individual or pieces of information that, when taken together, can identify that person. This could mean someone’s name, their phone number, or email address. It could also be information about a physical trait or about where the person works. Virtually any piece of information connected to an individual that helps identify them is considered personal data. We recommend you familiarize yourself with what personal data you may have, or collect, related to your customers and employees.

GDPR also designates certain types of personal data as special categories which require greater protection due to their sensitive nature. This includes personal data revealing the following:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data
  • health data
  • data concerning an individual’s sex life or sexual orientation

In terms of your website, personal data under GDPR includes any information about an identified, or identifiable, individual that you may collect directly or indirectly through your website. Some examples of personal data you might obtain directly are a person’s name, address, email address, or username (such as through a contact form). Personal data that may be transmitted indirectly includes information like a user’s IP address or the information stored in a browser cookie.

Who has to comply with GDPR?

Generally, any EU business that processes personal data must comply with GDPR, as well as any other businesses located outside the EU that offer goods or services to EU residents in the EU.

Note: We cannot provide legal advice to confirm with certainty whether GDPR applies to you. Consider consulting an attorney and/or GDPR regulatory authority with questions regarding your business obligations under GDPR.

What rights do my site visitors have?

GDPR allows individuals in the EU greater control over their personal data, and grants them a number of rights with regard to how that data is processed, stored, and accessed. The list below covers the situations that you, as a website owner, are most likely to see. You should also carefully review the full list of GDPR data subject rights.

  • The right to be forgotten: A person can request to be “forgotten”; that is, to have all of their personal data removed from your possession. If you’re asked to do this, you’ll need to remove any personal data you have collected from the requester. You’ll also need to contact any third parties that process personal data on your behalf. To ensure that any personal data in Square’s possession can be removed in a timely manner, you can relay any request to be “forgotten” through our Support Center.
  • Data portability: Under GDPR, an individual located in the EU may request that you send them any personal data in your possession. In this case, you would need to provide the requester with any personal data that you have in a commonly-used, machine-readable format. You would also need to contact Square to obtain any personal data stored on our end.
  • Access: Any data subject can ask the controller of their information to confirm how and where their personal data is being stored and processed. The data subject also has a right to know how that data is shared with third parties.
  • Rectification: The data subject shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning the subject.

Note: If a user approaches you with a request to avail themselves of any of the rights mentioned above, you’ll have 30 days to do so. You may contact Square Support if you need assistance.

How can my Square Online site be GDPR compliant?

Apart from promptly responding to requests from EU data subjects as described above, there are things you can and should do to help ensure compliance. Here are some suggestions to get you started:

  • Add a Privacy Policy to your website. If you already have one, you should review the terms to make sure it complies with the expanded requirements under GDPR.
  • Alert visitors to the use of cookies on your website. You can use a cookie notification banner to easily add this alert to your site. Learn more about adding a cookie banner to Square Online with Cookiebot and adding a cookie banner to Square Online with third-party code.
  • Inform your visitors and get their consent. Whenever you need to collect data from a user, make sure to clearly state, among other things, why you need it, what you plan to use the data for, whether it may be shared and with whom, and the lawful basis on which you are relying to collect such data. For example, if you have a newsletter or mailing list, make sure that the purpose of your sign up form is very obvious so they know what they are signing up for.
  • Evaluate third-party apps and vendors for compliance. If you are using any third-party services to gather or process customer data, you’ll need to check with those companies to verify they are GDPR compliant and will assist you with, among other things, users’ data removal and portability requests.

Disclaimer: The information provided herein is for general informational purposes only and does not constitute legal advice. It has not been prepared with your specific circumstances in mind and therefore may not be suitable for use in your business. By relying on the information contained in this article, you assume all risk and liability that may result. Consult a legal expert regarding your obligations under any data privacy law to receive guidance tailored to your specific needs.

Can't find what you need?