Since May 25th, 2018, all businesses processing personal data of EU citizens must follow the General Data Protection Regulation (GDPR).
The main goals of the GDPR are to give people more rights and transparency over their personal data and to create a single legal environment across all European countries.
Strong data privacy and security are a high priority for us. We are committed to meeting all GDPR requirements, and we want to help retailers with their own compliance efforts.
To be compliant with the European regulation, we recommend that you consult the documentation from the supervisory regulator of your country or from any other EU country:
If you collect your customers' data in your POS account, you are considered a data controller.
You are required to inform your customers about their rights (right of access, right to rectification, right to be forgotten, right of portability, right to object).
You must ensure that you collect and process data transparently. Only personal data that is necessary may be collected, and only for a limited period. Personal data can only be processed for a specific purpose on a lawful ground.
You must ensure your compliance with the GDPR (accountability principle). A data protection officer can be appointed to monitor all data processing activities.
Here are some tips to comply with the GDPR:
– You must obtain your customer's consent for any use of their personal data (e.g. subscription to a mailing list, marketing operations such as a loyalty program). You can create specific customer tags (more information) to record that your customer has given their consent.
– You must not store illegal or sensitive data that is not necessary for your activity. You should train your employees, for example by instructing them never to record slanderous comments in customer forms or sale notes.
– You must anonymize a customer's data upon their request under the right to be forgotten, by modifying all data in their customer form that could identify them.
– If you export your customer data to process it outside your account, you should check that you still comply with the GDPR, as should any third-party operator you subcontract to.
– If you identify a data breach, you must immediately notify the relevant supervisory regulator of your country. Examples: one of your employees exports your customer database without permission, or an unauthorized person succeeds in accessing your account. Access to your customer data must be limited to authorized persons only. You can manage rights and restrictions in the Settings of your account.
– You should archive inactive customers regularly, in order to stop marketing activities after a period of inactivity.
Information in this article may be incomplete and should not be relied upon as legal advice. You should contact legal professionals or the relevant supervisory regulator in your country to find out how the GDPR applies to you.