What is the GDPR?
We are working hard to prepare for the EU’s General Data Protection Regulation (“GDPR”), which comes into effect on 25 May 2018.
The GDPR applies to all companies handling the personal data of Europeans, and brings the most significant changes to data protection law in more than two decades. It introduces strict rules on how companies like Zettle collect, hold and transmit or otherwise use personal data.
The GDPR aims to meet the requirements of the digital age, and give the control of personal data back to individuals. We are taking every reasonable step to make this happen. Read more below about how we work to ensure GDPR compliance.
What does the GDPR mean for me?
In short, the GDPR means that you:
- Have enforced rights to erasure, objection and correction when it comes to your data.
Want to learn more about the GDPR?
The EU Commission has a lot of valuable information. Please read more here.
Our commitment to the GDPR
We are committed to complying with applicable data protection laws
Keeping your information safe and secure is among our highest priorities at Zettle.
As a Swedish E-money Institution – duly licensed to issue electronic money and provide payment services under the Swedish Electronic Money Act (2011:755) and the Swedish Payment Services Act (2010:751), and being registered with, and supervised by, the Swedish Financial Supervisory Authority and operating on a cross-border basis in Europe – we take our compliance responsibilities, including data protection, very seriously.
Zettle has a data protection and privacy program in place, which is designed to identify and mitigate risk to the safety of personal data, and be compliant with the GDPR.
Zettle also has appropriate policies and procedures in place to ensure compliance, and monitor emerging legislative changes.
Zettle’s business is subject to a range of internal company policies, such as our Data Protection Policy and Information Security Policy, that document and outline Zettle’s approach and control environment in terms of the processing of personal data.
The GDPR Readiness Project
As part of our work toward GDPR-compliance, we have established the GDPR Readiness Project, a comprehensive initiative to evaluate the GDPR against Zettle’s current processes, policies and standards, and comply with the GDPR.
Zettle is actively working on its GDPR strategy, and has a project team mobilised and focusing on our strategy and implementation of the GDPR.
As part of the preparations for the GDPR, we have introduced:
Process for Data Subject Rights. Data subjects are the individuals to whom the personal data relates. Zettle has established training and procedures on how to recognise and respond to requests for personal data (for example, subject access requests). This includes, but is not limited to, procedures relating to appropriate identity checks to ensure that data is provided and shared in a secure way, and training on how to respond to requests for data portability (i.e. transfer of data), and for the correction and erasure of personal data.
GDPR training program. Zettle is introducing a comprehensive GDPR training program, aimed at all employees and other workers, to ensure they understand the basics of data protection, to create awareness about the nature and importance of personal data, to educate them to recognise and respond to data subject access requests, and to teach them how to report data breaches.
Incident Reporting Policy and Process. Zettle has established an incident reporting policy and supplementary procedures, supported by relevant teams, to enable the consistent evaluation and internal escalation (as required) of incidents, including those which may involve personal data.
Legal basis for processing. We are reviewing all of our activities related to personal data processing in order to identify the legal basis for processing, and ensure that each basis is appropriate to the processing activity it relates to. We also maintain a record of all these processing activities to ensure we meet our obligations under Article 30 of the GDPR.
Retention processes. Zettle has implemented appropriate processes when it comes to the personal data we retain, to ensure we meet the ‘data minimisation’ and ‘storage limitation’ principles of the GDPR, and that any personal data is stored, archived and destroyed or anonymised in a compliant manner.
Data Location. We aim to always store your personal data on servers within the EU. Where a transfer of personal data to another location outside of the European Economic Area (‘EEA’) is needed, we always ensure that such transfer is lawful and that your personal data is safeguarded with the same level of protection as within the EEA.
International Transfers. We have implemented procedures and safeguarding measures to ensure that your personal data is kept safe, regardless of where it is processed. We are continuously monitoring how international data transfers are regulated in a safe manner and we are committed to having a lawful basis for data transfers in compliance with applicable data protection laws.
Security. We take the privacy and security of individuals and their personal data very seriously, and take every reasonable measure and precaution to protect and secure the personal data we process. We have information security policies and procedures in place to protect personal data from unauthorised access, alteration, disclosure or destruction.
Third-Party Risk Management. We want to make sure that any third parties we work with are as committed to privacy as we are. We have procedures to carry out due diligence checks on all of our third parties to assess and verify that they have appropriate security measures in place to protect your personal data, and ensure that they are able to enforce all data subject rights, where applicable.