What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a regulation in EU law regarding the privacy and protection of personal data for people within the European Economic Area. Implemented on May 25th, 2018, the goal of this regulation is to grant EU citizens and residents greater control over their personal data and to set up a regulatory framework, or more simply, a single set of rules for data protection for all businesses operating within the EU.

This is great news for every EU citizen! The 99 articles of the GDPR hold organisations responsible for obtaining consent from the individuals whose information they gather. Additionally, these individuals should now be able to easily access the information organisations collect about them.

How does this affect how SumUp uses the data I supply?

Since our inception, SumUp has taken the protection of merchant data very seriously. Therefore, the GDPR does not change the measure of care we take with your data, but rather furthers the transparency between our company and you, our merchant, and requires that we obtain your specific consent for the transferring and processing of your data.

SumUp guarantees to collect, store and process your information in compliance with SumUp’s Privacy Policy and all relevant data protection legislation. This means that we will only use your data when needed to provide you with our service.

While SumUp may share your data with trusted third parties (acting on our behalf to provide you with our services), SumUp will ensure that these third parties maintain the highest possible standard for data protection and are in line with any applicable data protection legislation via contractual agreements and specific guidelines provided to them. All SumUp merchant data is held securely within the European Union.

In addition to adhering to the GDPR, SumUp is certified as compliant under the Payment Card Industry Data Security Standard (PCI-DSS). This means that SumUp takes extra care with the processing of cardholders’ data as well as ensuring that our hardware and software provide optimal security. This certification establishes our company’s ability to uphold the highest security standards available, so merchants can feel safe partnering with SumUp.

SumUp allows a merchant to request the details regarding the personal information SumUp retains about them by emailing a request to DPO@sumup.com.

What if I want SumUp to delete some or all of my personal data?

You can request the deletion of some or most of your personal data by emailing us at DPO@sumup.com. We say “most” because SumUp is required by other legal obligations to retain some information for set periods of time. For example, all transactional data has to be retained for 5 years after the relationship between SumUp and the merchant has ended, as required by Anti-Money Laundering rules.

Should you desire to withdraw your consent to the processing or the sharing of your personal data, please know that we will not be able to provide you with our services. Per the GDPR, we cannot legally provide you with our services without your consent. Additionally, on an operational level, SumUp requires your consent as we rely on numerous third parties to provide you with our services. For example, your consent allows banking partners to provide the payment services between you and your customers as well as your own payment settlements.

Additionally, you can withdraw your consent to receive supplementary marketing communications at any time, and this will not affect the service we provide to you.

We can assure you that we will continue to only send relevant and (we believe) interesting merchant-related updates, tips and offers that will enhance your business.

Do I need a Data Processing Agreement (DPA) between SumUp and my business?

No, there is no need for merchants to sign a DPA with SumUp. This data processing agreement is only required between data controllers and data processors, and in this case, to allow the protected sharing of your data to provide the service to you. As you, the merchant, are the data subject and SumUp is the data controller, there is no need for a DPA between either party. The Privacy Policy you agree to as a merchant is our (SumUp’s and the merchant’s) legally binding contract which satisfies all data protection laws.

Note that SumUp has put in place DPAs with all of the third-party data processors with whom we may share your data in order to provide you with our services.

Need more info? Please send a message to the SumUp Support Team or contact the Data Protection Officer at any time.

Email: DPO@sumup.com

Post: Data Protection Officer, SumUp Payments Limited, 16-20 Shorts Gardens, London WC2H 9US, UK