What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a regulation in EU law regarding the privacy and protection of personal data for people within the European Economic Area. Implemented on May 25th, 2018, the regulation aims to grant EU residents greater control over their personal data and to set up a regulatory framework, or more simply, a single set of rules for data protection for all businesses operating within the EU.

This is great news for every EU resident! The 99 articles in the GDPR serve to hold organisations responsible for obtaining consent from the individuals whose information they gather. Additionally, these individuals should now be able to easily access the information organisations collect about them.

How does this affect how SumUp uses the data I supply?

Since our inception, SumUp has taken the protection of merchant data very seriously. Therefore, the GDPR does not change the measure of care we take with your data, but rather furthers the transparency between our company and you, our merchant, and requires that we obtain your specific consent for the transfer and processing of your data.

SumUp guarantees to collect, store and process your information in compliance with SumUp’s Privacy Policy and the GDPR. This means that we will only use your data when needed to provide you with our service and analytics.

While SumUp may share your data with trusted third parties operating outside of the European Economic Area (acting on our behalf to provide you with our services), SumUp will ensure that these third parties maintain the highest possible standard for data protection and are in line with any applicable data protection legislation. All SumUp merchant data is held within the European Union.

In addition to adhering to the GDPR, SumUp is certified as compliant under the Payment Card Industry Data Security Standard (PCI-DSS). This means that SumUp takes extra care with the processing of cardholders’ data as well as ensuring that our hardware and software provide optimal security. This certification establishes our company’s ability to uphold the highest security standards available, so merchants can feel safe partnering with SumUp.

In adherence to the GDPR, SumUp allows a merchant to request a complete list of the personal information SumUp retains about the merchant by emailing a request to DPO@sumup.com.

What if I want SumUp to delete some or all of my personal data?

You can request the deletion of some or most of your personal data by emailing us at DPO@sumup.com. We say “most” because SumUp is required by Anti-Money Laundering regulations to maintain all transactional data collected for a minimum of 5 years after the partnership between SumUp and the merchant has ended.

Should you desire to withdraw your consent to the processing or the sharing of your personal data, please know that we will not be able to provide you with our services.

Additionally, you can withdraw your consent to receive supplementary (albeit informative) marketing information at any time, and this will not affect the service we provide to you.

Will the regulation also affect me, although I live outside of the EU?

The GDPR only relates to data subjects within the EU and the sharing of their data. This means that organisations outside the EU must comply with the GDPR if they are processing data about citizens within the EU. As many countries are implementing similar measures to the GDPR, we are therefore treating all customers equally by implementing our GDPR requirements and protections for all of our merchants.


Need more info?
Please send a message to the SumUp Support Team or contact the Data Protection Officer at any time.

Email: DPO@sumup.com

Post: Data Protection Officer, SumUp Payments Limited, 32 - 34 Great Marlborough St, W1F 7JB, London, United Kingdom
