Complying with privacy laws

Privacy laws are designed to protect and empower the privacy of citizens and to reshape the way organizations across the region approach data privacy.

• Europe's General Data Protection Regulation (GDPR) took effect on May 25, 2018
• The California Consumer Privacy Act (CCPA) took effect on Jan 1, 2020

You can read helpful answers to the essential FAQs. As a Lightspeed OnSite merchant, the 6 privacy requests you need to comply with are the following:

Customers:

• Exporting customer data
• Deleting customer data
• Modifying customer data

Employees

• Exporting employee data
• Deleting employee data
• Modifying employee data

We recommend that our merchants do their due diligence to confirm the identity of their employees and customers before completing their privacy requests. We also recommend identifying any potential reason why you might need to keep some of the personal data that your customer or employee is requesting to delete (e.g. for tax, regulatory or payment processing (chargeback) reasons).

If you have Lightspeed eCom connected to your OnSite inventory, you'll also need to perform actions in eCom. Read Required privacy actions for more information.

Similarly, merchants that have integrated their accounts with one of our partners need to contact them directly to learn what personal data they have and how to complete privacy requests on their end.

NOTE: All of our Lightspeed products support the above privacy requests. For instructions specific to your Lightspeed product, please see their respective privacy Help articles:

• Lightspeed eCom
• Lightspeed Restaurant
• Lightspeed Retail

Privacy FAQ

1. What are privacy laws?

   Privacy laws aim to give citizens more control over personal data by regulating how businesses use this data. These regulations govern the viewing, storing, changing, transferring and even deleting of personal data. Personal data is defined as any information related to a natural person (or "data subject") that can be used to directly or indirectly identify them. This includes information such as names, addresses, email addresses and phone numbers.

   For more information on privacy laws and Lightspeed's efforts to comply with them:

   Lightspeed's privacy policy

   GDPR related

   • https://www.lightspeedhq.co.uk/gdpr/
   • https://www.lightspeedhq.co.uk/blog/2018/05/implementation-gdpr-25th-may/

   CCPA related

   • https://www.lightspeedhq.com/blog/california-consumer-privacy-act/

2. Who is affected by privacy laws?

   There are currently two privacy laws:

   • GDPR - Merchants that process or control personal data for residents of the European Union (EU).
     
   • CCPA - Merchants that do business in California who meet at least one of these minimum thresholds:
     • Exceed a gross revenue of $25 million, 
     • Collect or sell personal information of 50,000 consumers
     • Receive 50% or more of it's annual revenue from selling personal information.

3. What are Data Processing Agreements (DPAs) and why do I need to sign them?

   As Lightspeed is helping merchants in the processing of personal data, we are required by law to enter into a Data Processing Agreement (DPA) with our merchants affected by privacy laws. You can request to receive a form during the same process as submitting a privacy request to Support. 

   Signing the DPA is fully to your benefit as it creates specific rights for you in relation to Lightspeed’s processing activities. Also, it clearly describes all the obligations that Lightspeed has towards you. Once you've signed the DPA, it is effective immediately and is legally binding. If you haven't received the DPA from us yet, it's important that you request the DPA by submitting a privacy request to Support. This will ensure that you're compliant with privacy laws and avoid fines from the privacy authorities.

   It's also important to note that upon your permission, Lightspeed shares the personal data that you control in your OnSite account with partners that you've selected to integrate with. This allows our partners to pull the data they need to build their integrations and Lightspeed to offer the best business solution to you as a merchant. Because of the data-sharing nature of our partner integrations, if you're a merchant affected by privacy laws and you have integrated your OnSite account, you'll also need to enter into a DPA with our partners. For more information, please contact our integration partners directly.

4. In which scenarios would I need to submit a privacy request to Lightspeed Support?

   Read Submitting a privacy request to Support.

5. As a Lightspeed OnSite merchant, what do I need to do in the event of a data breach?

   Under privacy laws, a data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."

   If the data breach relates to data Lightspeed is processing on behalf of you as a processor, we will always notify you within 36 hours after discovery. It is then your responsibility as a Lightspeed OnSite merchant to make an assessment whether or not you should be notifying the supervisory authorities, your customers and your employees.

   If you've determined that the data breach is likely to result in a high risk to the rights and freedoms of your customers and/or employees, you'll need to:

   1. Notify the supervisory authorities within 72 hours after discovery.
   2. Notify the affected customers and/or employees ("data subjects") as soon as possible and include the following information:
   • a description of the nature of the breach.
   • the name and contact details of your data protection officer or other contact point;
   • a description of the likely consequences of the breach.
   • a description of the measures that you've taken or have proposed to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects
   3. Keep a record of all the data breaches that have occurred, regardless of whether you're obliged to notify the authorities, your customer or your employees.

   If any of the following conditions are met however, communications to each individual customer and/or employee wouldn't be required:

   • You've implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.
   • You've taken subsequent measures which ensure that the high risk to the rights and freedoms of your customers and/or employees is no longer likely to materialize.
   • Communicating to your customers and/or employees would involve disproportionate effort. In such a case, you'll be required to send a public communication or similar measure whereby they'll be informed in an equally effective manner.

   For more information on data breach notification requirements:

   • GDPR
   • CCPA

6. What are some additional resources that can guide me as a merchant affected by privacy laws?

   Outside of complying with the a privacy laws as a Lightspeed OnSite merchant, it's easy to get overwhelmed with the amount of privacy information that's circulating and its requirements. To point you in the right direction and help you get started, below you'll find some additional resources that aim to guide merchants affected by privacy laws.

   • Guide to the GDPR
   • Guide to documenting your processing activities under the GDPR
   • Guide to the CCPA