Hi. How can we help?

Retail POS (X-Series) and the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a wide-sweeping data protection law that sets a high bar for global privacy rights and compliance. The GDPR will likely apply to you if your company is based in the EU or if you have customers or contacts in the EU.

The purpose of this guide is to give you details on Lightspeed's approach to GDPR and to provide you with an overview of the requirements to help you with your compliance.

This guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professional advisers to determine exactly how the GDPR may apply to your organisation.

  Are you a Retail POS retailer in the EU, or do you have customers in the EU?

We’ve prepared a Data Processing Addendum (DPA), which will help your store be compliant with GDPR.

If your store is based in the EU, or you have customers based in the EU, you should sign our Data Processing Agreement if you have not already done so. It allows the lawful transfer of EU personal data to Retail POS, under GDPR regulations.

Sign our DPA here!

After clicking the link above and entering your name and email address, instructions on how to complete this addendum will appear. You should keep a copy of the Data Processing Agreement for your personal records.

What has Retail POS done to help you comply with GDPR?

We’re supportivet the strong data privacy and security principles that the GDPR emphasises. We’ve done a lot of work as part of our GDPR readiness project, this includes:

  • Reviews and updates to our internal data processes, procedures, data systems and documentation.
  • Continued investment in our security infrastructure.
  • Reviews and updates to our third party vendor contracts.

  We’ve updated our Terms of Use and Privacy Policy

We know it’s not the kind of news that gets you out of bed in the morning, but we’ve updated our Terms of Use and Privacy Policy. Generally, the changes ensure we meet the GDPR’s high standard of data privacy principles, and that the handling of data by Retail POS and Retail POS retailers is made clearer.

If you have customers in the EU and collect their data in Retail POS, under the new GDPR, you're considered a 'data controller'. The GDPR gives people the right to access, correct, delete and restrict how their data is used, and as a data controller you are required to allow people to exercise these rights. These include:

  • The ‘right to object’ - Your customers may object to the use of their data for profiling or direct marketing activities.

  • The ‘right to restrict processing’ - Customers may request the suppression of their personal data, which means that you may store the data but not use it.

Outlined below are upcoming and existing tools to help you honour these data requests from your users or customers in Retail POS.

Tools to help you comply with the GDPR:

We are continuing to build tools to help our retailers comply with the GDPR. This page will be updated with new tools and features as they become available.

Deletion Request Support for Users and Customers:

We’re making sure delete means delete, helping you to honor requests related to the ‘right to be forgotten’ from users and customers. This will ensure that personal data relating to a user’s or customer’s identifier is fully deleted from Retail POS upon request. For any content (i.e. sales, reports, etc.) previously associated with a deleted user’s identifier, “Anonymous User” or “Anonymous Customer” will show instead.

Automatic Suppression:

To help you comply with the ‘right to object’ or ‘right to restrict’ related requests, any user’s identifier associated with a Delete action will automatically be placed on a suppression list. For any user’s identifier on the suppression list, we will block all incoming personal data pertaining to that user Id from being tracked by Retail POS and sent to integrations.

Existing tools to help you comply with GDPR

Below are the tools readily available in Retail POS to assist your compliance with the GDPR which cover the right to access, data portability, rectification and consent. These include:

Data Exporting Tools:

To honor the ‘right to access’ (individuals have the right to access their data) and ‘right to data portability’ (individuals are able to obtain and reuse their personal data) that EU residents now have the rights to under the new GDPR, Retail POS allows you to export customer lists and sales ledgers in a CSV format. Check out our Help Centre for exporting options available in Retail POS. You can also set-up a Personal Token which interacts with Retail POS’s comprehensive API (See: https://docs.vendhq.com/) to retrieve personal data associated with a data subject supporting the access and portability rights.

Ability to Rectify User or Customer Data:

Under the GDPR, individuals have the ‘right to rectification’ which means that any personal data they deem inaccurate or incomplete, individuals have a right to correct it. Retail POS lets you rectify all data associated with data subjects. You can do this inside the app under the navigation items ‘Users’ and ‘Customers’ respectively.

Customer Consent to Receiving Marketing Materials:

In Retail POS, it’s possible to capture customer consent to receive marketing or promotional materials from you. Before adding a customer to your database, there’s a toggle to opt them in or out of marketing communications based on the customer’s stated preference. Additionally, when you add a customer to your Loyalty program, they’ll need to tick a checkbox when they receive their Loyalty signup email, in order to capture their consent.

Reduced Risk of Data Destruction:

Under the right to restoration of a data subject, to reduce the risk of accidental destruction of data or malicious destruction of data, it’s now possible to disable users temporarily, rather than permanently deleting them in Retail POS. Users are unable to log in to Retail POS while their account is disabled. When their account is re-enabled, they’ll be able to log in with their original account details and begin selling as normal.

Two-factor Authentication security:

Two-factor authentication adds an extra layer of security to your admin user accounts in Retail POS. Using two-factor authentication helps to reduce the risk of unauthorized access to data. For more information on two-factor authentication in Retail POS, refer to our Two-factor authentication (2FA) in Retail POS (X-Series) guide.

Overview of GDPR

What is GDPR?

At its core, GDPR is a set of rules designed to give citizens more control over their data. It aims to simplify the regulatory environment for businesses so both citizens and businesses can fully benefit from the digital economy.

Who does GDPR apply to?

The “extra-territorial” application of GDPR applies to all organizations that process the personal data of EU residents or monitor individuals' behaviors conducted within the EU, regardless of the entity's location.

“Personal data” is broadly defined and means any information relating to an identified or identifiable natural person ('data subject'). Personal data can be a name, address, bank details, email address, posts on social media, or even an IP address or a cookie ID.

Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection. You should not store data of this nature within your Retail POS account.

Regardless of whether or not you believe your business will be impacted by GDPR, GDPR and its underlying principles may still be important to you. European law tends to set the trend for international privacy regulation, and greater privacy awareness now may increase your competitive advantage in the future.

Controller vs Processor

GDPR outlines different requirements for Controllers (entities who determine the purposes and means of the processing of personal data) and Processors (entities who process personal data as directed by a Controller).

Controllers retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); although GDPR does place some direct responsibilities on the processor too. Therefore it is important to work out whether you are acting as a controller or a processor, and, as such, to understand your obligations.

In most circumstances, in the context of Lightspeed services, our customers are acting as the controller. Our customers, for example, decide what information is uploaded to their Retail POS account. Lightspeed is acting as a processor by performing services for our customers using Retail POS.

Some of the key points to note in respect of GDPR include:

Data protection by design and default

Under the “privacy by design” requirement of GDPR, you will need to design compliant policies, procedures and systems at the outset of product development. The “privacy by default” principle will require that, by default, only personal data that is necessary for a specific purpose is to be processed.

Lawfulness of processing

You will need to ensure that all processing of data is based on a lawful ground for processing. These are consent, performance of a contract, legal obligation, protection of vital interests, tasks carried out in the public interest, or legitimate interest balanced against the fundamental rights of data subjects.

Customer consent

Under GDPR, you might need to obtain consent to process the personal data of your customers or change how you currently obtain that consent. In particular, GDPR says that consent must be "freely given, specific, informed and unambiguous." You will need to review existing consent mechanisms, to ensure they present genuine and granular choice.


GDPR includes specific parental-consent requirements when processing the personal data of users under the age of 16 (or lower depending on the country). You should consider whether parent consent is required and whether you need to change how you process customer data to either obtain parental consent or stop processing the date of customers under the age of 16.

Personal data breach notification

Data breaches must be notified to the relevant supervisory regulator as soon as possible, and in any event within 72 hours of the breach being identified. GDPR states that breaches that are unlikely to result in risks to individuals do not require reporting.

Data Protection Officer

Processors processing a significant volume of data, or processing ‘sensitive’ data, may be required to appoint a data protection officer (DPO). DPOs will be responsible for monitoring the data processing activities of the business and ensuring compliance with GDPR. It is expected that certain businesses may voluntarily appoint a DPO to help demonstrate adoption of best practice procedures and strengthen any defence to a regulatory investigation.

Enhanced rights for data subjects

EU citizens have several important rights under GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability.


Non-compliance with GDPR can result in very high financial penalties. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).


Retailers should take steps to protect their businesses from hackers and fraudsters. Click here for action steps you can immediately implement in your business.

Further reading on GDPR

Need more information? Below are links to some helpful GDPR resources:



Was this article helpful?

1 out of 2 found this helpful