Overview of the General Data Protection Regulation and how it may impact your business

Last updated: Apr 8, 2026, 10:10 AM

Learn about the General Data Protection Regulation (GDPR) and your potential responsibilities in this area. The contents of this guidance note should not be construed as legal advice. If you have any questions about the applicability of the GDPR to your business or your obligations, we recommend reaching out to your own independent legal counsel.

Toast is committed to ensuring that individuals who provide personal information (referred to as “personal data” for the purposes of this GDPR guidance note) to Toast and our customers trust that their information is being adequately protected and managed in line with their expectations and in accordance with the applicable data privacy legislation. Part of this commitment means that our customers have the appropriate information and tools on hand to understand their obligations and how Toast can support certain aspects of these obligations.

General Data Protection Regulation (GDPR) overview

What is the GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that applies to the personal data of individuals located in the European Union (EU) or European Economic Area (EEA). The GDPR applies a single data protection law that is binding throughout each EU member state.

What is personal data under the GDPR?

The GDPR uses a very broad definition of personal data. It means any information that directly or indirectly relates to an individual. This can be a name, a phone number, an email address, or a unique identifier like a transaction ID. When in doubt, if the information identifies or can identify an individual, it is likely to be considered personal data under the GDPR. 

Does the GDPR affect my business?

There are two different roles that can apply to businesses under the GDPR and affect the way that they manage their operations with respect to data protection: being a Data Controller or being a Data Processor (as such terms are defined under the GDPR). 

Customers are most likely considered to be a Data Controller for the personal data they collect from restaurant guests through Toast devices and services to use for their own purposes. Data Controllers have specific, defined obligations under the GDPR, including notice requirements and responding to individual rights requests. In certain cases, Toast will help customers provide notice within their restaurants regarding the use of Toast’s products and services, and Toast may assist customers in responding to individual rights requests. 

Individual rights under the GDPR

Individual rights overview

The GDPR provides a number of individual rights that your customers or employees may be able to exercise depending on the applicability of the GDPR to your business. The most common rights requests that you may receive while using Toast products and services include:

  • Right of Access: Individuals may request to receive some or all of their personal data from a Data Controller, including information related to the purposes of processing and the categories of personal data involved. 
  • Right to Deletion (also known as the “Right to be Forgotten”): Individuals may request to have some or all of their personal data erased from a Data Controller’s databases with certain exceptions. 
  • Right to Rectification/Correction: Individuals may request that the Data Controller correct inaccurate personal data.

This is a high-level summary of the individual rights under the GDPR. There are additional requirements in relation to each right as well as many exceptions where these rights may not be able to be invoked depending on the specific circumstances. 

Please consult with your independent legal counsel to determine the applicability of the GDPR to your business and the applicability of the above rights to determine if you need to comply with an individual’s request.

Individual rights considerations under the GDPR

Below are some considerations when you receive an individual rights request from one of your customers or employees:

  • Identity verification: Data Controllers must verify the identities of individuals submitting individual rights requests before providing the individuals’ personal data back to them. GDPR sets a higher bar for identity verification for access requests than for deletion requests. Data Controllers should use all reasonable measures to verify identity for access requests. Delivery of personal data to the wrong person can be considered a breach of the security of personal data under the GDPR, which could require notification to the applicable Supervisory Authority and/or the data subject(s).
  • Applicability determination: Once an individual’s identity has been verified, the Data Controller should determine whether the individual's rights request is valid under the GDPR or whether an exception applies.
  • Timelines and communication: Data Controllers must respond to an individual making an individual rights request without undue delay and in any event within one month (including weekends) of the receipt of the request. Data Controllers may extend this response period under certain circumstances, but doing so is likely to be a rare occurrence.
  • Rights fulfillment: Data Controllers must keep a record of their fulfillment of rights requests under the GDPR accountability principle. These records should be accurate and up-to-date. If a Data Controller chooses to not fulfill an individual rights request, the Data Controller must inform the individual directly of its reasons for not fulfilling the request and do so within one month of the receipt of the individual’s request at the latest.

In certain cases, Toast may be able to support our customers with individual rights fulfillment. Toast has prepared additional guidance outlining where Toast is able to assist during this process. Check out our article How Toast can support your General Data Protection Regulation compliance efforts for more information.
