What is the GDPR?

The General Data Protection Regulation, or GDPR, is a legal framework that aims to protect the privacy of EU citizens while providing a unified regulatory environment for international organizations. It provides a framework for ensuring the security of personal data as well as a process for addressing breaches should they occur. It also enumerates rights granted to EU citizens concerning their personal data and specifies what data is legally allowed to be collected.
Any organization that collects the personal data of EU citizens is required to comply with this regulation regardless of where the organization is located or where the data is processed.
The GDPR becomes law on May 25, 2018.

How does the GDPR affect Kiosk and our clients?

Kiosk is committed to full GDPR compliance. We began GDPR preparation in 2017 and have reviewed and – where necessary – updated all of our internal processes, procedures, systems and documentation to meet requirements.
When considering the GDPR it is important to understand roles and responsibilities. In the majority of our client relationships, Kiosk is a ‘data processor’ and clients are ‘data controllers’. Members of the public using services provided by Kiosk on behalf of our clients are ‘data subjects’. We encourage you to check with your organization’s legal counsel to determine whether you are a ‘controller’, a ‘processor’, or both and to understand the full scope of your compliance obligations.
The GDPR grants rights to data subjects with regard to their personal data, including, but not limited to, the right to access their data, right to rectify incorrect data, right to be forgotten, right to restrict processing, right to data portability, right to object to processing, right to know of the existence of automated decision-making, and notification of the execution of any of the above. Requests from data subjects must be responded to within 72 hours.
The GDPR places focus on ensuring consumer consent is obtained in a transparent and unambiguous manner which may require a change in practice where data collection and usage currently relies on assumed consent. Consent must be obtained from users, subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis.
The full text of the GDPR can be read here.

What’s the difference between a ‘data processor’ and a ‘data controller’?

A controller is the organization that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing.
A processor is the organization that processes the data on behalf of the controller.
Controllers retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor as well.
Processors must receive approval from the controller should they wish to work with a third-party processor. Kiosk has reviewed the policies of our third-party processors to confirm their commitment to GDPR compliance. Our third-party processors are listed at the foot of this page.

How is ‘personal data’ defined?

The GDPR defines personal data as “any information related to an identified or identifiable natural person” including – but not limited to – names, mailing addresses, telephone numbers, IP addresses, behavioural data, location data, biometric data, genetic data, financial data and social identity data.

What is ‘processing’?

The GDPR states that processing is “any operation or set thereof performed on personal data or a set thereof, automated or otherwise, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
Kiosk interprets this as “anything we can do with personal data”, and as soon as we receive personal data we consider ourselves a processor.

What happens if you don’t comply?

Non-compliance with the GDPR can result in enormous financial penalties. Sanctions for non-compliance can be as high as 20 Million Euros or 4% of global annual turnover, whichever is higher.

Data Protection Officer

Kiosk has nominated Alan Raistrick as its Data Protection Officer (DPO). The DPO can be contacted at

Execution of data subject rights

If you are a citizen of the European Union and wish to exercise the rights granted you by the GDPR, please submit your request to

Third-party processors

Kiosk uses third-party processor to provide business functions such as business analytics and data storage. Prior to engaging any third-party processor, Kiosk performs due diligence to evaluate their compliance with industry standard data security policies and the GDPR. This page will be updated if and when we add or remove third-party processors.

Entity Name Processing Activities Location
Amazon Web Services, Inc. Cloud Servers and Data Storage United States and Republic of Ireland
Google LLC Analytics and Cloud Storage United States
MailChimp Email Marketing United States



For GDPR inquiries, please contact