GDPR: General Data Protection Regulation

GDPR Statement and FAQs

Deluxe Corporation has been a trusted custodian of sensitive data throughout its over 100-year existence.

As our Small Business web hosting, email marketing and logo design customers and business partners are likely aware, the General Data Protection Regulation (GDPR) is an important EU privacy law that will impact businesses around the world that target their products and services at EU customers, regardless of whether the businesses in question have an established presence in the EU. The GDPR is enforceable on May 25, 2018 and regulates how organizations use and treat the personal data of individuals residing in the EU. Ultimately, the GDPR gives individuals residing in the EU ("data subjects") certain additional rights over how their personal data is collected, processed, retained and transferred.

The Privacy Compliance team at Deluxe is responsible for GDPR compliance initiatives across the GDPR-impacted products and services, and works on an ongoing basis with a team of stakeholders across Deluxe to continue to assess and advance GDPR compliance. Some of the frequently asked questions we have been receiving from our customers and business partners include the following:

Q: Does Deluxe transfer personal data outside the European Union?

A: In general, EU personal data is transferred outside the EU. Deluxe meets its GDPR data transfer obligations in two ways: (1) Deluxe has executed intracompany data transfer agreements following the model clauses; and (2) Deluxe adheres to the EU-US Privacy Shield framework. More information on the Privacy Shield framework can be found here: https://www.privacyshield.gov/welcome. Our EU-US Privacy Shield Policy can be found here: https://www.deluxe.com/policy/privacy-shield

In some limited circumstances, EU personal data remains in the EU, either in an EU data center or, in the case of Deluxe HR files, through the use of EU-based services.

Q: Does Deluxe keep records of its data processing activities?

A: Deluxe keeps records of its data processing activities and has completed data inventory audits and data mapping for the in-scope services and products. As acquisitions occur, an analysis is conducted on each new acquisition and a plan is formed to meet GDPR requirements.

Q: Does Deluxe require its Sub-Processors (Vendors) to comply with the GDPR?

A: Sub-Processors processing EU personal data on behalf of Deluxe have been identified and are required to sign a GDPR-compliant Controller-Processor Terms Addendum.

Q: Does Deluxe have the ability to delete customer data upon request?

A: When Deluxe acts as a Data Processor (meaning it processes the data solely in accordance with your directions), Deluxe abides by the direction provided by you, the Data Controller (meaning the organization that determines the purpose and means of the data collection and processing), provided there are no legitimate interests requiring Deluxe to retain the personal data.

When Deluxe acts as a Data Controller, Deluxe deletes data in accordance with GDPR requirements, provided there are no legitimate interests requiring Deluxe to retain the personal data.

It is important that all customers and business partners understand that the GDPR also places obligations directly upon them when they use our web hosting, email marketing, and logo services in connection with businesses that are either located in the EU or directed at EU residents.

Each customer and business partner is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with all the laws that apply to them today. Accordingly, you should seek appropriate legal guidance to understand your specific obligations under the GDPR.

Contact PrivacyProgramOffice@deluxe.com with any questions.

Additional Resources:

http://ec.europa.eu/justice/smedataprotect/index_en.htm