If you experience any difficulty in accessing our content, please contact us at 866.332.6127 or email us at Visit our Website Accessibility Policy for more info.

background image

GDPR Statement and FAQs

Deluxe Corporation has been a trusted custodian of sensitive data throughout its over 100-year existence.

The General Data Protection Regulation (GDPR), is an important EU privacy law that impacts businesses around the world targeting their products and services towards EU customers– regardless of whether the businesses in question have an established presence in the EU. The GDPR regulates how organizations use and treat the personal data of individuals residing in the EU. Ultimately, the GDPR gives individuals residing in the EU (“data subjects”) certain additional rights over how their personal data is collected, processed, retained and transferred.

The Privacy Compliance team at Deluxe is responsible for GDPR compliance initiatives across the GDPR impacted products/services and works on an on-going basis with a team of stakeholders across Deluxe to continue to assess and advance GDPR compliance. Some of the Frequently Asked Questions we have been receiving from our customers and business partners include the following:


Deluxe transfer personal data

Does Deluxe transfer personal data outside the European Union?

In general, EU personal data is transferred outside the EU. Deluxe meets its GDPR data transfer obligations through intracompany data transfer agreements following model clauses; and in some circumstances, EU personal data remains in the EU either through a data center or in the case of Deluxe HR files, through the use of EU based services.

Deluxe keep records

Does Deluxe keep records of its data processing activities?

Deluxe keeps records of its data processing activities and has completed data inventory audits and mapping of required services and products. As acquisitions occur, an analysis is conducted on any new acquisition and a plan is formed to meet GDPR requirements.

Deluxe Sub-Processors (Vendors)

Does Deluxe require its Sub-Processors (Vendors) to comply with the GDPR?

Sub-Processors processing EU personal data on behalf of Deluxe have been identified and are required to sign a GDPR-compliant Controller-Processor Terms Addendum.

Deluxe delete customer data

Does Deluxe have the ability to delete customer data upon request?

When Deluxe acts as a Data Processor (meaning, solely processing the data in connection with your directions), Deluxe abides by the direction provided from you, the Data Controller (meaning, the organization controlling the purpose and means of the data collection and processing) provided there are no legitimate interests requiring Deluxe to maintain the personal data.

When Deluxe acts as a Data Controller, Deluxe deletes data in accordance with GDPR requirements provided there are no legitimate interests requiring Deluxe to maintain the personal data.

It is important that all customers and business partners understand that the GDPR also places obligations directly upon them when they use our webhosting, email marketing, and logo services in connection with their businesses either located in the EU or directed at EU residents.

Each customer and business partner are responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with all the laws that apply to them today. Accordingly, you should seek appropriate legal guidance to understand your specific obligations under the GDPR.

Contact PrivacyProgramOffice@deluxe.com with any questions.

Additional Resources: