QuickBooks GDPR Centre
The EU General Data Protection Regulation (GDPR) governs the processing of people’s personal data in the European Union.
Intuit's policy is to comply with applicable local laws on our business-related use of personal data.
In addition, we apply our own Data Stewardship Principles. These are guided by the essential value that the data entrusted to us belongs to our customers and their end users.
Frequently asked questions
What is Intuit doing about GDPR?
Intuit complies with applicable local laws on our business-related use of personal data. This ensures that we meet the applicable standards set out in such laws.
In addition, we apply our own Data Stewardship Principles. These are guided by the essential value that the data entrusted to us belongs to our customers and their end users. Our values and approach to privacy and data protection have enabled us to successfully serve small businesses, accountants and bookkeepers for many years. And we believe our implementation of GDPR allows us to continue to earn our customers’ trust.
What do I need to do to be GDPR compliant?
Every business is unique, and your GDPR compliance obligations will depend on many factors, including how you choose to collect, use, and share data about your employees and customers. You need to do an evaluation based upon your unique circumstances. To help you assess whether our Services are right for you, we recommend you review the following:
- Our Terms of Service and Data Processing Agreement set out how we’ll handle any personal information you trust us with (these Terms will be updated soon as part of our GDPR Readiness program);
- Our technical and organizational security measures; and
- How you may take actions in our products to fulfill individual rights requests you may receive.
Is Intuit a controller or a processor?
With the exception of our Payroll and our employee time-tracking (TSheets) services, Intuit acts as an independent controller of the personal information placed in our products and services.
The GDPR distinguishes between the roles of a 'controller' and a 'processor' – each having different compliance roles and responsibilities. The GDPR defines a controller as an entity that determines the "purposes and means" of the data processing – or, in layman's terms, "how and why" data is processed. A processor, on the other hand, is defined as the entity that "processes personal data on behalf of the controller".
At Intuit, our mission is to "Power Prosperity Around the World" by focusing the power of many, to drive the prosperity of one. This means that we use the data from each customer to derive insights, benefits and improve the services for all of our customers. To do this, we rely on technologies – like machine learning algorithms – that help us develop new products and services to meet our customers' needs.
One example is our business expense classification tools – by analyzing how customers often classify certain expenses (as business or personal), we can make suggestions to make your classification more efficient.
These technologies necessarily collect, process and store customer data in ways and for purposes that we determine, and to provide these features and improvements to you, we must necessarily process this data as a controller. Acknowledging our status as a controller simply reflects the factual reality of our data processing practices. As a controller, we have more, not fewer, obligations under the GDPR – so you can rest assured we'll process it in accordance with our Data Stewardship Principles and take the protection of your data very seriously.
If you are currently using our payroll or TSheets services in the EU, we will be offering new data processing terms to satisfy your compliance obligations with regard to our processing of the personal data that we process on your behalf. Please look for an update to our terms in the near future.
Will you sign my company’s Data Processing Agreement?
While we do not execute outside agreements, we do have specific terms that are reflective of the role that Intuit plays as either a controller or processor:
- If you are a QuickBooks customer, our Terms of Service set out our commitments to protect personal data when we provide these services to you. For these services, by virtue of being a controller, we are also directly subject to compliance with data protection laws such as the GDPR.
- If you are a Payroll or TSheets customer, we have additional terms in our Data Processing Agreement that apply. The Data Processing Agreement sets out your instructions to us and governs how we will process any personal information in connection with these services.
Where is my data located when I use your services?
Our main data storage locations are in the USA. However, as a global company, data are accessed from various locations by our global teams and our trusted partners.
The GDPR does not preclude EU personal data being stored (or otherwise processed) in the USA, as long as there is a data transfer mechanism in place approved by the European Commission. One such approved data transfer mechanism is the EU-US Privacy Shield regime. Intuit is a certified member of the Privacy Shield scheme. https://www.privacyshield.gov/participant?id=a2zt0000000GnRuAAK&status=Active
We certify to the EU-US Privacy Shield scheme for our use of personal data in the USA, and we apply guidelines and practices to protect all personal information, including the EU-US Privacy Shield Principles. To learn about the Privacy Shield principles, please visit www.Privacyshield.gov.
When it comes to our trusted service providers, our practice is to put contractual terms in place to ensure they follow our instructions and have appropriate security in place to protect the personal data we trust them with.
I am an accountant. What is the protection for my clients?
The security of our products remains a top priority. We safeguard your information using measures such as:
- implementing access controls;
- installing anti-virus software on our servers;
- performing internal risk assessments and compliance audits;
- regularly testing our security controls, including external audits;
- performing background checks on employees upon hiring; and
- providing security and privacy training to our employees.
Ultimately, no technology platform is without its risks and it is up to you to assess the adequacy of our security in relation to your particular use of services.
For more information about our approach to information security, please visit our Security Center at https://security.intuit.com/index.php
Do you have an appointed Data Protection Officer?
We do not have a 'data protection officer', but we do have a dedicated team of privacy and security professionals who perform the duties that a Data Protection Officer would perform, if we were required to appoint one.
Don’t I have to keep my customers’ invoices for 7 years?
As a general rule of thumb, 7 years is the standard retention period for invoices and other documents retained for financial record-keeping purposes. However, the legal requirements differ from country to country and may vary across different types of records. To determine your business’s retention obligations, you should consult a local expert or legal counsel.