QuickBooks GDPR Centre

Intuit complies with applicable local laws relating to our use of personal information. This ensures that we meet the applicable standards set out in such laws.

Per the FAQ's published by the UK Information Commissioner's Office, "The GDPR has been incorporated into UK data protection law as the UK GDPR – so in practice there is little change to the core data protection principles, rights and obligations found in the UK GDPR." Intuit's Global Privacy Statement governs Intuit's processing of personal information collected by or through our products and services. Intuit remains committed to complying with applicable data protection laws and regulations and continues to monitor and adapt to changes as needed.

In addition, we apply our own Data Stewardship Principles. These are guided by the essential value that the data entrusted to us belongs to our customers and their end users. Our values and approach to privacy and data protection have enabled us to successfully serve small businesses, accountants and bookkeepers for many years. And we believe our implementation of GDPR allows us to continue to earn our customers’ trust.

Every business is unique, and your GDPR compliance obligations will depend on many factors, including how you choose to collect, use, and share data about your employees and customers. You need to do an evaluation based upon your unique circumstances. To help you assess whether our Services are right for you, we recommend you review the following:

• Our Terms of Service and Data Processing Agreement sets out how we’ll handle any personal information you trust us with (these Terms will be updated soon as part of our GDPR Readiness program);
• Our technical and organizational security measures; and
• How you may take actions in our products to fulfill individual rights requests you may receive.

With the exception of our Payroll and our employee time-tracking (QuickBooks Time) services, Intuit acts as an independent controller of the personal information placed in our products and services.

The GDPR distinguishes between the roles of a 'controller' and a 'processor' – each having different compliance roles and responsibilities. The GDPR defines a controller as an entity that determines the "purposes and means" of the data processing – or, in layman's terms, "how and why" data is processed. A processor, on the other hand, is defined as the entity that "processes personal data on behalf of the controller".

At Intuit, our mission is to "Power Prosperity Around the World" by focusing the power of many, to drive the prosperity of one. This means that we use the data from each customer to derive insights, benefits and improve the services for all of our customers. To do this, we rely on technologies – like machine learning algorithms – that help us develop new products and services to meet our customers' needs.

One example is our business expense classification tools – by analyzing how customers often classify certain expenses (as business or personal) we can make suggestions that to make your classification more efficient.

These technologies necessarily collect, process and store customer data in ways and for purposes that we determine, and to provide these features and improvements to you, we must necessarily process this data as a controller. Acknowledging our status as a controller simply reflects the factual reality of our data processing practices. As a controller, we have more, not fewer, obligations under the GDPR – so you can rest assured we'll process it in accordance with our Data Stewardship Principles and take the protection of your data very seriously.

If you are currently using our payroll or TSheets services in the EU, we will be offering new data processing terms to satisfy your compliance obligations with regard to our processing of the personal data that we process on your behalf. Please look for an update to our terms in the near future.

While we do not execute outside agreements, we have terms that are reflective of the role that Intuit plays as either a controller or processor::

• If you are a QuickBooks customer, our Terms of Service set out our commitments to protect personal data when we provide these services to you. For these services, by virtue of being a controller, we are also directly subject to compliance with data protection laws such as the GDPR.
• If you are a Payroll or TSheets customer, we have additional terms in our Data Processing Agreement that apply. The Data Processing Agreement sets out your instructions to us and governs how we will process any personal information in connection with these services.
• If you are a customer based in a European Union country (excluding France), the European Union Standard Contractual Clauses have been incorporated into the applicable Terms of Service.

Intuit reserves the right to store and process your personal information in the United States and in any other country where Intuit or its affiliates, subsidiaries, or service providers operate facilities in accordance with and as permitted by applicable laws and regulations. Some of these countries may have data protection laws that are different from the laws of your country (and, in some cases, may not be as protective).

When we transfer, store or process personal information outside of your jurisdiction, we take appropriate safeguards to require that your personal information remain protected in accordance with this Privacy Statement and applicable law. We may use contracts or the European Commission approved Standard Contractual Clauses to help ensure your information is protected.

While Intuit is no longer able to rely upon the EU-U.S. and Swiss-U.S. Privacy Shield Framework as a valid mechanism to transfer European personal information to the United States, Intuit continues to comply with the obligations under the EU-U.S. and Swiss-U.S. Privacy Shield which demonstrates a serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals.

Intuit will continue to monitor and evaluate new data transfer mechanisms as they are developed to stay true to our long standing commitment to privacy.

The security of our products and personal information remains a top priority. We are committed to keeping your information safe and use a variety of methods to safeguard your information including but not limited to: implementing physical and logical access controls; performing background checks on our employees upon hiring; conducting risk and compliance assessments; regular testing of security controls; and providing security and privacy training to our employees.

The QuickBooks Online Database is ISO/IEC 27001:2013 certified. Also QuickBooks Online is assessed annually for PCI DSS compliance and is listed on the Visa Registry of Global Service Providers.

For more information about our approach to information security, please visit our Security Center.