If personal data is hosted or processed by Xero outside the European Economic Area, the GDPR requires that it remain protected by appropriate safeguards in accordance with EU law. There are several ways Xero achieves this.

We use a third-party organization, BrightPay, to provide our payroll software. This includes BrightPay Connect, a self-service option that allows you and your employees to remotely access, view and manage your payroll data online 24/7.

GoCardless' position as a data controller is an advantage for our merchants. GoCardless assumes direct responsibility for the legal obligations related to the processing of personal data for our payment services. Your end customers have a direct legal relationship with GoCardless regarding the use of their personal data, which means they can exercise certain rights directly against us. The protection of our customers' data is fundamental to everything we do. To better understand our security practices, you can refer to our security pages:

While many organizations are already doing the right thing when it comes to personal data, the GDPR requires that organizations be able to document and demonstrate how they meet privacy requirements.
There are many aspects to the GDPR, but it really comes down to handling the personal data you process in a clear and ethical way: treating it as you would treat something valuable of your own. Here are some first practical steps you can take to comply with the GDPR:

We will retain your personal data for as long as we have a relationship with you, and for any later period during which we are required to retain it in accordance with our data retention policies and practices. At the end of this period, we will ensure that it is deleted or anonymized.

The GDPR has arrived and it is here to stay. We've worked hard to make sure we're ready (and yes, we're ready), but the hard work doesn't stop there.