Xerox Privacy Statement
This privacy statement covers the websites and applications of Xerox Holdings Corporation (“Xerox” or “we”) that include a link to this statement. This privacy statement also applies to Xerox’s marketing and advertising practices where and when it is referenced. It is meant to inform you about our collection and use of your personal data.
Personal Data We Collect
You may choose to give us personal data to allow us to communicate with you, process your orders, provide you with services, or for employment consideration. Data we collect depends on the context of your interactions with Xerox, the choices you make, including your privacy settings, and the products and features you choose. The personal data we collect can include the following:
Name and Contact Data. Your first and last name, email address, postal address, phone number and other similar contact data in order to communicate with you, process orders or provide you with products or services. We may also collect your employer name, if you are procuring products or services on behalf of an organisation.
Credentials. Passwords, password hints and similar security information used for authentication and account access.
Demographic Data. Data about you such as your country of residence and preferred language.
Payment Data. Data necessary to process your payment if you make purchases, such as your payment card number, expiration date, and the security code associated with your payment card.
Geolocation Data. We may collect data about your location, which can be either precise or imprecise. Precise location data can be obtained through Global Navigation Satellite System data, as well as through nearby cell towers and Wi-Fi hotspots when you enable location-based products or features. Imprecise location data includes, for example, a location derived from your device or data that indicates where you are located with less precision, such as an internet protocol (IP) address or a city or postal code.
Social Media Data. We may provide social media features that enable you to share information with your social networks. Your use of these features may result in the collection or sharing of information about you by the social networking site. Please review the privacy policies and settings of social networks you use to understand their practices.
Job Applications/CVs/Resumes. Professional, education and employment-related information on job applications/CVs/resumes which you provide to us if you submit a job application to Xerox either directly or indirectly, which may include sensitive personal data. Xerox uses this information in order to evaluate your application and perform related employment activities.
Feedback and Product Reviews. Information you provide to us and the content of messages you send to us, such as feedback and product reviews you write, blog posts or questions and information you provide for customer support. When you contact us via our website, a Xerox application or a Help Desk, such as for customer support, phone conversations or chat sessions with our representatives may be monitored and recorded. Your feedback, posts and reviews will be used to seek improvements in our products and services.
Website Browsing and Commercial Information. Information about your visits to our websites and your browsing patterns, including inferences drawn from this information. This may include information related to your prior purchases and online buying preferences or data about your device, including IP address, browser type, and regional and language settings. This is more fully described under the section entitled “Cookies, Web Beacons and Privacy Choices” below. We collect this information to determine such things as the number of visitors to various parts of our websites, to personalise your experience on our sites, and tailor our interactions with you.
Products. Certain Xerox products collect data, such as product registration, device serial number, meter reads, supply levels, equipment configuration and settings, software version, and fault codes. Xerox uses this information for product improvement, billing, report generation, supplies replenishment and support services.
Third Party Sources. We also obtain data from third-parties. These third-party sources vary over time, but they are sources deemed credible by us and may be publicly available or available on a commercial basis. They can include:
Data brokers from which we purchase demographic data to supplement the data we collect;
Social networks when you grant permission to a Xerox product to access your data on one or more networks;
Designated entities within your business or enterprise (such as a member of your IT department) in the course of providing services to you;
Partners with whom we offer branded services or engage in joint marketing activities. If you purchase Xerox services or products from a Xerox partner we may receive certain information about your purchase from that partner;
Fraud prevention agencies or credit reporting agencies in connection with credit determinations; and
Publicly available sources such as open government databases or other data in the public domain.
How We Use Personal Data
We collect and process personal data with your consent, as required by law, or as necessary to fulfill the legitimate interests or business purposes of Xerox, including to: (i) provide you with products and services; (ii) manage, administer and operate our business; (iii) meet our contractual and legal obligations; (iv) carry out direct marketing; (v) prevent fraud; and (vi) protect the security of our systems and our customers.
Xerox uses personal data to:
respond to your questions and communicate with you;
provide customer support;
share news, updates, or helpful tips about Xerox products and services;
enable online shopping;
inform you of special promotions and other advertising;
allow you to sign up for online services;
create reseller partnerships;
receive and evaluate job applications;
customise, analyse, and improve our products, services, technologies, communications and relationships with you;
deliver products and services requested by you;
notify you about administrative matters that pertain to your Xerox products or services; and
in the event of a merger or acquisition of Xerox or a substantial portion of its assets, disclose or transfer personal data to the surviving or acquiring party, respectively.
Personal data that is submitted in a business capacity may be merged with available business database directories.
How We Share Personal Data
We share your personal data as necessary for Xerox’s business purposes, to complete a transaction or provide a product or service you have requested or authorised. For example, when you provide payment data to make a purchase, we will share your payment data with banks and other entities that process payment transactions or provide other financial services, and with consumer reporting agencies for fraud prevention and credit risk reduction.
We share personal data among Xerox affiliates and subsidiaries to efficiently manage the operation of our business. We also share personal data with vendors or agents working on our behalf for the purposes described in this statement or in our contracts with you. For example, companies we've hired to provide customer service support or assist in maintaining or servicing business accounts or products via our systems and services may need access to personal data to provide those functions. In addition, we may share information with third parties for the joint offering of a product or service. In such cases, these companies are required by contract to abide by our data privacy and security requirements and are not allowed to use personal data they receive from us for any other purpose. We may also disclose personal data as part of a corporate transaction such as a merger or sale of assets.
Finally, we will transfer or disclose personal data when we have a good faith belief that doing so is necessary to:
Comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies;
Protect our customers, for example to prevent attempts to defraud users of our products, or to help prevent the loss of life or serious injury of anyone; or
Operate and maintain the security of our products, including to prevent or stop an attack on our computer systems or networks.
We do not sell your personal data to third parties.
Where We Process and Store Personal Data
Personal data collected by Xerox may be transferred to, stored and processed in your region, the United States, or any other country in which Xerox or its subsidiaries, affiliates, sub-contractors, agents or partners maintain facilities. Our subsidiaries, affiliates, sub-contractors, agents and partners are required by contract to safeguard any personal data they receive from us and are prohibited from using the personal data for any purpose other than to perform the services as instructed by Xerox. We also take steps to provide adequate protection for any transfers of your personal data in accordance with applicable law.
Our privacy guidelines are communicated to Xerox employees on an annual basis as part of our mandatory training program. We take steps to ensure that the data we collect under this privacy statement is processed according to the provisions of this statement and the requirements of applicable law wherever the data is located. Sometimes we transfer personal data from the European Economic Area and Switzerland to other countries. When we do, we use a variety of legal mechanisms, including Standard Contractual Clauses, to help ensure any required rights and protections apply to your data.
Clicking on videos on Xerox.com may (1) take you to a third party’s site to play the video, or (2) play the video on Xerox.com and this functionality may be supported by a third party’s site or technology (e.g., YouTube, YouTube API, or another third party site). In any such case, by playing the video you may become subject to the third party’s terms and conditions, including, but not limited to, its terms of service and policies on privacy and collection and use of your information. https://www.youtube.com/t/terms
EU-U.S. Privacy Shield
Commitment to Privacy Shield Principles. Through November 2020, Xerox Corporation certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, both of which were established by the U.S. Department of Commerce regarding the collection, use and retention of personal data transferred from the European Union and Switzerland, respectively, to the United States. The EU-U.S. Privacy Shield was recently invalidated by the Court of Justice of the European Union (“EU Court”). The Swiss-U.S. Privacy Shield remains in place, although for reasons similar to those cited by the EU Court, the Swiss DPA has opined that the U.S. does not provide an adequate level of protection for Swiss citizens. For more explanation on the adequacy of the protection of personal data transferred from the EU and Switzerland to Xerox in the U.S., see below under the headings “Schrems II” and “Transparency Report.” In anticipation of further developments from EU and Swiss data protection authorities as to a new framework for transfer of personal data of EU data subjects from the EU to the U.S., Xerox continues to comply in practice with the Privacy Principles of the aforementioned Privacy Shield Frameworks. In some cases, we rely on the GDPR Standard Contractual Clauses which contain requirements that are comparable to the Privacy Principles. Consistent with its commitment to the Privacy Principles, if third party agents process personal data on Xerox’s behalf in a manner inconsistent with the Privacy Shield Principles, we remain liable unless we prove we are not responsible for the event giving rise to the damage. If there is any conflict between the terms in this privacy statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. Similarly, Xerox continues its commitment to resolving complaints about our collection or use of personal data. EU and Swiss data subjects with inquiries or complaints regarding this privacy statement or Xerox’s collection or use of their personal data should first contact Xerox at: firstname.lastname@example.org and indicate “Privacy Shield Query” in the Subject line. Xerox also commits to cooperate with the panel established by the EU data protection authorities or the Swiss Federal Data Protection and Information Commissioner, as applicable, and to comply with the advice given by the panel or commissioner with regard to data transferred from the EU or Switzerland. Data subjects may also be able, under certain conditions, to invoke binding arbitration. The U.S. Federal Trade Commission has jurisdiction over Xerox’s compliance with the Privacy Shield.
Schrems II. Xerox is aware of the July 2020 Schrems II decision of the EU Court that invalidated the EU-U.S. Privacy Shield Framework, and the subsequent opinion of the Swiss DPA regarding the adequacy of the Swiss-U.S. Privacy Shield Framework. As stated above, Xerox continues to adhere to the Privacy Principles in its collection, use and retention of the personal data of EU and Swiss data subjects and to provide adequate security and protection for such data subjects and their personal data that is transferred to it in the U.S. The primary basis for the EU Court’s decision in Schrems II was its opinion that even taking into account the protections afforded by the EU-U.S. Privacy Shield, national security surveillance conducted by the U.S. federal government can take place without adequate protections for EU data subjects. The two specific authorities upon which the EU Court based its decision are §7022 of the Foreign Intelligence Surveillance Act (“FISA”) and Executive Order 12333 (“EO 12333”). Pursuant to these authorities, the U.S. government may obtain secret subpoenas or warrants, the targets of which may include EU data subjects.
Transparency Report. To the best of its knowledge, Xerox Holdings Corporation has never received or responded to any national surveillance subpoena or warrant under FISA or EO 12333. Based on this history and Xerox’s continued commitment to adhere to the Privacy Principles, EU and Swiss data subjects and our customers may have reasonable assurance that (1) Xerox Holdings Corporation is unlikely to receive a FISA or EO 12333 subpoena or warrant targeting the personal data of an EU or Swiss citizen, and therefore the concerns cited by the EU Court in Schrems II are unlikely to be implicated as to such personal data transferred to Xerox in the U.S., and (2) the personal data transferred to Xerox in the U.S. and the rights of EU and Swiss citizens are adequately protected consistent with the requirements of GDPR and the Swiss FADP.
Period of Storage
Xerox retains personal data for as long as necessary to provide the products and fulfill the services and transactions you have requested or for other essential purposes such as complying with our legal obligations, resolving disputes and enforcing our agreements. Actual retention periods can vary. The criteria used to determine the retention periods include: (i) how long personal data is needed to provide our products or operate our business; (ii) whether the personal data is of a sensitive type; and (iii) whether Xerox is subject to a legal, contractual or similar obligation to retain the data.
Your Privacy Rights
You have choices about the data we collect. When you are asked to provide personal data, you may decline. However if you choose not to provide data that is necessary to provide a product or feature, you may not be able to use that product or feature.
If the processing of personal data is based on your consent, you have a right to withdraw consent at any time for future processing;
Where applicable, you have a right to request from us, (i) access to and receipt of personal data, (ii) transfer of personal data, and (iii) rectification or deletion of your personal data;
You may also have a right to object to or restrict the processing of your personal data;
You have the right to object to direct marketing (you may unsubscribe at www.xerox.com/unsubscribe or via an ‘opt-out’ provided in the communication); and
You have a right to file a complaint with a regulator or data protection authority.
You may contact Xerox to check the accuracy of your personal data or to request that your information be updated or deleted by writing to email@example.com. Please indicate "Access" in the subject line and let us know the details of your request in the body of the message. Xerox reserves the right to confirm your identity and to modify the scope and number of requests. In certain cases, your request may be denied on the basis of a legitimate exception or where we are legally prevented from honouring such request.
Xerox does not direct any part of its website to children under 13 years old (or such age as a child is defined by local law if higher) and does not knowingly collect personal data from children or target its website or products to children. If we learn we have collected or received personal data from a child under 13 years old without verification of parental consent, we will delete the information.
Security of Personal Data
Xerox is committed to protecting the security of your personal data and maintains strict access control over it. We utilise reasonable and appropriate physical, technical and administrative procedures to safeguard personal information we collect and process. Only authorised Xerox personnel, and those of our subsidiaries, affiliates, agents, and partners are allowed to handle information collected by Xerox.
Xerox websites store personal data in password-protected environments on servers that are subject to Xerox's information security policies, standards, and procedures. We use a variety of security technologies and procedures to help protect your personal data from unauthorised access, use or disclosure. For example, we store the personal data you provide on computer systems that have limited access and are in controlled facilities. When we transmit sensitive personal data such as a password over the Internet, we protect it through the use of encryption.
To ensure that you can purchase with confidence from Xerox websites, Xerox protects credit card information submitted online with industry-standard encryption technology or tokenisation.
Our Agents and Partners Protect Personal Data
When you provide personal data to Xerox, it may be necessary to transfer personal data to our subsidiaries, affiliates, agents or partners, who then fulfill the orders or provide the services. Xerox requires that its subsidiaries, affiliates, agents and partners handle personal data with the same concern for personal data privacy as Xerox.
Cookies, Web Beacons and Privacy Choices
What is a Cookie?
Cookies are small text files that are placed on your computer or mobile device by websites that you visit. They are widely used in order to make websites work efficiently, as well as to provide information to the owners of the site. Cookies are useful because they allow a website to recognise your device, letting you navigate between pages efficiently, remembering your preferences, and generally improving your experience.
The cookie information that Xerox collects helps us track the number of visitors to our websites over time and determine whether these were new or repeat visits.
What is a Web Beacon?
A web beacon is an electronic image that can be used to recognise a cookie on your computer or other device when you view a web page or email.
How Does Xerox Use Web Beacons?
Xerox and our third party advertising partners may use web beacons on our websites, in our emails, and in our advertisements on other websites to measure the effectiveness of our websites and our advertising. For example, web beacons may count the number of individuals who visit our websites from a particular advertisement or the number of individuals who open or act upon an email message.
Can I Block Cookies and Web Beacons?
Links to Non-Xerox Websites.
Privacy Choices: How Does Xerox Use Interest-Based Advertising?
What Information Do Xerox Websites Collect for Interest-Based Advertising?
Can I Control the Interest-Based Advertising that Xerox Websites Collect About Me?
Yes, Xerox provides a tool to opt-out of data collection by companies.
Xerox may send commercial email to you advertising our products and services. You can also subscribe to various product and service-specific communications on our websites. If you receive commercial email from Xerox and wish to discontinue these mailings, you may unsubscribe at www.xerox.com/unsubscribe or via an ‘opt-out’ provided in the communication. You may also mail an unsubscribe request to:
Marketing Privacy Preferences Xerox Holdings Corporation Marketing Manager 27063 SW Canyon Creek Road, Building 63 MS 7063-630, Wilsonville, OR 97070
This unsubscribe option does not apply to communications primarily for the purpose of administering order completion, contracts, support, product safety warnings, software updates, or other administrative and transactional notices, the primary purpose of which is not promotional in nature.
Xerox commits to resolve complaints about your privacy and our collection or use of your personal data.
To report your inquiries or concerns to the Xerox Business Ethics and Compliance Office please contact the Xerox Ethics Helpline. The Xerox Ethics Helpline is confidential and anonymous, if you so desire, and is available online and via the toll-free number listed below.
Web Reporting: www.xeroxethicshelpline.com
US & Canada Toll-Free Number: 1-866-XRX-0001
You may also contact us via postal mail at:
Xerox Holdings Corporation Xerox Business Ethics and Compliance Office 201 Merritt 7 Norwalk, CT 06851-1056 USA
Xerox Limited is our representative for the European Economic Area and Switzerland:
Xerox Limited, Uxbridge Business Park, Building 4, Sanderson Road, Uxbridge, UB8 1DH
The Xerox subsidiary in your country or region can be found here.
If you have questions about Xerox products or services, call us toll-free at 1-800-ASK-XEROX or 1-800-275-9376. More contact information is available on www.xerox.com if you have questions about support, sales, corporate information, scholarships, research and innovation, or services.
Xerox reserves the right to make changes to this statement. If we make changes, we will revise this privacy statement to reflect such changes and revise the effective date of the statement.
Statement Effective Date: 24 December 2020.
What Was Revised in this Update? The section of this privacy statement entitled “EU-U.S. Privacy Shield” has been updated to describe Xerox’s current practices as to the transfer of personal data of EU and Swiss data subjects, to address concerns raised by the recent decision of the Court of Justice of the European Union in Schrems II, and to add a Transparency Report.