Privacy and Data Security
Fiserv takes our obligations to preserve the privacy of data seriously. We maintain rigorous controls to manage the collection, use and disclosure of data in a manner consistent with our legal requirements, ethical framework and obligations to stakeholders.
Our global privacy programs are subject to privacy regulations around the world, including laws such as the Gramm-Leach-Bliley Act, various U.S. state privacy laws and regulations, the Health Insurance Portability and Accountability Act and the General Data Protection Regulations in the EU and the U.K. Fiserv uses a cross-functional team composed of compliance, technology, security and legal experts who work together to ensure customer and consumer data is managed and used appropriately and in compliance with internal policies and global privacy and data protection laws. Every Fiserv product, service and business process is expected to comply with the global privacy program and each is subject to regular risk assessments. The global privacy program includes controller and processor binding corporate rules adopted by Fiserv. These rules require Fiserv businesses to follow certain principles recognized by the EU to enable Fiserv to move personal data from Europe across our systems. The Fiserv binding corporate rules are reviewed and approved by EU regulators. Only a select number of companies have EU-approved binding corporate rules.
To further support our global privacy program, our Code requires every associate to maintain the confidentiality of all relevant data and adhere to the global privacy program. In addition, there is mandatory privacy training that must be completed by all new associates when onboarding and annually thereafter. We have also adopted a global data ethics framework which outlines ethical principles regarding how we use and manage data. Our data ethics framework enhances transparency and provides guidance to associates in their decision-making processes.
To investigate any privacy incidents, we have a dedicated Privacy Incident Management team. They are responsible for investigating all suspected privacy incidents globally. They ensure corrective action is taken as needed in accordance with all local regulatory rules and client commitments.
As a service provider, Fiserv handles data in accordance with our client agreements, privacy notices, and product- or service-specific disclosures made to our clients and customers.
From time to time, we receive requests from law enforcement and other governmental agencies for information. Our policy is to ensure that any such requests are being made on lawful grounds and, if so, to comply with such requests. Our legal team is responsible for handling and reviewing these requests.
Principles of the Data Ethics Framework
- We Know Our Data
- We Are Accountable for Our Handling of Data
- We Are Transparent in Respect of Data
- We Take Action to Uphold Our Data Ethics Framework