MaritzCX GDPR Overview


Beginning May 25, 2018, the EU’s new privacy law takes effect across all EU member states. The General Data Protection Regulation (GDPR) aims to bring order to a patchwork of privacy rules across the EU and replaces the Data Protection Directive 95/46/EC.

If you would like to read the GDPR, please find it HERE.


GDPR is European legislation designed to harmonize data protection across the EU. It imposes new regulations for companies to protect consumers regarding data processing, access, and security, in addition to tougher enforcement for breaches of the rules.

GDPR was created to address six core principles (Article 5) for handling personal data.

Lawfulness, Fairness, and Transparency

Personal data should be processed lawfully, fairly and in a transparent manner.

Purpose Limitation 

Personal data should only be collected for specified, explicit and legitimate purposes and not processed beyond those purposes.

Data Minimization

Data should be limited to what is relevant, necessary and adequate to the purposes for which it is processed.


Collected data should be accurate and, where necessary, kept up to date.

Storage Limitation

Data should be kept in a form which permits identification of data subjects for no longer than is necessary to meet the defined purpose of the processing.

Integrity and Confidentiality

Information should be processed in a manner that ensures appropriate security of the personal data.

GDPR also addresses another principle referred to as Accountability.  This principle requires businesses to be able to demonstrate compliance with GDPR to regulatory authorities.  For example, MaritzCX must be able to show our process to manage requests from individuals regarding what data we may have about them, and provide an audit trail to evidence that the business took the proper actions.

GDPR contains several new protections and threatens significant penalties for non-compliance. In addition, there are new security, recordkeeping, access rights, and notification procedures that companies must implement to ensure compliance. Items of particular note include increased administrative requirements, and the need to provide the tools necessary to meet the numerous obligations on both controllers and processors.

MaritzCX and GDPR

MaritzCX is committed to meeting our legal and regulatory obligations.  Moreover, we take data privacy and security very seriously.  The core of our business involves the collection and dissemination of sales account data, which almost always includes personal data.  We are constantly working to ensure we collect, process, and share the data we deal with in a lawful, transparent manner.

To that end, we want to share some information about MaritzCX’s practices and procedures related to data collection and GDPR compliance.


The MaritzCX platform is packed with enterprise security features that make us the trusted platform for over 200 major companies. Our goal is to ensure the level of security for personal data is a) appropriate to the level of risk, and b) designed to protect the rights of individuals. To accomplish this, MaritzCX has implemented the following technical and organizational measures to keep personal data safe and satisfy the requirements of GDPR.

Role-Based Access that empowers users

The MaritzCX platform allows administrators to fully customize reporting and dashboards. This approach allows you to limit access based on least privilege and need-to-know without compromising your program goals.

Protection for Data in Transit and at Rest

MaritzCX provides encryption for all data in transit. For customers who desire additional protections, we offer encryption for data at rest.

Flexibility for Data Controllers who wish to Pseudonymize

Although MaritzCX serves as a processor, we can work directly with Controllers to anonymize individual fields or entire surveys. The combination of technology and services provides Controllers with the flexibility to adapt as your program needs change.

Audit logs for Controllers and Processors

As an enterprise solution, the MaritzCX platform offers built-in audit logs for Controllers with administrative access. In addition to those logs built into the platform, the MaritzCX Security and Operations teams continue to implement logging solutions that provide insights and alerts.

Easily Obtain Informed Consent and Transparency

The MaritzCX Platform includes a built-in feature for Controllers wishing to collect consent or inform users of their intentions following data collection. In addition, the MaritzCX Platform allows users to easily opt-out of data collection as required by GDPR.

Security and Privacy by Design

Our risk-based approach to security and operations allows the MaritzCX teams to establish priorities that balance security and privacy against feature development. This holistic approach helps ensure Enterprise CX Managers with a solution that meets both their CX Goals as well as the requirements of their internal security teams.

Formalized Policies and Comprehensive Procedures

As suggested by GDPR regulators, MaritzCX has strengthened its internal security program to meet a documented standard. Utilizing the ISO27001 Framework, MaritzCX has established comprehensive procedures that address Incident Management and Breach Notification rules as defined by GDPR.

Gold-Standard Third-Party Verification

In addition to technical features that support GDPR requirements, we have committed to outside verification of these controls. MaritzCX is currently seeking ISO 27001 certification by the end of 2018. As the gold standard for SaaS providers, ISO27001 has been identified by GDPR regulators as evidence of a mature program that lowers the overall risk related to data processing.

GDPR Contract Update

Both MaritzCX (processor) and its customers (controllers) are jointly and separately responsible for certain actions under GDPR. Therefore, the GDPR requires shared responsibility to protect an individual’s privacy rights. GDPR Article 28 requires that a contract be in place between a controller and a processor. For years, the MaritzCX [Terms of Service and Master Services Agreement] has provided the fundamental legal requirements and obligations regarding data ownership, confidentiality, processing responsibilities, security of data, breach notification, and more.

Sub-processors and MaritzCX: As an Enterprise solution, the MaritzCX team provides a comprehensive suite of services. While we have long-standing relationships with established suppliers, the majority of work is performed in-house. With only a few exceptions, customer data provided to MaritzCX as part of your program efforts is maintained solely by the MaritzCX team.

However, if a MaritzCX customer desires to update their agreement with MaritzCX with a GDPR-specific language, please email MaritzCX at

Privacy Commitment

MaritzCX has updated its privacy policy with GDPR-level protections applicable to our business.  Please take a moment to review the updated MaritzCX Privacy Policy to see all the ways in which we are working to protect and increase users’ privacy rights.

Data Transfer

EU-U.S. Privacy Shield. MaritzCX is certified under the Privacy Shield Framework set forth by the U.S. Department of Commerce regarding the collection, use, processing, and cross-border transfer of personal data from the EU to the United States. MaritzCX is committed to managing all personal data received from European Union EU member countries, in compliance with the requirements of the EU-U.S. Privacy Shield Frameworks. Under this Privacy Shield Framework, MaritzCX is responsible for the processing of personal data it receives and subsequently transfers to a third party. MaritzCX complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions. To learn more about these Privacy Shield Frameworks and to view the Maritz certification, please visit and search for the Maritz subsidiary or division.


  • Does MaritzCX treat work email addresses and business contact information as “Personal Data?”

    Personal data is defined by GDPR as “any information relating to an identified or identifiable natural person.” This broad definition covers work email addresses containing the business partner’s name or any business contact information tied to or related to an individual, such as the individual’s name, job title, company, business address, work phone number, etc. However, personal data does not include generic business names, business addresses, generic email addresses or any other general business information, as long as this information has not been linked to an individual.

  • Does MaritzCX comply with right to be forgotten requests?

    Only as directed by our clients as data controllers. GDPR indicates that people have a “right to be forgotten” in some situations, but that right is not absolute. Rather it only exists in the following six situations – many of which do not apply to personal data collected as part of an employment relationship.

    1.  Businesses must delete data upon request if data is no longer necessary.
    2. Businesses must delete data upon request if data was processed based solely on consent.
    3. Businesses must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights.
    4. Businesses must delete data upon request if data is being processed unlawfully.
    5. Businesses must delete data upon request if erasure is already required by law.
    6. Businesses must delete data upon request if it is collected from a child (under age 16) as part of offering an information society service.

    Even if a right to be forgotten request obligation is met, erasure should only be performed under the specific direction of the data controller.

  • Are companies always required to get opt-in consent from people before using their data?

    No. GDPR allows businesses to process personal data as long as any one of six situations applies:

    1. Consent. If a business obtains a data subject’s consent it generally is sufficient to allow the business to process the person’s data.
    2. Necessary to perform a contract. If a business collects personal information about a person as part of performing a contract, the business does not have to ask for consent separately. For example, if an individual visits an ecommerce site and orders food to be delivered to their home, the website operator is not required to ask the consumer for their consent to collect delivery information, transfer that information as necessary, or use that information to process an order.
    3. Necessary to comply with a legal obligation. If a business processes information about a person in order to comply with a legal obligation that is imposed on the business, it does not need that person’s consent to process the information. For example, if a bank is required to report suspicious financial transactions to government agencies charged with identifying money laundering, the bank does not have to ask its customers for their consent to collect, process, or transmit that information.
    4. Necessary to protect vital interests of a natural person. If an organization processes information in order to protect the “vital interests” of a person, it does not need to ask the person for their consent. For example, if a business collects the name of someone who has suffered an accident on their premises and their identity is transferred to render medical assistance it is not required to obtain the person’s consent.
    5. Processing is necessary for the performance of a task carried out in the public interest. If the purpose of processing information is to perform a task that is in the “public interest,” a business does not need that person’s consent.
    6. Processing is necessary for a legitimate interest pursued by a controller. If the purpose of processing is to further a legitimate interest of a data controller (such as to conduct direct marketing), the controller is required to ensure that its interests are not trumped by the interest of “fundamental rights and freedoms of the data subject.” If that is the case, a business does not need that person’s consent to process their personal data.
  • Does GDPR data breach notification provision cover the same type of data as United States data breach notification provisions?

    No. In the United States almost every state and federal territory has its own data breach notification law. In addition there are several federal breach notification laws with national applicability that apply to specific industry sectors. Almost all of the United States breach notification laws apply only to certain categories of sensitive information (such as Social Security Numbers, driver’s license numbers, health information, or financial account numbers).

    GDPR breach notification provision is far broader. It potentially applies to any data breach that involves “personal data.” That term is defined as including any information relating to an identified or identifiable person. As a result, theoretically a loss of personal data as harmless as a list of names could trigger a notification obligation in Europe, but would rarely if ever trigger a notification obligation in the United States

  • What does MaritzCX need in order to transfer data from an office in the EU to one of our offices or data centers in the United States?

    Before transferring personal data from the EU to the US, we must ensure that the appropriate safeguards in place. Existing appropriate safeguards include Standard Contractual Clauses (sometimes referred to as Model Clauses), certification to the Privacy Shield, or the implementation and approval of Binding Corporate Rules.

    Although MaritzCX is certified under the Privacy Shield, some clients require Standard Contractual Clauses to make such transfers. If Standard Clauses are desired or requested please contact the MaritzCX Law department for assistance.

  • Does MaritzCX have a Data Protection Officer?

    Yes. Businesses are required to appoint a DPO if the core activities consist of personal data processing which

    • Requires regular and systematic monitoring of individuals on a large scale; or
    • Is about special categories of data on a large scale and data relating to criminal convictions and offenses. ‘Special categories of data’ is the type of data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; genetic data, biometric data or data concerning health or sex life and sexual orientation.

    The customer experience data we collect and process is not generally described as a special category of data. Additionally, MaritzCX does not systematically monitor individuals. The law of member state Germany requires a data protection be appointed by organizations that process personal data  As a result, MaritzCX has appointed ActiveMind to serve as our Data Protection Officer.


Do not hesitate to contact us to find out more about these changes. You can speak with a MaritzCX representative by emailing:



See why MaritzCX was named a Leader for Employee Experience Management