Last updated - July 17, 2023
RRD DATA PRIVACY POLICY
RR Donnelley & Sons Company (RRD) and its worldwide subsidiaries (“RRD,” “we”, “our”)
including Precision Dialogue Marketing LLC, are committed to protecting your privacy. This
privacy policy applies to data we collect when you use our websites and other online products,
mobile applications, and services that link to this privacy policy (collectively, the "Services") or
when you otherwise interact with us. There are various ways that you might interact with RRD,
and the data you provide when doing so allows us to improve our services. By using this
website (“Site”) and by supplying your details to RRD, you consent to RRD collecting and
processing your data.
This privacy policy explains:
- What data we collect, and why we collect it
- How we use that data
- How we protect that data
- How you can control your data, including accessing, updating and deleting what we store
- How we share or sell data collected
Data We Collect, Share and Sell
RRD may collect or record basic personal data (e.g., name, e-mail address, mailing address,
phone number) which you voluntarily provide through forms on our Sites, through social media,
subscription to our email alerts, electronic mail you send to us, or through other means of
communication between you and RRD.
RRD only collects personal data of a more sensitive nature (e.g., social security or other
governmental ID numbers, credit card details, account numbers and audio/video recordings)
where it is appropriate or necessary for conducting business. RRD will only collect and sell
additional sensitive information (e.g., Demographic Information) that you voluntarily provide
with explicit consent through participation in our Opinion Center. This data will be collected, stored, accessed and processed in a secure manner. RRD may also collect general non-personal data pertaining to users of our sites, including IP addresses, source domain names, specific web pages, length of time spent, and pages accessed. This data is collected, among other things, to aggregate statistical data, facilitate system administration and improve the Site.
RRD also collects, uses, and discloses identifiable data about individual contacts for RRD’s
customers (“Business Contact Data”) in the ordinary course of its business for managing and
maintaining customer relationships. In particular, RRD may obtain the following types of Business Contact Data: name, address, invoice data including bank account data, and order data. Unless otherwise specified or prohibited, RRD may share data with affiliates, business
partners, service providers, subsidiaries or contractors who are required to provide you with
services which you have requested from us.
RRD may also post links to third party websites as a service to you. These third-party websites
are operated by companies that are outside of our control, and your activities at those
third-party websites will be governed by the policies and practices of those third parties. We
encourage you to review the privacy policies of these third parties before disclosing any data,
as we are not responsible for the privacy policies of those websites.
RRD Employee Information:
With regard to RRD employee data, RRD collects employee data only for legitimate business
purposes, including:
- Carrying out obligations under employment contracts and employment, tax and benefits laws, and in connection with other working relationships or arrangements
- Employee communications, including development and training programs
- Maintaining a global employee directory
- HR activity including:
  - Managing employee compensation and performance
  - Managing employee hiring (including background checks, reference checks) and employee terminations
  - Voluntarily obtaining employee personal data about family members, including emergency points of contact
- RRD Help Desk activity, including audio recordings
- Physical Security based video recordings
Employee information on health, performance evaluations and other sensitive employee
matters, whether it is stored manually or electronically, is accessible by other RRD employees
only if necessary with respect to legitimate human resource functions or issues. Additionally,
employee personal/family information is never sold, leased, or rented to any third party. RRD will obtain affirmative consent from an employee before using such employee’s personal data
for any purpose other than described above.
Employee personal data will never be disclosed to third parties except as follows:
- To those retained by RRD as agents for the purposes of providing requested services to RRD
- Where required pursuant to an applicable law, governmental or judicial order, law or regulation, or to protect the rights or property of RRD
- Where the employee voluntarily provides personal data and the context makes it clear that such data will be provided to a third party.
Where human resource data is transferred from the EU to the US in the context of the
employment relationship, RRD will cooperate in investigations by, and comply with the advice
of, the appropriate EU authorities.
How We Use Data
RRD uses the data we collect to provide you with services which you request and to improve
our existing services and the content of our Site. When you contact RRD, we may keep a record
of your communication to help solve any issues that you might be facing. Depending on the
country in which you live, work or access our Site(s), your data may be retained for a
reasonable time for use in future contact with you, or for future improvements to RRD services.
In the event the data you provide to us is an application for employment, that application will
be held in accordance with our HR records management policy. You have the option to opt-out
or opt-in for further communications from RRD.
RRD may also use or disclose your personal data when RRD believes, in good faith, that such
use or disclosure is reasonably necessary to (i) comply with law, (ii) enforce or apply the terms
of any of our user agreements, or (iii) protect the rights, property or safety of RRD, RRD users,
or others. RRD reserves the right to transfer and disclose your data if RRD becomes involved in
a business divestiture, change of control, sale, merger, or acquisition of all or a part of its
business.
Web User Tracking – Use of Cookies
Cookies are a technology that can be used to help personalize your use of a website. A cookie is
an element of data that a website can send to your browser, which may then store it on your
system. You can set your browser to notify you when you receive a cookie, giving you the
chance to decide whether to accept it or decline at any time. To enable RRD to assess the
effectiveness and usefulness of this Site, and to give you the best user experience, we collect
and store data on pages viewed by you, your domain names and similar data. Our Site makes
use of anonymous cookies for the purposes of:
- Completion and support of Site activity;
- Site and system administration;
- Research and development;
- Anonymous user analysis, user profiling, and decision-making.
In addition, in certain external facing RRD applications and geographical regions, you can accept
or decline the use of 3rd party cookies based on your personal preferences.
Please note that when visiting our sites, RRD does not support “Do Not Track” settings with
respect to browser or mobile applications.
Security
The security of your personal data is important to us. We follow generally accepted industry
standards to protect the personal data submitted to us, both during transmission and once we
receive it.
RRD uses reasonable measures to safeguard personally identifiable data, which measures are
appropriate to the type of data maintained, and follows applicable laws regarding safeguarding
any such data under our control. In addition, in some areas of our Sites, RRD may use
encryption technology to enhance data privacy and help prevent loss, misuse, or alteration of
the data under RRD’s control. RRD also employs industry-standard measures and processes for
detecting and responding to inappropriate attempts to breach our systems.
Monitoring and Enforcement
RRD regularly reviews our compliance with our privacy policy. We also adhere to several
self-regulatory frameworks in addition to complying with applicable law. If we receive formal
written complaints, we will follow up with the person making the complaint. We work with the
appropriate regulatory authorities to resolve any complaints that cannot be resolved directly.
Compliance
RRD adheres to US and other international regulations such as:
- Personal Information Protection and Electronic Document Act (PIPEDA)
- General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (for the purposes of Article 3(2) of that Regulation).
- ePrivacy Directive (ePD) - Privacy and Electronic Communications Directive (2002/58/EC) Directives (as amended)
- California Consumer Protection Act - AB-375 (CCPA)
Consistent with the spirit of International Privacy Regulations, RRD aims to resolve complaints
about our collection or use of your personal data at no cost to the individual. However, as
permitted by applicable Privacy Regulations, RRD reserves the right to seek compensation for
requests that are unfounded, impose an excessive burden or have a repetitive character.
PIPEDA (Canada)
RRD recognizes and has controls in place to ensure that the privacy of personal data about an
"identifiable individual" used in the course of "commercial activity" is protected and managed
in such a manner which meets or exceeds the guidelines set out in PIPEDA and applicable
provincial legislation.
GDPR and the Standard Contractual Clauses (European Union, Switzerland and United
Kingdom)
RRD uses Standard Contractual Clauses (SCCs) and internal assessments to ensure that
appropriate data safeguards can be used as a ground for data transfers from the EU,
Switzerland, and UK to third countries. These clauses have been “pre-approved” by the
European Commission under the GDPR for data transfers from controllers or processors in the
EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the
EU/EEA (and not subject to the GDPR).
RRD may obtain in the US the following types of EU, UK and Swiss information: name, address,
invoice information including bank account information, and order information (“EU, UK and
Swiss Business Contact Information”). RRD uses EU, UK and Swiss Business Contact Information
for the following purposes: managing customer relationships, managing orders, tracking
payments and ensuring payment, and otherwise maintaining the customer relationship. RRD
may disclose EU, UK and Swiss Business Contact Information to its affiliates, subsidiaries,
business partners, and service providers for the purposes listed above.
In situations where RRD discloses (i.e., onward transfers) EU, UK and Swiss Business Contact
Information to any third parties acting as service providers or “agents” on behalf of RRD, RRD
will require the recipient to protect the disclosed EU, UK and Swiss Business Contact
Information in accordance with the Standard Contractual Clauses, or otherwise take steps to
ensure that the EU, UK and Swiss Business Contact Information is appropriately protected. With
respect to any sharing of EU, UK and Swiss Business Contact Information for the purposes of
marketing RRD products and services, RRD obtains guarantees from its affiliates, subsidiaries
and business partners that such entities will use and disclose such EU, UK and Swiss Business
Contact Information for purposes of marketing RRD products and services only. In cases of onward
transfer of EU, UK or Swiss Business Information to third parties pursuant to Standard
Contractual Clauses, RRD is potentially liable in the event of an improper disclosure. In certain
situations, individuals may seek to opt-out of disclosures of their EU, UK and Swiss Business
Contact Information by contacting RRD as specified in the “Contacting RRD” section below.
RRD takes appropriate technical and organizational measures to safeguard EU, UK and Swiss
personal data against unauthorized or unlawful processing of, or accidental loss, damage,
misuse, unauthorized access, unauthorized disclosure, unauthorized alteration, or destruction,
and maintains reasonable procedures to help ensure that such information is relevant for its
intended use, accurate, complete, current and not excessive and that such information is not
retained longer than is reasonably necessary.
With respect to personal data received or transferred pursuant to the Standard Contractual
Clauses, RRD is subject to the regulatory enforcement powers of the United States Federal
Trade Commission. In certain situations, RRD may disclose EU, UK and Swiss personal data as
necessary in connection with the sale or transfer of all or part of its business, where required or
permitted by law, where RRD believes that such disclosures are appropriate in connection with
a law enforcement request or as otherwise permitted by the Standard Contractual Clauses, or
in order to investigate, prevent or take action regarding illegal activities or suspected fraud or in
order to comply with, enforce or apply RRD agreements.
While RRD has certified its adherence to and continues to comply with the EU-US Privacy Shield
framework, RRD no longer relies on Privacy Shield as a legal basis for cross-border transfers of
personal data from the EU to the US, and instead utilizes SCCs and internal assessments for
such transfers, as described above.
European Union, UK and Swiss individuals with inquiries or complaints regarding our Privacy
policy should contact the RRD Privacy point of contact at DataPrivacy@rrd.com. RRD will
respond to your inquiry within 45 days.
In the event of a reported complaint that RRD does not resolve itself, RRD commits to
cooperate with the EU Data Protection Authorities (DPAs) and the Swiss Federal Data
Protection and Information Commissioner (FDPIC) and comply with the advice given by the EU
DPA panel or Swiss Commissioner with regard to human resource and non-human resource
data transferred from the EU, UK and Switzerland to RRD in the United States (US).
Data Processor Activities
RRD operates as a data processor for our business customers located in the US, EU, UK and
other geographic locations worldwide. RRD’s business customers remain the data controllers
with respect to any Customer data that they provide to RRD for our provision of services. RRD
therefore acts in accordance with the instructions of such customers regarding the collection,
processing, storage, deletion and transfer of Customer data, as well as other matters such as
the provision of access to and rectification of this Customer data.
Children’s Online Privacy Protection – COPPA
RRD does not sell its services to children. As such, our Sites are designed for adult user
interaction. We do not intentionally collect personally identifiable data from children under the
age of 13.
Accessing and Updating Your Personal Data
If you have provided RRD with your personal data you have various rights:
- If you are a consumer based in California, US (and to the extent the CCPA applies to you), and where we control your data, you have the right, once your request has been verified:
  - To request disclosure of personal information collected about you
  - (in certain circumstances) to the deletion of your personal data
  - (where applicable) to the right to opt-out of the selling of your personal data
  - To the right of nondiscrimination for exercising your rights
  - A summary of 2020 CCPA request metrics can be found here.
- Where the above does not apply to you, you may have the right to inspect the data stored by us for accuracy, or may request that the data be removed from our files. RRD will make a reasonable effort to comply with such requests except where it would require a disproportionate effort (for example, developing a new system or changing an existing practice). We will require that you verify your identity before we act on a request to edit or remove your data. Please direct any questions about your data to RRD by sending an inquiry to the appropriate contact in the “Contacting RRD” section below.
Changes to this Privacy Policy
RRD may change this privacy policy from time to time. If this privacy policy changes, the revised
privacy policy will be posted at the “Privacy Policy" link on the Site’s home page. Your continued
use of the Site constitutes acceptance of such changes in the privacy policy, except where
further steps are required by applicable law.
Contacting RRD
In North America, the EU, UK and the rest of the world excluding The Philippines, questions
regarding RRD’s Privacy Policy, including access and deletion requests, should be directed to
RRD at dataprivacy@rrd.com or by calling 1-877-RRD-4411.
In the Philippines, please direct questions to the Data Protection Officer - Philippines at
DataPrivacyPH@rrd.com.