OverDrive and the GDPR
The General Data Protection Regulation (GDPR) is a data protection law that goes into effect on 25 May 2018. It applies to all organizations that collect and/or process personal data of individuals located in the European Union.
Does the GDPR apply to OverDrive?
Yes, OverDrive serves library patrons, students, and other users in the EU. OverDrive is committed to GDPR compliance.
Is OverDrive a Controller or Processor under GDPR?
OverDrive functions as the Controller of personal data because it “determines the purposes and means of data processing” for data collected by its service. Certain personal data, such as an email address, may be submitted by a user directly to OverDrive. Other personal data, such as a cookie identifier or device identifier, may be collected by the OverDrive service during a user’s interaction with the service. OverDrive determines the purpose and legal basis for such data being collected by its service (e.g., an email address is required to place a hold on a title). It is important to note that OverDrive’s services have been designed to collect and process only the personal data that is necessary to provide the requested services to the user.
Additionally, as required of Controllers by GDPR, users can contact OverDrive directly to exercise their rights to personal data access, rectification, portability, objection, and erasure (see below for more information). OverDrive will respond to all requests within the GDPR-required 30-day timeframe.
What updates are happening in my OverDrive service?
Cookies are small data file identifiers that are transferred to a user’s device or web browser. They allow OverDrive to recognize the device or web browser when the user visits or uses OverDrive’s services. Generally, cookies are used to improve a user’s experience and monitor service performance. Commencing 25 May, a new Cookie Settings footer link will allow users to manage their cookie preferences.
Does OverDrive transmit data internationally?
Yes. OverDrive’s servers are located in the United States. As the US-EU Safe Harbor Framework has been declared invalid by the European Court of Justice, OverDrive has adopted Binding Corporate Rules (BCRs) to comply with data protection requirements when transferring personal data from the EU to the US. OverDrive, as a company owned by Rakuten, has adopted Rakuten’s BCRs. Rakuten’s BCRs were approved by the Luxembourg Data Protection Authority.
OverDrive will continue to monitor and evaluate GDPR compliance guidance supplied by regulatory bodies and others, and may adjust its GDPR compliance efforts if necessary.
If you have questions regarding this GDPR page, or about OverDrive’s GDPR compliance, please email OverDrive at firstname.lastname@example.org.