OverDrive User Login Manager Data Processing Agreement
This OverDrive User Login Manager Data Processing Agreement (“DPA”) applies to your use of OverDrive’s User Login Manager (“ULM”). This DPA applies to ULM only; it does not apply to any other OverDrive provided products or services.
In the course of providing the ULM services, on behalf of your library or school (“Institution”), OverDrive may process personal data of your patrons, students, or other authorized users (“Users”). OverDrive and Institution agree to comply with the following provisions with respect to any User Personal Data.
"Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
"Data Protection Laws and Regulations" means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data.
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Personal Data" means any information relating to a User. Institution may submit such information to ULM, including but not limited to the following categories: Barcode (e.g. library card number or student ID), PIN, Password, Branch Code, Status, Name, Address, Date of Birth, Graduation Year.
"Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
"Processor" means the entity which Processes Personal Data on behalf of the Controller.
"User" means the identified or identifiable person to whom Personal Data relates.
Provision of Personal Data
- Institution acknowledges and agrees that it 1) has the necessary rights to provide Personal Data to ULM, and 2) is uploading Personal Data to ULM for the sole purpose of allowing Users to access and check out digital titles from its collection.
- Institution, in its sole discretion, may allow authorized OverDrive personnel to perform the upload of Personal Data. In such an instance, Institution acknowledges and agrees that it has the authority to provide OverDrive personnel with such Personal Data and allow the upload of Personal Data on its behalf.
Processing of Personal Data
- The parties acknowledge and agree that with regard to ULM’s Processing of Personal Data, Institution is the Controller and OverDrive is the Processor.
- Institution’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Institution shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Institution acquired Personal Data.
- OverDrive shall treat Personal Data as confidential information and shall only Process Personal Data on behalf of and in accordance with Institution’s documented instructions where such instructions are consistent with the purpose and capabilities of ULM.
Rights of Users
- OverDrive shall, to the extent legally permitted, promptly notify Institution if OverDrive receives a request from a User to exercise the User's GDPR right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Taking into account the nature of the Processing, OverDrive shall provide commercially reasonable efforts to assist Institution by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Institution’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Institution, in its use of ULM, does not have the ability to address a Data Subject Request, OverDrive shall upon Institution’s request provide commercially reasonable efforts to assist Institution in responding to such Data Subject Request, to the extent OverDrive is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations.
- OverDrive shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and have received appropriate training on their responsibilities. OverDrive shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
- OverDrive shall take commercially reasonable steps to ensure the reliability of any OverDrive personnel engaged in the Processing of Personal Data.
- OverDrive shall ensure that OverDrive’s access to Personal Data is limited to those personnel performing services in accordance with ULM.
- OverDrive does not utilize the services of any sub-processors for the provision of ULM.
- OverDrive shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality, and integrity of Personal Data. OverDrive regularly monitors compliance with these measures. OverDrive will not materially decrease the overall security of ULM.
- OverDrive maintains security incident management policies and procedures and shall notify Institution without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise Processed by OverDrive of which OverDrive becomes aware (a “Personal Data Incident”). The notification of the Personal Data Incident to Institution shall be by email to the email address(es) selected by Institution within ULM. Institution is solely responsible for keeping this email address current. OverDrive shall make commercially reasonable efforts to identify the cause of such Personal Data Incident and take those steps as OverDrive deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within OverDrive’s reasonable control. The obligations herein shall not apply to incidents that are caused by Institution.
- OverDrive will Process Personal Data for the duration of Institution’s use of ULM. Upon Institution’s termination of use of ULM, or upon Institution’s written request, OverDrive shall return Personal Data to Institution and, to the extent allowed by applicable law, delete Personal Data.
European Specific Provisions
- OverDrive will Process Personal Data in accordance with the GDPR requirements directly applicable to OverDrive’s provision of ULM.
- Upon Institution’s request, OverDrive shall provide Institution with reasonable cooperation and assistance needed to fulfil Institution’s obligation under the GDPR to carry out a data protection impact assessment related to Institution’s use of ULM, to the extent Institution does not otherwise have access to the relevant information, and to the extent such information is available to OverDrive.
- OverDrive has adopted Binding Corporate Rules (BCRs) to comply with data protection requirements when transferring Personal Data from the EU to the US. OverDrive, as a company owned by Rakuten, has adopted Rakuten’s BCRs. Rakuten’s BCRs were approved by the Luxembourg Data Protection Authority.