ON24 and the GDPR

GDPR: What ON24 Is Doing to Help Your Company and How We Are Preparing for Compliance

One of the most significant recent developments in privacy laws worldwide is the EU General Data Protection Regulation (GDPR), which was approved to replace the previous EU Data Protection Directive, and takes effect May 25, 2018. GDPR replaces the current EU privacy regime — which includes separate data protection laws in each of the EU Member States — with a single data protection law across the EU. GDPR expands the privacy rights granted to EU individuals, and it places many new obligations on organizations that market to, track or handle EU personal data, no matter where an organization is located. ON24 welcomes GDPR as an important step forward in streamlining data protection requirements across the EU and as an opportunity for ON24 to deepen our commitment to data protection.

What is ON24 doing to support its customers’ compliance with GDPR?

ON24 is here to help our customers in their efforts to comply with GDPR. Compliance with GDPR requires a partnership between ON24 and our customers in their use of our services. We have closely analyzed the requirements of GDPR and are working to make enhancements to our products, contracts, and documentation to help support ON24’s and our customers’ compliance with GDPR.

ON24 has updated its data processing addendum to incorporate GDPR-compliant terms that address the processing activities of ON24. Once signed, your company will have terms in place with ON24 to cover any transfers of EU personal data that may occur through your company’s use of the ON24 webinar platform and other services.

To review and download ON24’s GDPR-compliant Data Processing Addendum, please click here. Within the document, you will also find instructions for returning the signed addendum to ON24.

If your company has signed an older version of ON24’s data processing addendum, the new GDPR-compliant Data Processing Addendum will replace the older version.

Does GDPR prevent EU personal data from being transferred to ON24 and other companies in the U.S.?

Similar to current EU data protection law, GDPR recognizes several mechanisms for transferring EU personal data from the EU to the U.S., and it also opens the door to the development of additional mechanisms going forward. Among these mechanisms is the EU-U.S. Privacy Shield Framework.

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements related to transferring personal data from the EU to the United States. ON24 is a certified Privacy Shield company.

ON24’s Privacy Shield certification and GDPR-compliant Data Processing Addendum will continue to help our customers by providing a recognized mechanism for transfers of EU personal data from the EU into the U.S.

You can review ON24’s Privacy Shield certification here.

You can review and download ON24’s GDPR-compliant Data Processing Addendum here.

What else is ON24 doing to prepare for complying with GDPR?

The following are some of the additional actions ON24 is taking to comply with GDPR:

A. Reviewing our data processing activities to determine which data processing activities and systems are subject to the GDPR.

B. Conducting an assessment of our current activities and privacy program against GDPR, and inventorying and mapping our data processing activities, including global data transfers, in preparation for GDPR compliance.

C. Reviewing and updating existing third-party service provider agreements to include GDPR-compliant data processing terms where necessary to comply with cross-border transfer obligations.

D. Expanding our onboarding of new third-party service providers to include a review of personal information processed, and to identify those relationships for which formal data protection impact assessments (DPIAs) should be conducted.

E. Identifying and conducting any necessary DPIAs on data processing activities, where warranted.

F. Implementing and updating policies and procedures to address privacy-by-design principles. As part of this we are assessing data processing activities and related risks, and implementing practices and safeguards to mitigate such risks.

G. Updating our incident response program to address GDPR’s breach notification standard and requirements.

H. Amending and developing internal processes to address and accommodate expanded individual rights requests, including the rights to information, access, rectification, erasure, restricted processing, data portability, objection, and freedom from automated decision-making including profiling.

I. Adopting new tools to manage, document, and renew GDPR compliance requirements (e.g., DPIAs, Records of Processing, Data Subject Requests).

Any other questions?

Please feel free to email the ON24 privacy team at privacy@on24.com.