One of the most significant developments in privacy law worldwide is the EU General Data Protection Regulation (GDPR), which was approved to replace the previous EU Data Protection Directive and takes effect on May 25, 2018. The GDPR replaces the previous EU privacy regime – which included separate data protection laws in each of the EU Member States – with a single data protection law across the EU. The GDPR expands the privacy rights granted to EU individuals, and it places many new obligations on organizations that market to individuals in the EU or track or handle EU personal data, no matter where an organization is located. ON24 welcomes the GDPR as an important step forward in streamlining data protection requirements across the EU and as an opportunity for ON24 to deepen our commitment to data protection.
How ON24 is Supporting its Clients’ Compliance with the GDPR
Compliance with the GDPR requires a partnership between ON24 and our clients in their use of our services. We are dedicated to helping our clients comply with the GDPR. We have made enhancements to our products, systems, procedures and documentation to help support ON24’s and our clients’ compliance with the GDPR. ON24 acts as a data processor for personal data that we process on behalf of clients through their use of ON24’s services. Companies that are subject to the GDPR are required to have contracts with their data processors that contain certain terms and information. ON24 has a Data Processing Addendum to meet that requirement. It is tailored to address the unique aspects of ON24’s platform and services and reflects our data security procedures and data processing activities.
Once signed, your company will have terms in place with ON24 to cover transfers of EU personal data that may occur through your company’s use of the ON24 webinar platform and other services.
To review and download ON24’s GDPR-compliant Data Processing Addendum, please click here. Within the document, you will also find instructions for returning the signed addendum to ON24.
We also have a GDPR Frequently Asked Questions section in each of our Product Help Centers, which includes helpful information about the customizable options and controls available within the ON24 platform. Clients should contact their ON24 Customer Success Manager for more information and to access the FAQs.
EU Personal Data
The GDPR recognizes several mechanisms for transferring EU personal data from the EU to the U.S., and it also opens the door to the development of additional mechanisms going forward. Among these mechanisms is the EU-U.S. Privacy Shield Framework.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements related to transferring personal data from the EU to the United States. ON24 has certified to the EU-US Privacy Shield program.
ON24’s Privacy Shield certification and GDPR-compliant Data Processing Addendum helps our clients by providing a recognized mechanism for transfers of EU personal data from the EU into the U.S.
ON24 is also opening an EU data center. While neither the GDPR nor EU data protection law requires EU personal data be hosted in the EU, ON24 recognizes that EU hosting is important to some of our clients. We are working to provide our clients with this option and are targeting an early 2019 opening.
You can review ON24’s Privacy Shield certification here.
You can review and download ON24’s GDPR-compliant Data Processing Addendum here.
Additional GDPR Compliance Actions
The following are some of the additional actions ON24 has taken to comply with the GDPR:
A. Reviewed our data processing activities and determined which data processing activities and systems are subject to the GDPR.
B. Conducted an assessment of our current activities and privacy program with regard to the GDPR, and inventoried and mapped our data processing activities, including global data transfers.
C. Reviewed and updated existing third-party service provider agreements to include GDPR-compliant data processing terms where necessary to comply with cross-border transfer obligations.
D. Identified which third-party service providers are subprocessors and expanded our onboarding process to identify new subprocessors in the future. ON24 subprocessors have implemented technical and organizational measures to ensure that their processing meets the requirements of the GDPR.
E. Implemented and updated policies and procedures to address privacy-by-design principles. As part of this we have assessed data processing activities and related risks and implemented practices and safeguards to mitigate such risks.
G. Reviewed and updated IT security policies as well as other policies to ensure compliance with the GDPR.
H. Updated incident response procedures through which any security and privacy incidents are to be reported, investigated, and resolved.
I. Updated and expanded internal processes to accommodate data subject rights requests.
Any other questions?
Please feel free to email the ON24 privacy team at email@example.com.