ON24 and the GDPR

One of the most significant developments in privacy law worldwide has been the EU General Data Protection Regulation (GDPR), which was approved to replace the previous EU Data Protection Directive and took effect on May 25, 2018. The GDPR replaces the previous EU privacy regime – which included separate data protection laws in each of the EU Member States – with a single data protection law across the EU. The GDPR expands the privacy rights granted to EU individuals, and it places many new obligations on organizations that market to individuals in the EU or track or handle EU personal data, no matter where an organization is located. ON24 welcomes the GDPR as an important step forward in streamlining data protection requirements across the EU and as an opportunity for ON24 to deepen our commitment to data protection. Following Brexit, the UK adopted in its domestic law the GDPR, now known as the UK GDPR.

How ON24 is supporting its clients’ compliance with the GDPR and the UK GDPR

Compliance with the GDPR and the UK GDPR requires a partnership between ON24 and our clients in their use of our services. We are dedicated to helping our clients comply with the GDPR and the UK GDPR. Before GDPR took effect, we made enhancements to our products, systems, procedures, and documentation to help support ON24’s and our clients’ compliance with the GDPR. ON24 acts as a data processor for personal data that we process on behalf of clients through their use of ON24’s services. Companies that are subject to the GDPR and UK GDPR are required to have contracts with their data processors that contain certain terms and information. ON24 has a Data Processing Addendum to meet that requirement. It is tailored to address the unique aspects of ON24’s platform and services and reflects our data security procedures and data processing activities.

Once signed, your company will have terms in place with ON24 to cover transfers of EU and UK personal data that may occur through your company’s use of the ON24 webinar platform and other services.

ON24’s Data Processing Addendum, which includes the Standard Contractual Clauses issued by the European Commission in June 2021, and the International Data Transfer Addendum adopted by the UK Parliament and that came into force in March 2022, helps our clients by providing a recognized mechanism for transfers of EU and UK personal data from the EU and the UK into the U.S. You can review and download ON24’s GDPR- and UK GDPR-compliant Data Processing Addendum, which includes the Standard Contractual Clauses and the International Data Transfer Addendum, here.

To add the Standard Contractual Clauses to your existing ON24 contracts, or to update the Standard Contractual Clauses included in your existing ON24 contracts, please download and review ON24’s Standard Contractual Clauses Addendum located here.

We also have a GDPR/UK GDPR Frequently Asked Questions section in each of our Product Help Centers, which includes helpful information about the customizable options and controls available within the ON24 platform. Clients should contact their ON24 Customer Success Manager for more information and to access the FAQs.

EU and UK personal data

The GDPR and UK GDPR recognize several mechanisms for transferring EU and UK personal data from the EU and the UK to non-EU countries, and it also opens the door to the development of additional mechanisms going forward. Among these mechanisms are the Standard Contractual Clauses, together with the International Data Transfer Addendum

The Standard Contractual Clauses were designed by the European Commission to provide companies with a mechanism to comply with data protection requirements related to transferring personal data from the EU to non-EU countries. The International Data Transfer Addendum was adopted by the UK Parliament to address the transfer of personal data from the UK to non-EU countries post-Brexit.

You can review and download ON24’s GDPR- and UK GDPR-compliant Data Processing Addendum, which includes the Standard Contractual Clauses and the International Data Transfer Addendum, here.

Additional GDPR compliance actions

The following are some of the additional actions ON24 took to comply with the GDPR. These actions are also relevant to comply with the UK GDPR:

Reviewed our data processing activities and determined which data processing activities and systems are subject to the GDPR.
Conducted an assessment of our current activities and privacy program with regard to the GDPR, and inventoried and mapped our data processing activities, including global data transfers.
Reviewed and updated existing third-party service provider agreements to include GDPR-compliant data processing terms where necessary to comply with cross-border transfer obligations.
Identified which third-party service providers are subprocessors and expanded our onboarding process to identify new subprocessors in the future. ON24 subprocessors have implemented technical and organizational measures to ensure that their processing meets the requirements of the GDPR.
Implemented and updated policies and procedures to address privacy-by-design principles. As part of this, we assessed data processing activities and related risks and implemented practices and safeguards to mitigate such risks.
Updated our Platform Privacy Policy and Online Privacy Policy to further clarify ON24’s role and how we process personal information related to the ON24 platform and our website and website services.
Reviewed and updated IT security policies as well as other policies to ensure compliance with the GDPR.
Updated incident response procedures through which any security and privacy incidents are to be reported, investigated, and resolved.
Updated and expanded internal processes to accommodate data subject rights requests.

Any other questions?

Please feel free to email the ON24 privacy team at privacy@on24.com.

ON24 and the GDPR

PRODUCTS

RESOURCES

ON24

Contact