OCLC's Response to the General Data Protection Regulation

Last Revised: 21 June 2019

In May 2018, the General Data Protection Regulation (GDPR) went into effect for the European Union (EU). OCLC is committed to supporting our partners and customers by proactively reviewing practices and products with a GDPR lens and taking ongoing action as appropriate. What's more, we have initiated formal GDPR projects and other activities specifically focused on our products to help libraries meet GDPR obligations.

Responsibility for GDPR compliance involves different activities on the part of data controllers (in this case, OCLC's customers in general) and data processors (OCLC). The information below is meant to provide insight into OCLC's response to the GDPR and a customer's role in the compliance process.  

Note: The information below does not constitute legal advice. If you have any specific questions as to how the GDPR impacts your institution's relationship with OCLC, please contact the OCLC data protection officer at [email protected].

Articles

OCLC's Response to the Articles

Article 1: Subject Matter and Objectives

Article 1 highlights the objectives of the GDPR, which include protection of personal data and the free movement of personal data.

OCLC respects people's fundamental rights and freedoms and has in place protections for the processing of personal data, including the personal data of library staff members and patrons. OCLC analyzes data transfers both within the EU and outside the EU.

Article 2: Material Scope

The processing of personal data, in whole or in part, by automated means can fall within the scope of the GDPR under Article 2.

OCLC processes personal data that can be within the scope of processing described in Article 2. OCLC's products are used by libraries to manage their operations. OCLC receives the personal data of staff members and patrons from libraries.

Article 3: Territorial Scope

Article 3 describes situations during which the GDPR applies. It applies to companies with an establishment in the EU and outside the EU in the context of the activities of the EU establishments. Further, the GDPR can apply to companies without an establishment in the EU when they offer goods or services to people in the EU or monitor those people's behavior.

The GDPR applies to OCLC. OCLC has establishments in the EU, including our EU headquarters in the Netherlands. OCLC has non-EU activities supporting EU establishments that are also subject to the GDPR.

Article 4: Definitions

Article 4 defines 26 terms, including personal data, processing, controller, and processor.

Generally, as between OCLC and a library, the library is the controller under the GDPR with respect to the handling of personal data of its staff members and patrons. OCLC is then a processor for the library when providing products.

Article 5: Principles Relating to the Processing of Personal Data

Article 5 sets out the principles of data processing, including lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

Generally, the library will be in the position of making these determinations in its relationship with its patrons and staff members. For example, the library would determine what data to collect from its patrons in order to offer library services, the lawful basis of processing the data, and how to provide a privacy notice to the patrons in order to be transparent about the library's use of the data.

In many instances, however, OCLC products may be able to help a library fulfill its obligations with respect to these principles. For example, the applicable OCLC product may allow the library to display a privacy notice drafted by the library.

Article 6: Lawfulness of Processing

Article 6 provides the various lawful bases of processing personal data, such as consent of the data subject or necessity for the purposes of the legitimate interests of the controller.

As the controller, the library determines the lawful bases for the processing of personal data of its patrons and staff members. OCLC's processing, as a processor for the library, would be performed at the direction of the library as described in the applicable contract between the library and OCLC.

Articles 7 and 8: Conditions for Consent; Conditions Applicable to Child's Consent in Relation to Information Society Services

Article 7 describes what is required for consent when this is the lawful basis of processing.

Article 8 expands upon the consent requirements in Article 7 with respect to children.

As the controller, the library is responsible for complying with Articles 7 and 8, as applicable, when consent is the lawful basis for the processing of patron or staff member data.

Article 9: Processing of Special Categories of Personal Data

Article 9 describes personal data that are illegal to process unless an exception applies.

While libraries determine whether to process special categories of personal data, OCLC discourages the collection and storage of these data in OCLC products by our customers. Collection and storage of these data are not necessary for the use of OCLC products.

Article 10: Processing of Personal Data Relating to Criminal Convictions and Offences

Article 10 address the processing of personal data relating to criminal convictions and offenses.

Like the special categories of personal data described in Article 9, these personal data are not required for the use of OCLC's products. OCLC discourages the collection and storage of these data in OCLC products.

Articles 11 and 12: Processing which Does Not Require Identification; Transparent Information, Communication, and Modalities for the Exercise of Rights of the Data Subject

Article 11 contains laws related to the controller's identification of data subjects, including in relation to data subjects exercising rights afforded under the GDPR.

Article 12 contains laws about the controller providing information to data subjects, including the deadlines for responding to requests from data subjects.

As the controller, it is the library's responsibility to comply with Articles 11 and 12 in its relationships with its patrons and staff members.

OCLC receives requests from data subjects, requests information when needed to validate identity, and evaluates what OCLC's role is with respect to the data subject.

When OCLC is a controller, OCLC has processes in place for the handling of requests in accordance with the requirements of Article 12.

If OCLC determines it is a processor, OCLC directs the data subject to place the request with the controller.

Articles 13 and 14: Information to be Provided where Personal Data Are Collected from the Data Subject; Information to be Provided where Personal Data Have Not Been Obtained from the Data Subject

Articles 13 and 14 provide specific requirements to be provided to data subjects.

When acting as the controller with respect to data subjects, OCLC provides appropriate notice. For example, OCLC publishes a privacy notice on OCLC.org.

With respect to library patrons and staff members, the library is the controller and should provide privacy notices that meet the requirements of Articles 13 or 14, as applicable. In addition to the processing performed by OCLC as a processor for a library, a library's notices would likely describe other processing performed by the library and performed by other processors for the library.

Articles 15 – 23: Right of Access by the Data Subject; Right to Rectification; Right to Erasure ("Right to be Forgotten"); Right to Restriction of Processing; Notification Obligation Regarding Rectification or Erasure of Personal Data or Restriction of Processing; Right to Data Portability; Right to Object; Automated Decision-Making Including Profiling; Restrictions

Articles 15 through 23 are laws associated with various rights of data subjects.

As the controller, it is the library's responsibility to comply with Articles 15 through 23, as applicable, in its relationship with its patrons and staff members.

OCLC receives requests from data subjects, requests information when needed to validate identity, and evaluates what OCLC's role is with respect to the data subject.

When OCLC is a controller, OCLC has processes in place for handling requests.

If OCLC determines it is a processor, OCLC directs the data subject to place the request with the controller.

Article 24: Responsibility of the Controller

Article 24 lists responsibilities of the data controller, including establishment of appropriate technical and organizational measures and data protection policies.

As the controller with respect to data of its patrons and staff members, the library is responsible for complying with Article 24.

Article 25: Data Protection by Design and Default

Article 25 requires controllers to implement data protection by design and default.

As the controller with respect to data of its patrons and staff members, the library would be responsible for complying with Article 25. OCLC has established formal GDPR projects and other activities focused on our products to help libraries meet these obligations. For example, OCLC has completed a project focused on enabling libraries to display privacy notices for certain products. OCLC is committed to continuing to evaluate our products and to make determinations on whether and how to improve them with respect to data protection by design and default considerations.

Article 26: Joint Controllers

Article 26 addresses arrangements between joint controllers.

OCLC would not typically be a joint controller with libraries. Libraries are the controllers, and OCLC is a processor.

Article 27: Representatives of Controllers or Processors Not Established in the Union

Article 27 is related to the territorial scope of the GDPR when the controller or processor is not established in the EU. When not established in the EU, the controller or processor must appoint a representative physically located in the EU.

OCLC has multiple establishments in the EU, and our European headquarters is located in the Netherlands.

Article 28: Processor

Article 28 sets forth obligations of both controllers and processors. Article 28 focuses heavily on the establishment of contracts to govern the processing by the processor and the establishment of contracts by that processor when engaging other processors.

As a processor for libraries, OCLC has developed data processing agreements for libraries to execute to meet the requirements of Article 28. These contracts are available in multiple languages. Further, OCLC has developed sub-processor agreements to sign when sub-processors are engaged by OCLC.

OCLC has made and continues to make efforts to identify libraries it believes are subject to the GDPR and to have those libraries execute data processing agreements. However, note that the requirement to execute this contract does directly apply to libraries subject to the GDPR. If a library is subject to the GDPR and has not executed a contract with OCLC, the library's representative should contact us immediately to receive a copy of the data processing agreement to sign.

Article 29: Processing Under the Authority of the Controller or Processor

Article 29 addresses processing by processors. Processors are not to process personal data except on the instruction of the controller.

The Article 28 contracts, described above, provide the instructions from the library, as controller, to OCLC for the processing of personal data.

Article 30: Records of Processing Activities

Article 30 is a record-keeping requirement with respect to the processing of personal data. There are requirements for both controllers and processors to maintain the records and to provide records to supervisory authorities when requested.

OCLC has created and maintains records of processing activities.

Article 31: Cooperation with the Supervisory Authority

Article 31 requires controllers and processors, on request, to cooperate with supervisory authorities in the performance of their tasks.

OCLC will cooperate with supervisory authorities when requested.

Article 32: Security of Processing

Article 32 contains obligations for controllers and processors to implement appropriate technical and organizational measures to ensure an appropriate level of security.

OCLC has implemented technical and organizational measures. These are described in the contracts required by Article 28. Additional information about OCLC's security is also available on our website.

Articles 33 and 34: Notification of a Personal Data Breach to the Supervisory Authority; Communication of a Personal Data Breach to the Data Subject

Articles 33 and 34 contain the obligations of controllers and processors with respect to a personal data breach notification.

As a processor, OCLC would notify a library of a related personal data breach under Article 33. This would occur without undue delay after becoming aware of a personal data breach. OCLC reviews incidents quickly and maintains a database of library contact information to help ensure that any required notifications can be made without undue delay. With respect to unavailability, OCLC also encourages libraries to review our System Status dashboard on our website.

Libraries, as controllers, would need to determine whether to notify supervisory authorities and data subjects.

Articles 35 and 36: Data Protection Impact Assessment; Prior Consultation

Articles 35 and 36 contain, in certain circumstances, obligations for controllers to conduct data protection impact assessments and to consult with supervisory authorities.

These are obligations of controllers; therefore, the obligations apply to libraries. OCLC is typically a processor for the libraries.

In instances in which OCLC is required to complete data protection impact assessments under the GDPR, OCLC has processes in place for their completion.

Article 37: Designation of the Data Protection Officer

Article 37 describes the instances in which controllers and processors must appoint data protection officers, including the ability for a group of undertakings to appoint a single data protection officer. The data protection officer must be appointed based on professional qualities, including expert knowledge of data protection law and practices.

OCLC has appointed a data protection officer for its various affiliates as a group of undertakings. The current officer holds three certifications from the International Association of Privacy Professionals, including both of the "GDPR Ready" certifications (CIPP/E and CIPM).

Articles 38 and 39: Position of the Data Protection Officer; Tasks of the Data Protection Officer

Articles 38 and 39 describe when the data protection officer is to be involved in issues, the data protection officer's independence, and the tasks of the data protection officer.

OCLC's data protection officer is assigned to fulfill the tasks of Article 39. Further, OCLC has established a privacy support team to help the data protection officer in the fulfillment of these duties and to help address local issues, as needed. OCLC is committed to ensuring the independence of its data protection officer. If a possible conflict is identified, OCLC's general counsel and data protection officer would discuss the possible conflict and work together to ensure that independence is maintained.

Articles 40 – 43: Codes of Conduct; Monitoring of Approved Codes of Conduct; Certification; Certification Bodies

These Articles are concerned with promoting associations and other bodies to create and adopt codes of conduct with respect to the GDPR.

OCLC is not currently involved in efforts to create codes of conduct.

Articles 44 – 49: General Principles for Transfer; Transfers on the Basis of an Adequacy Decision; Transfers Subject to Appropriate Safeguards; Binding Corporate Rules; Transfers or Disclosures not Authorized by Union Law; Derogations for Specific Situations

Articles 44 through 49 address various requirements associated with personal data transfers.

OCLC's headquarters is in the US. It has offices in many locations, including data centers in the Netherlands, US, Australia, and Canada. Transfers of personal data from the EU may occur.

With respect to transfers that require appropriate safeguards, these transfers are pursuant to standard data protection clauses as allowed in Article 46. OCLC executes standard data protection clauses with libraries when signing Article 28 contracts.

Articles 50 – 78: International Cooperation for the Protection of Personal Data; Supervisory Authority; Independence; General Conditions for the Members of the Supervisory Authority; Rules on the Establishment of the Supervisory Authority; Competence; Competence of the Lead Supervisory Authority; Tasks; Powers; Activity Reports; Cooperation between the Lead Supervisory Authority and Other Supervisory Authorities Concerned; Mutual Assistance; Joint Operations of the Supervisory Authorities; Consistency Mechanism; Opinion of the Board; Dispute Resolution by the Board; Urgency Procedure; Exchange of Information; European Data Protection Board; Independence; Tasks of the Board; Reports; Procedure; Chair; Tasks of the Chair; Secretariat; Confidentiality; Right to Lodge a Complaint with a Supervisory Authority; Right to an Effective Judicial Remedy against a Supervisory Authority

Articles 50 through 78 contain rules regarding member states, their supervisory authorities, and the European Data Protection Board.

Article 79: Right to an Effective Judicial Remedy against a Controller or Processor

Article 79 describes the rights of data subjects to seek remedies. This may include court proceedings against controllers or processors where they have an establishment.

OCLC is a processor for libraries and could be subject to Article 79 with respect to a library's staff members and patrons. OCLC has establishments within the EU where court proceedings could occur.

Articles 80 and 81: Representation of Data Subjects; Suspension of Proceedings

These Articles of the GDPR relate to how complaints could be brought by data subjects and how courts could suspend proceedings.

Article 82: Right to Compensation and Liability

Article 82 describes how data subjects may seek compensation from controllers and processors.

Under Article 82, library staff members and patrons could pursue compensation directly against OCLC as a processor for the library. Article 82 and the contracts between OCLC and a library also allocate responsibilities between OCLC and each library.

Articles 83 and 84: General Conditions for Imposing Administrative Fines; Penalties

Articles 83 and 84 contain provisions allowing supervisory authorities and Member States to assess administrative fines and other penalties.

If OCLC as a processor for libraries were to infringe the GDPR's provisions applicable to processors, OCLC could be subject to assessments of fines or other penalties.

Articles 85 – 90: Processing and Freedom of Expression and Information; Processing and Public Access to Official Documents; Processing of the National Identification Number; Processing in the Context of Employment; Safeguards and Derogations Relating to Processing for Archiving Purposes in the Public Interest, Scientific or Historical Research Purposes or Statistical Purposes; Obligations of Secrecy

Articles 85 through 90 contain various requirements for and rights of Member States, such as reconciling the GDPR with rights of freedom of expression and allowing Member States to create more specific rules in the context of processing employment data.

Article 91: Existing Data Protection Rules of Churches and Religious Associations

Article 91 contains laws that apply to churches and religious associations.

Article 91 is not applicable to OCLC, as it is not a church or religious association.

Articles 92 – 99: Exercise of the Delegation; Committee Procedure; Repeal of Directive 95/46/EC; Relationship with Directive 2002/58/EC; Relationship with Previously Concluded Agreements; Commission Reports; Review of Other Union Legal Acts on Data Protection; Entry into Force and Application

These Articles address the operation and effectiveness of the GDPR.

The GDPR became effective on 25 May 2018.