What You Need to Know

The EU General Data Protection Regulation (GDPR) became effective from May 25, 2018, and with it comes a legal obligation for your institution to formalize its personal data processing arrangement with OCLC. OCLC supports the strong data privacy and security principles emphasized by the GDPR and is committed to ensuring our relevant service offerings allow our customers to meet their GDPR obligations as data controllers.

As required by the GDPR, OCLC and customers must have a data processing agreement (DPA) in place for both: 1) services that are hosted in data centers and that process personal data and 2) services that allow for remote processing of personal information for support and maintenance purposes.

OCLC's DPA contains data processing provisions required by the GDPR; gives assurances regarding the protection of the personal data of your patrons, staff members, and others; and makes clear the respective roles and responsibilities we both have with respect to the personal data being processed.

Why OCLC's template?

To meet GDPR requirements, OCLC has prepared a pre-signed agreement designed specifically with the GDPR in mind and the type of processing activity that occurs through the use of OCLC products and services. If your institution's personal data is subject to the GDPR, a DPA is necessary.

Does OCLC transfer data outside the European Union?

• Yes. When personal data is transferred from the EU to OCLC in the United States (US), it is transferred pursuant to the standard contractual clauses document incorporated into the DPA. The standard contractual clauses is a form document, drafted and approved by the European Commission, which contains detailed obligations related to the protection of personal data that is transferred outside of the EU.
• It is legal under the GDPR to transfer data outside the EU, provided that the processors adhere to the necessary data protection regulations. When personal data is transferred from the EU to OCLC in the US, it is transferred pursuant to the standard contractual clauses, which satisfies these regulations.
• OCLC is not registered under the EU-US Privacy Shield; it not eligible because it is a non-profit entity. OCLC instead relies on the standard contractual clauses for personal data transfers from the EU to the US.

What products does the DPA apply to?

The DPA applies to any of the hosted and non-hosted products and services provided by OCLC in the EU.

Who is the customer in the DPA?

The institution is the customer as well as the controller of the personal data being processed. OCLC is the processor. The customer may submit personal data to/through OCLC's products (called "covered services" in the DPA) and may request that individual users of the covered services (known as "data subjects") submit personal data to the covered services, the extent of which is determined and controlled by the customer.

Why do we require a DPA if the service is hosted by the institution?

Personnel of OCLC, due to expertise or availability, may be required to provide remote support or maintenance as requested by the customer. The extent of these remote services is dependent upon the system and the support requested by the customer. These services are covered by OCLC's standard contractual clauses.

What kind of personal data is being processed?

• The personal data processed by OCLC may concern the following categories of data subjects:
  • Authorized patrons of the customer's library services
  • Customer employees who are authorized to use the covered services
  • Customer's suppliers of library resources
  • For customers using course reserves, instructors whose courses are included in course reserves
• The type of personal data submitted by the customer may include:
  • Names
  • Job titles (for employees)
  • Contact information (including physical addresses, telephone numbers, fax numbers, and email addresses)
  • Unique identifiers, whether assigned by the customer or the processor (e.g., patron ID numbers and barcodes, employee ID numbers)
  • Usernames and passwords
  • Patron attributes (e.g., date of birth, gender, department, patron type)
  • Photographs (via URL)

What are OCLC's incident response policies?

• Under the GDPR, processors are obligated to notify a controller "without undue delay" after becoming aware of a personal data breach. Therefore, OCLC's DPA states it will do so.
  • This is a commonly misunderstood term within the GDPR. Any more specific timeline requiring the processor to report a breach to the controller actually imposes risk on the controller, because under the GDPR, the controller has only 72 hours from becoming aware of the breach to reporting the breach to the relevant authorities.

What are OCLC's audit policies?

• Under the GDPR, controllers have a right to audit processors to ensure compliance. Therefore, OCLC's DPA states that the customer may engage, at its cost, a third-party auditor to inspect OCLC's policies and records to ensure compliance. OCLC asks for one month's written notice of an audit, and the chosen auditor must sign a non-disclosure agreement. OCLC will also provide relevant third-party certifications on request, such as ISO certifications, in order to demonstrate compliance.

Data Processing Agreements