Support > The EU General Data Protection Regulation (GDPR) Overview

The EU General Data Protection Regulation (GDPR) Overview

The EU General Data Protection Regulation (EU GDPR) was created to protect all EU residents from privacy and data breaches. It went into effect May 25, 2018. This guide is provided for informational purposes only. It should not be considered as legal advice.

What is the GDPR?

The GDPR is a privacy law enacted by the European Commission in 2016. The GDPR replaces a prior EU privacy directive (Directive 95/46/EC). The regulation is a binding act, which must be followed in its entirety by all organizations who process EU residents' personal data, regardless of location. The GDPR is intended to modernize EU privacy data protection. The GDPR regulates how organizations gather, use and retain personal data. The GDPR will have an impact on all organizations involved in processing personal data of EU residents.

Personal Data: Any information that results in the identification of an individual. Personal data includes name and email address, data that is embedded in LISTSERV.

The GDPR applies to any organization regardless of where the data is processed. All organizations should determine whether they are processing personal data of EU residents. The GDPR also encompasses all industries and sectors.

What is new with the GDPR?

The GDPR has a broad impact. The following changes are particularly relevant to our customers:

1. Expansion of individual rights

EU residents will have important new rights under the GDPR, including:

Right to be forgotten: the right to require an organization to delete an individual's personal data without undue delay
Right to object: the right to prohibit certain data uses
Right to rectification: the right to require that incomplete data be completed or that incorrect data be corrected
Right of access: the right to know what data about the individual is being processed and how
Right of portability: the right to request that personal data held by one organization be transported to another organization

You, as a data controller, must accommodate these rights if you are processing the personal data of EU residents.

2. Stricter consent requirements

Organizations must ensure that consent is obtained for the use of personal data. Obtain consent from your subscribers for each different usage of their personal data. The surest route to compliance is to obtain explicit consent via the double opt-in subscription method built into LISTSERV and LISTSERV Maestro.

3. Stricter processing requirements

Individuals have the right to receive information about the processing of their personal data, including:

Data Controller contact details
Purpose of the data: Be as specific as possible. Consider what data you are collecting and why. Be prepared to justify this purpose to a regulator.
Retention period: This should be as short as possible.
Legal basis: You must have a legal basis for processing personal data. For example, an individual has consented, or the processing is necessary to the performance of a contract.

Review the GDPR in its entirety to ensure that you have a full understanding of its requirements.

Who must comply with the GDPR?

Consult your legal counsel regarding your compliance obligations. If your organization is in the European Union or your organization processes the personal information of EU residents, then the GDPR probably applies to you.

Are the responsibilities different for Controllers vs Processors?

If your organization accesses personal data, you do so in the role of either a controller or a processor. The obligations differ based on the role. A controller is the organization that determines the:

Purpose(s) and means of processing personal data
Specific personal data that is collected from an individual (subscriber)

If you administer or own a LISTSERV or LISTSERV Maestro list, you are a data controller. A processor is the organization that processes the data on behalf of the controller.

Controllers are responsible for the protection of personal data. Controllers must respond to subscriber inquiries about personal data use, personal data corrections, requests to be "forgotten" and requests for data transfer. Controllers have the obligation to report data breaches to the appropriate Data Protection Authority (DPA). L-Soft customers, using LISTSERV and LISTSERV Maestro, are responsible for EU resident's personal data.

L-Soft is a processor of personal data for its hosting customers (ListPlex and EASE). The LISTSERV and LISTSERV Maestro software distribute email messages and collect information based on the instructions of the hosting customer.

How will L-Soft support your organization's compliance with GDPR?

L-Soft software will help your organization respond to EU subscriber requests based on their rights, including:

Right to be forgotten: You (the controller) may remove individual subscribers from your list upon their request. In addition, if individual subscribers contact L-Soft directly to request deletion of their data from an individual account or across multiple accounts (if the subscriber is on more than one list), L-Soft will forward the pertinent subscriber requests to your organization for removal from your list. Also, your subscribers can remove themselves from your list. An "unsubscribe" option can be included in the footer of every email sent through LISTSERV or LISTSERV Maestro. This allows any recipient to easily unsubscribe, thereby helping you comply with your GDPR obligations when a subscriber withdraws consent to receive emails.
Right to rectification: At any time, you can update your subscriber lists to correct or complete subscriber information upon their request.
Right of portability: You may export any of your lists, or selected information within your list, by accessing your LISTSERV or LISTSERV Maestro account.

If you are a ListPlex or EASE customer, review the privacy statement and practices applicable to your organization and ensure that these documents and practices include proper notice that the personal data of your subscribers will be transferred to and processed by L-Soft. Consider updating your privacy statement to include language that specifically identifies L-Soft as one of your processors and delineates the applicable processing activities performed by L-Soft, such as the collection and storage of personal data within your LISTSERV account to allow you to create and use distribution lists.

If you have specific questions about GDPR, please contact L-Soft sales at: sales@lsoft.com.

For a list of frequently asked question about GDPR, visit:
https://www.lsoft.com/resources/gdpr-faq.asp

Contract terms for compliance with the GDPR

Your company may have an existing contract with L-Soft International, Inc. and its affiliates (L-Soft). According to the EU General Data Protection Regulation (GDPR, article 28), the controller (your company) and the processor (L-Soft) are obligated to have an agreement governing the processing of personal data (for example, name and email address). To comply with article 28 and permit your company to update the existing contracts with your users, L-Soft created the Data Processing Addendum (DPA).

Use this amendment to the existing contract if:

L-Soft is processing personal data on behalf of your users and
the GDPR applies to such processing of personal data.

In the event of any conflict with existing data privacy or security terms of agreement, the DPA shall prevail. The DPA can be found at the following location:
https://www.lsoft.com/resources/dpa.asp

If you contract with L-Soft for a hosting service (ListPlex, EASE), L-Soft will store and process personal data for your subscribers. Where notice to or consent by the individuals is required for such processing, you will notify and obtain such consent.

Your continued ordering, marketing or accessing of the L-Soft services provided under your existing contract indicates your acceptance of the DPA.