The General Data Protection Regulation (GDPR) is a data protection law that went into effect on 25 May 2018. It applies to all organizations that collect and/or process personal data of individuals located in the European Union.
Yes, OverDrive serves library patrons, students, and other users in the EU. OverDrive is committed to GDPR compliance.
OverDrive functions as the Controller of personal data because it “determines the purposes and means of data processing” for data collected by its service. Certain personal data, such as an email address, may be submitted by a user directly to OverDrive. Other personal data, such as a cookie identifier or device identifier, may be collected by the OverDrive service during a user’s interaction with the service. OverDrive determines the purpose and legal basis for such data being collected by its service (e.g., an email address is required to place a hold on a title). It is important to note that OverDrive’s services have been designed to collect and process only the personal data that is necessary to provide the requested services to the user.
Additionally, as required of Controllers by GDPR, users can contact OverDrive directly to exercise their rights to personal data access, rectification, portability, objection, and erasure (see below for more information). OverDrive will respond to all requests within the GDPR-required 30-day timeframe.
Updated Privacy Policy. Our Privacy Policy contains a privacy notice that is specific to EU users. Under the GDPR, there must be a lawful basis for an organization to process the personal data of EU users. The updated Privacy Policy describes the different legal bases under which OverDrive may process EU users’ personal data, including consent, legitimate interests, and contract performance.
Data Requests. Under the GDPR, EU users have the right to make several different types of requests to Controllers. Generally, EU users may contact Controllers and exercise their rights to personal data access, rectification, portability, objection, and erasure. As the updated Privacy Policy sets forth, EU users can contact privacy@overdrive.com or visit the Data Request center to exercise their rights.
New Cookie Policy. We introduced a new Cookie Policy that better explains OverDrive’s use of cookies and similar technologies. It replaced the cookie information that was included in OverDrive’s Privacy Policy prior to 25 May 2018.
Cookies are small data file identifiers that are transferred to a user’s device or web browser. They allow OverDrive to recognize the device or web browser when the user visits or uses OverDrive’s services. Generally, cookies are used to improve a user’s experience and monitor service performance. As of 25 May 2018, a new Cookie Settings link allows users to manage their cookie preferences. EU users must opt-in to the use of certain types of cookies before such cookies can be used by OverDrive.
Yes. OverDrive’s servers are located in the United States. As the US-EU Privacy Shield Framework has been declared invalid by the European Court of Justice, OverDrive has adopted Standard Contractual Clauses (SCCs) to safeguard international data transfers, including transfers of personal data from the EU, Switzerland, and other countries that use SCCs, to the US. OverDrive has adopted the International Data Transfer Agreement (IDTA) to safeguard international data transfers of personal data from the UK to the US.
OverDrive will continue to monitor and evaluate GDPR compliance guidance supplied by regulatory bodies and others, and may adjust its GDPR compliance efforts if necessary.
If you have questions regarding this GDPR page, or about OverDrive’s GDPR compliance, please email OverDrive at privacy@overdrive.com.