The General Data Protection Regulation (GDPR) is a data protection law that went into effect on 25 May 2018. It applies to all organizations that collect and/or process personal data of individuals located in the European Union.
Yes, OverDrive serves library patrons, students, and other users in the EU. OverDrive is committed to GDPR compliance.
Updated Privacy Policy. Our Privacy Policy contains a privacy notice that is specific to EU users. Under the GDPR, there must be a lawful basis for an organization to process the personal data of EU users. The Privacy Policy describes the different legal bases under which OverDrive may process EU users’ personal data, including consent, legitimate interests, and contract performance.
Data Requests. Under the GDPR, EU users have the right to make several different types of requests to controllers of data. Generally, EU users may contact controllers and exercise their rights to personal data access, rectification, portability, objection, and erasure. As the updated Privacy Policy sets forth, EU users can contact privacy@overdrive.com or visit the Data Request center to exercise their rights.
New Cookie Policy. We introduced a new Cookie Policy that better explains OverDrive’s use of cookies and similar technologies. It replaced the cookie information that was included in OverDrive’s Privacy Policy prior to 25 May 2018.
Cookies are small data file identifiers that are transferred to a user’s device or web browser. They allow OverDrive to recognize the device or web browser when the user visits or uses OverDrive’s services. Generally, cookies are used to improve a user’s experience and monitor service performance. As of 25 May 2018, a new Cookie Settings link allows users to manage their cookie preferences. EU users must opt-in to the use of certain types of cookies before such cookies can be used by OverDrive.
Yes. OverDrive’s servers are located in the United States. OverDrive has adopted Standard Contractual Clauses (SCCs) to safeguard international data transfers, including transfers of personal data from the EU, Switzerland, and other countries that use SCCs, to the US. OverDrive has adopted the International Data Transfer Agreement (IDTA) to safeguard international data transfers of personal data from the UK to the US.
OverDrive has also adopted the required principles for the EU-U.S. Data Privacy Framework (DPF), UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, as set forth by the U.S. Department of Commerce. To learn more about the DPF program, see: Data Privacy Framework (DPF) Principles. To view our certification under the DPF program, see: U.S. Department of Commerce Data Privacy Framework List.
OverDrive will continue to monitor and evaluate GDPR compliance guidance supplied by regulatory bodies and others, and may adjust its GDPR compliance efforts if necessary.
If you have questions regarding this GDPR page, or about OverDrive’s GDPR compliance, please email OverDrive at privacy@overdrive.com.