This OverDrive User Login Manager Data Processing Agreement (“DPA”) applies to your use of OverDrive’s User Login Manager (“ULM”). This DPA applies to ULM only; it does not apply to any other OverDrive provided products or services.
In the course of providing the ULM services, on behalf of your library, school, or organization (“Institution”), OverDrive may process personal data of your patrons, students, or other authorized users (“Users”). OverDrive and Institution agree to comply with the following provisions with respect to any User Personal Data.
“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any personally identifiable information submitted by the Institution to ULM that relates to an Institution’s Users. Institution may submit such information to ULM, including but not limited to the following categories: Barcode (e.g. library card number, student ID, or employee ID), PIN, Password, Branch Code, Status, Name, Address, Date of Birth, Graduation Year.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“UK Data Protection Laws” means all laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
“User” means the identified or identifiable natural person to whom Personal Data relates.
2.1 Institution acknowledges and agrees that it 1) has the necessary rights to provide Personal Data to OverDrive for ULM, and 2) shall upload Personal Data to ULM for the sole purpose of allowing Users to access OverDrive’s services.
2.2 Institution, in its sole discretion, may allow authorized OverDrive personnel to perform the upload of Personal Data to ULM. In such an instance, Institution acknowledges and agrees that it has the authority to provide OverDrive personnel with such Personal Data and allow the upload of Personal Data on its behalf.
3.1 The parties acknowledge and agree that with regard to ULM’s Processing of Personal Data, Institution is the Controller and OverDrive is the Processor.
3.2 All Processing of Personal Data shall occur in the United States.
3.3 Institution’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Institution shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Institution acquired Personal Data.
3.4 OverDrive shall treat Personal Data as confidential information and shall only Process Personal Data on behalf of and in accordance with Institution’s documented instructions where such instructions are consistent with the purpose and capabilities of ULM.
4.1 OverDrive shall respond to Users or refer Users to Institution within the legally required time frame if OverDrive receives requests from Users to exercise User rights in relation to User’s Personal Data. Each such request is a “Data Subject Request”. Taking into account the nature of the Processing, OverDrive shall provide commercially reasonable efforts to assist Institution by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Institution’s obligation to respond to a Data Subject Request under applicable Data Protection Laws and Regulations.
5.1 OverDrive shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and have received appropriate training on their responsibilities to keep Personal Data confidential. OverDrive shall require personnel to honor such confidentiality obligations beyond departure from OverDrive.
5.2 OverDrive shall ensure that its access to Personal Data is limited to those OverDrive personnel necessary to perform OverDrive’s services for Institution.
5.3 OverDrive does not utilize the services of any sub-processors for the provision of ULM.
6.1 OverDrive shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality, and integrity of Personal Data.
6.2 OverDrive maintains security incident management policies and procedures and shall notify Institution without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise Processed by OverDrive of which OverDrive becomes aware (a “Personal Data Incident”). The notification of the Personal Data Incident to Institution shall be by email to the email address(es) selected by Institution within ULM. Institution is solely responsible for keeping the email address(es) current. OverDrive shall make commercially reasonable efforts to identify the cause of Personal Data Incidents and take those steps as OverDrive deems necessary and reasonable in order to remediate the cause of such Personal Data Incidents to the extent the remediation is within OverDrive’s reasonable control. The obligations herein shall not apply to incidents that are caused by Institution or its negligence.
6.3 OverDrive shall Process Personal Data for the duration of Institution’s use of ULM. Upon Institution’s termination of use of ULM, or upon Institution’s written request, OverDrive shall return Personal Data to Institution and, to the extent allowed by applicable law, delete Personal Data.
6.4 Users are responsible for reasonable password management. When constructing a password for use of OverDrive services, it is recommended that the password: 1) contain multiple of the following four categories: English uppercase characters (A through Z), English lowercase characters (a through z), base 10 digits (0 through 9), non-alphabetic characters; 2) be at least 16 characters long; 3) be unique to the account; 4) be stored in a secure location; 5) be rotated periodically.
7.1 OverDrive shall Process Personal Data in accordance with Data Protection Laws and Regulations directly applicable to OverDrive’s provision of ULM to Users and Institutions.
7.2 Upon Institution’s written request, OverDrive shall provide Institution with reasonable cooperation and assistance needed to fulfill Institution’s obligation under the GDPR to carry out a data protection impact assessment related to Institution’s use of ULM, to the extent Institution does not otherwise have access to the relevant information, and to the extent such information is available to OverDrive.
7.3 OverDrive has adopted Standard Contractual Clauses (SCCs) to safeguard international data transfers, including transfers of personal data from the EU, Switzerland, and other countries that use SCCs, to the US. OverDrive has adopted the International Data Transfer Agreement (IDTA) to safeguard international data transfers of personal data from the UK to the US.
8.1 Independent Contractor. Institution and OverDrive are independent contractors under this DPA and nothing in this DPA authorizes either party to act as a legal representative or agent of the other for any purpose. It is expressly understood that this DPA does not establish a franchise relationship, partnership, principal-agent relationship, or joint venture. Neither party shall have the power to bind the other with respect to any obligation to any third party. Each party is solely responsible for its employees, including terms of employment, wages, hours, required insurance, and daily direction and control.
8.2 Assignment. The rights and obligations under this DPA shall not be assigned or subcontracted by Institution without the express prior written consent of OverDrive.
8.3 All Disputes Arising from this DPA. This DPA shall be governed by the laws of the State of Ohio, USA, without regard to any conflict of laws principles. Any dispute regarding this DPA shall be solely and exclusively brought in courts residing in the Northern District of Ohio, USA, and the local laws of Ohio shall apply to any such action related to the above without regard to any conflicts of laws principles. The parties agree that exclusive venue and jurisdiction for any and all actions brought by the parties or related entities, shall be in the courts residing in the Northern District of Ohio. You waive any and all objections and challenges to the exclusive venue and jurisdiction of this section.
8.4 Severability. In the event that a court of competent jurisdiction determines that any portion of this DPA is unenforceable, void, invalid, or inoperative, the remaining provisions of this DPA shall not be affected and shall continue in effect as though such invalid provisions were deleted.
2.1 Institution acknowledges and agrees that it 1) has the necessary rights to provide Personal Data to ULM, and 2) is uploading Personal Data to ULM for the sole purpose of allowing Users to access and checkout digital titles from its collection.
2.2 Institution, in its sole discretion, may allow authorized OverDrive personnel to perform the upload of Personal Data. In such an instance, Institution acknowledges and agrees that it has the authority to provide OverDrive personnel with such Personal Data and allow the upload of Personal Data on its behalf.
3.1 The parties acknowledge and agree that with regard to ULM's Processing of Personal Data, Institution is the Controller and OverDrive is the Processor.
3.2 Institution's instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Institution shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Institution acquired Personal Data.
3.3 OverDrive shall treat Personal Data as confidential information and shall only Process Personal Data on behalf of and in accordance with Institution's documented instructions where such instructions are consistent with the purpose and capabilities of ULM.
4.1 OverDrive shall, to the extent legally permitted, promptly notify Institution if OverDrive receives a request from a User to exercise the User's GDPR right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Taking into account the nature of the Processing, OverDrive shall provide commercially reasonable efforts to assist Institution by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Institution’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Institution, in its use of ULM, does not have the ability to address a Data Subject Request, OverDrive shall upon Institution’s request provide commercially reasonable efforts to assist Institution in responding to such Data Subject Request, to the extent OverDrive is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations.
5.1 OverDrive shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and have received appropriate training on their responsibilities. OverDrive shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
5.2 OverDrive shall take commercially reasonable steps to ensure the reliability of any OverDrive personnel engaged in the Processing of Personal Data.
5.3 OverDrive shall ensure that OverDrive’s access to Personal Data is limited to those personnel performing services in accordance with ULM.
5.4 OverDrive does not utilize the services of any sub-processors for the provision of ULM.
6.1 OverDrive shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality, and integrity of Personal Data. OverDrive regularly monitors compliance with these measures. OverDrive will not materially decrease the overall security of ULM.
6.2 OverDrive maintains security incident management policies and procedures and shall notify Institution without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise Processed by OverDrive of which OverDrive becomes aware (a “Personal Data Incident”). The notification of the Personal Data Incident to Institution shall be by email to the email address(es) selected by Institution within ULM. Institution is solely responsible for keeping this email address current. OverDrive shall make commercially reasonable efforts to identify the cause of such Personal Data Incident and take those steps as OverDrive deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within OverDrive’s reasonable control. The obligations herein shall not apply to incidents that are caused by Institution.
6.3 OverDrive will Process Personal Data for the duration of Institution’s use of ULM. Upon Institution’s termination of use of ULM, or upon Institution’s written request, OverDrive shall return Personal Data to Institution and, to the extent allowed by applicable law, delete Personal Data.
6.4 Users are responsible for reasonable password management. When constructing a password for use of OverDrive services, it is recommended that the password: 1) contain multiple of the following four categories: English uppercase characters (A through Z), English lowercase characters (a through z), base 10 digits (0 through 9), non-alphabetic characters; 2) be at least 16 characters long; 3) be unique to the account; 4) be stored in a secure location; 5) be rotated periodically.
7.1 OverDrive will Process Personal Data in accordance with the GDPR requirements directly applicable to OverDrive’s provision of ULM.
7.2 Upon Institution’s request, OverDrive shall provide Institution with reasonable cooperation and assistance needed to fulfil Institution’s obligation under the GDPR to carry out a data protection impact assessment related to Institution’s use of ULM, to the extent Institution does not otherwise have access to the relevant information, and to the extent such information is available to OverDrive.
7.3 OverDrive has adopted Standard Contractual Clauses (SCCs) to safeguard international data transfers, including transfers of personal data from the EU, Switzerland, and other countries that use SCCs, to the US. OverDrive has adopted the International Data Transfer Agreement (IDTA) to safeguard international data transfers of personal data from the UK to the US.