GDPR: Partnering with Customers

OCLC is committed to ensuring our partners and customers can continue to use our products and services while complying with the EU General Data Protection Regulation (GDPR). We recognize that compliance with the GDPR requires a partnership between OCLC and our partners and customers in their use of applicable OCLC services. Working together, we have been addressing and will continue to explore opportunities within our relevant service offerings to assist our customers in meeting their GDPR obligations as data controllers.  

Below we have answered some of the most urgent questions our partners and customers have about OCLC's service offerings and the GDPR.

How does OCLC ensure GDPR compliance?

OCLC believes the GDPR is an important milestone in the data privacy landscape. We are excited about the strong data privacy and security principles that the GDPR emphasizes.

  • Assessment and Governance: OCLC carefully monitors where and how our relevant services collect, use, store, and dispose of personal data. As part of our worldwide privacy and data governance program, we have established and continually improve our procedures, policies, standards, governance, and documentation as needed.
  • Products: We have developed features in our various products to assist our customers in meeting some of their GDPR compliance obligations, such as display of privacy notices. Release notes of products, when available, describe product changes that may be helpful with respect to GDPR.
  • Cross-Border Transfers of EU Personal Data: With respect to OCLC's products and services, cross-border transfers of personal data can vary by OCLC product. For some products, personal data is localized within the European Economic Area. For others, transfers of personal data outside of the European Economic Area occur. OCLC has standard contractual clauses in place to account for data transfers from the EEA, and OCLC establishes standard contractual clauses directly with our customers when they are the data exporters to OCLC outside of the EEA.
  • Employee Training and Awareness: All OCLC employees must complete data security training. In addition to these training requirements, OCLC conducts ongoing awareness initiatives on a variety of topics, including data protection, security, and privacy.
  • Contractual Commitments: Working in conjunction with our customers and vendors, OCLC executes data processing agreements as needed to directly address GDPR requirements.

What security measures does OCLC have in place to protect the personal data it processes?

OCLC has robust technical and organizational measures in place, meeting international audit standards, to ensure a level of security appropriate for the personal data collected. We regularly test, assess, and evaluate the effectiveness of our technical and organizational measures. OCLC has administrative and technological controls in place to limit its use of personal data to the purposes for which it is collected, and processes in place to detect and respond to security breaches.

What is the difference between a controller and a processor?

With respect to the various products and services that OCLC hosts for our customers, our customers generally act as controllers, and OCLC acts as the processor. In the context of processing personal data, a controller is the organization that determines the purposes and means of processing the personal data. A processor is the organization that processes the data on behalf of the controller.

What personal data does OCLC process?

Many of OCLC's products are library management systems that help our customers process their patrons' circulation and discovery requests. These products also collect minimal personal data of library employees for library management purposes. While some personal data, such as names of patrons, are collected and used by all libraries, our customers differ on what data they use. Customers, as the controllers, determine the specific personal data that they will collect from the data subjects and provide to OCLC for processing. OCLC encourages its customers to examine what personal data they are processing to determine what obligations they may have under the GDPR.

Will OCLC assist customers in responding to requests made by data subjects related to their expanded individual rights under the GDPR?

The GDPR provides individuals more control over the processing of their personal data. OCLC has established processes for reviewing data subject requests. OCLC’s privacy notice describes the rights of data subjects and how to make requests. In many instances, requests by data subjects should be reviewed and fulfilled directly by our customers, as data controllers, instead of by OCLC, who is acting at the direction of the customer. Customers who believe they are unable to fulfill requests themselves through use of our products may contact OCLC to seek assistance.

What steps does OCLC take to ensure its customers can lawfully transfer personal data outside of the European Union?

When personal data is transferred from the EU to OCLC, Inc. in the United States, it is transferred pursuant to the standard contractual clauses issued by the European Commission. OCLC maintains consistent strong data security controls worldwide, to safeguard transferred personal data.