The General Data Protection Regulation (GDPR) is effective May 25, 2018. The GDPR is designed to enable individuals residing in the European Union (EU) to better control their personal data. The GDPR applies to any entity that processes or controls personal information owned by EU residents (data subjects). The regulation is specifically aimed at businesses that sell goods and services to EU residents while in the EU, but it may also apply to nonprofit organizations if they intentionally solicit donations from EU residents.
Within the scope of the GDPR, Acceptiva may (as defined by the GDPR) be considered a ‘processor’ (Article 3). We do not solicit EU residents or entities as potential clients and therefore we are not deemed a ‘controller’. As some Acceptiva clients may be deemed to be ‘controllers’, we comply with the GDPR as a processor on behalf of our controller clients, meeting or exceeding all requirements and technical operational measures, including but not limited to the core principles of processing personal information (Article 5), data protection by design (Article 25), data inventory management (Article 30), workflow management, data mapping, legal use of data within Acceptiva (Article 6), managing data lifecycles, the provision of personal information to data subjects in the appropriate format (Articles 12(3), 15 and 20) upon request, and the erasure of personal information (Article 17) upon request.
We have appointed a Data Protection Officer (Articles 37-39) to ensure that Acceptiva complies with all required activities of the role, including Articles 33 and 34.
Acceptiva is not required to comply with Article 27 as a ‘processor’, or as the processor for our ‘controller’ clients as per Article 27, as processing by Acceptiva on behalf of our clients “is occasional, does not include, on a large scale, processing of special categories of data referred to in Article 9(1) or processing of personal data relating to criminal convictions or offences referred to in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purpose of the processing”.
Do Acceptiva Clients Need to be GDPR Compliant?
For the vast majority of Acceptiva clients the answer is simply ‘no’. All Acceptiva clients are nonprofit organizations based in the USA, and it is our understanding that unless your organization is intentionally and actively soliciting donations and payments from residents in the EU, the GDPR does not apply to you. Unintentionally acquired donations or payments are not covered by the GDPR: for example, a donor in Holland who finds your English-language website through a Google search and makes an unsolicited donation would not be covered by the GDPR.
HOWEVER, if your nonprofit does actively and intentionally solicit and receive donations and payments as a result of targeting residents of the EU, then you may be considered a ‘controller’ of personal information and may be subject to the GDPR. You should research the GDPR and ensure that your organization is compliant if applicable. For a comprehensive review of the GDPR click: http://www.privacy-regulation.eu/en/index.htm.
If the GDPR does apply to your organization, consult with your IT and technology team to ensure that you are in compliance as a controller of personal information. One requirement you must meet immediately is that you must acquire ‘affirmative consent’ (Article 7) before you can proceed with the acceptance of personal information from a donor. This means that you should contact Acceptiva to request the addition of a check box to each Acceptiva form that you intend to use to target residents in the EU, requiring donors to “affirmatively consent” to providing you with their personal information prior to completing a transaction. Requests can be sent to firstname.lastname@example.org.
For the transactions that Acceptiva processes for your organization, Acceptiva can assist you in meeting the GDPR requirements relating to the rights of data subjects to have their personal information provided to them or erased at their request. We are able to perform these functions for data that we store and manage on our secure servers on your behalf as your ‘processor’, but you are responsible for these functions with regard to personal information that you export and store in your organization’s own systems, such as donor databases or CRM databases.
If any of your EU donors request that their information be erased in compliance with their rights under the GDPR, please instruct them to send an email to Acceptiva at email@example.com.
GDPR Statement Changes
It is our policy to post any changes we make to our GDPR statement on this page. It is your responsibility to check this page from time to time for any changes.
No Legal Advice Intended
The contents of this Statement are intended to convey general information only and not to provide legal advice or opinions. The contents of this website, and the posting and viewing of the information on this website, should not be construed as, and should not be relied upon for, legal advice in any particular circumstance or fact situation. The information presented on this website may not reflect the most current legal developments. No action should be taken in reliance on the information contained on this website and we disclaim all liability in respect to actions taken or not taken based on any or all of the contents of this site to the fullest extent permitted by law. An attorney should be contacted for advice on specific legal issues.
Questions, comments and requests regarding this GDPR statement are welcomed and should be addressed to firstname.lastname@example.org.
This GDPR statement was last updated – January 2019.