What is the GDPR?
In April 2016, the European Commission (EC) approved and adopted the new General Data Protection Regulation (GDPR), which replaced the 1995 EU Data Protection Directive and standardized data protection law across the EU countries. The GDPR went into effect on May 25, 2018.
Does it apply to me?
GDPR applies to all organizations processing the “personal data” of EU residents, regardless of whether the organization is operating in the EU. GDPR defines “personal data” as “any information relating to an identified or identifiable natural person.” This definition includes a wide range of personal identifiers, such as name, identification number, location information, and online identifiers. “Personal data” as defined by GDPR is notably much broader than the terms used in other data protection regulations, such as “sensitive information” or “personally identifiable information.”
What is advanced privacy at NationBuilder?
One of NationBuilder’s core tenets has always been that our customers own and can efficiently manage their own data. With that comes a responsibility to help our customers ensure that they are protecting and securing their data, which includes complying with applicable regulations. NationBuilder has always been committed to robust compliance, data protection, and security practices. Consistent with that commitment, we created a variety of advanced privacy tools so that you can ensure you have gained the consent you need to build strong relationships with your supporters. Once advanced privacy is enabled, you’ll have the ability to collect and manage data in compliance with GDPR, including creating consent options, customizing consent forms, and more. Read more here about how to enable your advanced privacy suite of tools.
Transferring data outside the EU
There is no obligation under the GDPR for data to be stored and processed exclusively in the EU. NationBuilder maintains a Privacy Shield certification with the U.S. Department of Commerce and has relied upon that certification as a mechanism to transfer data from the EU to the U.S. On July 16, 2020, the Court of Justice of the European Union issued the Schrems II decision which invalidated the Privacy Shield as a mechanism for transfer of data. However the CJEU upheld the Standard Contractual Clauses as a valid mechanism for transfer along with supplemental measures. On November 13, 2020, the European Data Privacy Board issued recommendations on measures that businesses can adopt to supplement transfer tools. These measures were subject to a comment period ending on November 30, 2020, and final recommendations will be issued thereafter. Since the GDPR went into effect, NationBuilder has included the SCCs as part of its Data Processing Addendum, which in turn forms part of the Master Terms of Service, and does not require a separate signature or click to accept. We recognize that customers may need to implement supplementary measures to ensure compliance with the level of data protection required under the GDPR, and NationBuilder stands ready to work with our customers on such measures.
Last updated December 2020