What is the GDPR and who does it apply to?
The General Data Protection Regulation (GDPR) is a privacy and security law passed by the European Union, effective May 25, 2018. The GDPR imposes obligations on companies and organizations, not only in the EU but all around the world, if they target or collect personal data related to people in the EU. The purpose of the GDPR is to protect individuals and the data that describes them, and to ensure that the organizations that collect the data do so in a responsible manner.
What is considered personal data under the GDPR?
GDPR defines “personal data” as “any information relating to an identified or identifiable natural person.” This definition includes a wide range of personal identifiers, such as name, identification number, location information, and online identifiers. “Personal data” as defined by GDPR is notably much broader than the terms used in other data protection regulations, such as “sensitive information” or “personally identifiable information.”
What is the EU-US Data Privacy Framework and does it allow personal data to be transferred from the EU to the US?
On July 10, 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework. On that basis, personal data can flow freely from the EU to companies in the US that participate in the Data Privacy Framework (“DPF”). NationBuilder participates in the DPF and therefore is able to legally receive personal data from the EU.
Why did the US receive an adequacy decision?
The adequacy decision issued by the European Commission followed the adoption of the Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’ by U.S. President Joe Biden and a Regulation issued by the US Attorney General. These instruments introduced new binding safeguards to address the points raised by the Court of Justice of the European Union in its Schrems II decision of July 2020. They ensure that data can be accessed by U.S. intelligence agencies only to the extent necessary and proportionate, and they establish an independent and impartial redress mechanism to handle and resolve complaints from Europeans concerning the collection of their data for national security purposes.
In addition, the safeguards put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US, regardless of the transfer mechanisms used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.
What are NationBuilder’s Advanced Privacy tools?
The Advanced Privacy suite of tools was designed with GDPR compliance in mind and provides NationBuilder customers additional data privacy tools. Using the Advanced Privacy tools, customers can:
- Gather and manage consent for data processing
- Gather consent for certain analytics cookies
- Respond to individuals seeking to exercise their rights to data erasure, data access, and data portability
What can you tell me about consent?
The GDPR provides that a lawful basis must exist for the processing of personal data. Consent from the individual whose data is being processed is one possible lawful basis. You can learn more about the principles of consent (and other lawful bases) by reviewing the guidance from the UK’s Information Commissioner’s Office. You can also check out our webinar regarding consent under the GDPR, where we provide an overview of the concepts of consent and information about NationBuilder’s consent tools.
Where can I find more guidance about the legislation in my country?
If you need guidance on practices and/or compliance in your country, we recommend you visit the website of your country/state data regulator and get advice from your legal counsel.
If I have additional questions regarding NationBuilder and the GDPR, who can I contact?
Please email our team at privacy@nationbuilder and we will get back to you as soon as possible.
Last Updated September 2023