GDPR Frequently Asked Questions

What is GDPR?

The General Data Protection Regulation (“GDPR”) is a data protection regulation that the European Union issued in order to replace the European Data Protection Directive of 1995. The GDPR directly applies to all member states of the European Union from 25 May 2018 forward. The GDPR applies to organizations both inside and outside the European Union that are processing the personal data of data subjects who are in the European Union (“EU”).

Who does GDPR affect?

The GDPR applies to organizations located within the EU as well as organizations located outside of the EU that do business with, offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location.

What does GDPR protect?

GDPR is focused on the protection of the personal data of individuals in the European Union. Under the GDPR, Personal Data is defined broadly in Article 4 (1) as follows:

“[A]ny information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Some examples of personal data include, but are not limited to: name, personalized e-mail address, mailing address, phone number, dynamic and static IP addresses etc.

What are the principles of GDPR as it pertains to personal data?

There are six principles to be mindful of in regards to personal data:

- Should be processed lawfully, fairly and in a transparent way.

- Should be collected for specified, explicit and legitimate purpose.

- Should be kept up to date.

- Should be limited to what is necessary.

- Should not allow identification of people for longer than necessary.

- Should be processed in a way that ensures appropriate security.

The GDPR strengthens the rights of individuals in the EU under the currently existing data protection regulations, as well as giving new rights.

How does the GDPR affect data collection?

The definition of personal data in the GDPR (see FAQ3 above) has been expanded to include any single identifying point for a natural person (e.g. the inclusion of dynamic and static IP addresses, job titles etc.). The effect to data collection is that the collection must be purposeful, with clear intent of use, transparent as well as secure, and legitimate. At any time, users must be aware that their data is being gathered, and known what it’s being used for and why. Users must also have the ability to choose to opt-out of one, some, or all forms of data collections and methods of use (even if previously decided to opt-in) and have the right to request that one, some, or all types of personal data, methods of collection, or intention of use be deleted. So long as this is made clear to users, and the users have accepted the terms of use, companies may continue to collect data as needed for use in marketing.

How does the GDPR affect marketing personalization?

GDPR doesn’t prevent personalization, but as mentioned above, it does change the way marketers collect personal data. Marketers who are informed about GDPR will understand that as long as the gathering and use of personal data is justified for legitimate business purposes and secured (via least privileged access, access control management, encrypted, pseudonymized, etc.), companies may continue to gather personal data from users for marketing efforts. GDPR allows for personalization based on cookies, and the customer needs to comply with applicable requirements such as transparency of cookies, user consent etc. Acquia’s personalization solutions provide tools for our customers to configure data collection properly, such as the ability to: set cookie duration; set visitor to do not track; anonymize profile; hash any identifier.

Read more: Marketing Personalization in the Age of GDPR


Acquia’s Privacy Policy

Acquia Inc. is committed to protecting the privacy of your information.

Acquia’s GDPR Compliance

The GDPR regulates the protection of personal data across the EU member states. Read how Acquia is prepared.

Acquia Sub-Processors Supporting Acquia as Data Processor

A list of sub-processors currently authorized by Acquia Inc. (“Acquia”) to process customer data and assist Acquia with respect to the provision of the applicable services under the Acquia Subscription and Services Agreement.

Acquia Security Annex

Acquia has implemented and will maintain technical and organizational measures inclusive of administrative, technical and physical safeguards.

Acquia GDPR Data Processing Addendum

This DPA is available to customers from your account manager who have executed a subscription and services agreement.

Marketing Personalization in the Age of GDPR

Read about best practices and how our personalization products provide tools to help customers collect data responsibly.

Acquia Legal & Compliance

Find legal information and resources for Acquia’s services.

Acquia is GDPR Compliant

Acquia is in compliance with the General Data Protection Regulation (GDPR). Read our blog to learn more.

Legal Disclaimer: Customer is responsible for ensuring compliance with laws & regulations (i.e. European Union GDPR). Customer/prospective customer must seek legal counsel to understand applicability of any law or regulation on processing of personal data, including through the use of Acquia products or services.  Some products, services, & other capabilities described herein may/may not be available based upon an organization’s specific environment & Acquia services acquired. *Please note, for Acquia Cloud Professional users: See the Terms of Service for GDPR requirements.

External Resources

EU-U.S. Privacy Shield

Acquia’s certification for the EU-U.S. Privacy Shield

Data Transfers

European Commission – data transfers outside the EU

Data Protection Rules

European Commission – reform of EU data protection rules

Contact Us
If you have questions about Acquia’s policies, terms, archives or other legal and data security topics, we’d like to hear from you.
General Inquiries

For privacy inquiries, email: [email protected]    
For DMCA notices and all other legal inquiries, email: [email protected]
For security inquiries, email: [email protected]
Please contact the Acquia GDPR team at [email protected].