OverDrive and the GDPR

The General Data Protection Regulation (GDPR) is a data protection law that goes into effect on 25 May 2018.  It applies to all organizations that collect and/or process personal data of individuals located in the European Union.

Does the GDPR apply to OverDrive?

Yes, OverDrive serves library patrons, students, and other users in the EU.  OverDrive is committed to GDPR compliance.

Is OverDrive a Controller or Processor under GDPR?

OverDrive functions as the Controller of personal data because it “determines the purposes and means of data processing” for data collected by its service.  Certain personal data, such as an email address, may be submitted by a user directly to OverDrive.  Other personal data, such as a cookie identifier or device identifier, may be collected by the OverDrive service during a user’s interaction with the service.  OverDrive determines the purpose and legal basis for such data being collected by its service (e.g., an email address is required to place a hold on a title).  It is important to note that OverDrive’s services have been designed to collect and process only the personal data that is necessary to provide the requested services to the user.

Additionally, as required of Controllers by GDPR, users can contact OverDrive directly to exercise their rights to personal data access, rectification, portability, objection, and erasure (see below for more information).  OverDrive will respond to all requests within the GDPR-required 30-day timeframe.

What updates are happening in my OverDrive service?

Updated Privacy Policy.  Our Privacy Policy will contain a privacy notice that is specific to EU users.  Under the GDPR, there must be a lawful basis for an organization to process the personal data of EU users.  The updated Privacy Policy describes the different legal bases under which OverDrive may process EU users’ personal data, including consent, legitimate interests, and contract performance.

Right of Access.  Under the GDPR, EU users have the right to make several different types of requests to Controllers.  Generally, EU users may contact Controllers and exercise their rights to personal data access, rectification, portability, objection, and erasure.  As the updated Privacy Policy sets forth, EU users can contact GDPRrequest@overdrive.com to exercise their rights.

New Cookie Policy.  We are introducing a new Cookie Policy that better explains OverDrive’s use of cookies and similar technologies.  It is replacing the cookie information that has previously been included in OverDrive’s Privacy Policy.

Can you tell me more about OverDrive’s use of cookies?

Cookies are small data file identifiers that are transferred to a user’s device or web browser.  They allow OverDrive to recognize the device or web browser when the user visits or uses OverDrive’s services.  Generally, cookies are used to improve a user’s experience and monitor service performance.  Commencing 25 May, a new Cookie Settings footer link will allow users to manage their cookie preferences.

Does OverDrive transmit data internationally?

Yes.  OverDrive’s servers are located in the United States.  As the US-EU Safe Harbor Framework has been declared invalid by the European Court of Justice, OverDrive has adopted Binding Corporate Rules (BCRs) to comply with data protection requirements when transferring personal data from the EU to the US.  OverDrive, as a company owned by Rakuten, has adopted Rakuten’s BCRs.  Rakuten’s BCRs were approved by the Luxembourg Data Protection Authority.


OverDrive will continue to monitor and evaluate GDPR compliance guidance supplied by regulatory bodies and others, and may adjust its GDPR compliance efforts if necessary.

If you have questions regarding this GDPR page, or about OverDrive’s GDPR compliance, please email OverDrive at legalteam@overdrive.com.