General Data Protection Regulation (GDPR)
The European Union's General Data Protection Regulation (GDPR) took effect on 25 May 2018.
List-owners have obligations to their subscribers in the EU, namely ensuring that their subscribers consent to be on the list, and ensuring that their subscribers' information is not shared without permission. List-owners' obligations are set out in MailmanLists' Terms and conditions of use.
The GDPR is a set of data protection rules that applies to businesses based in the EU, as well as businesses around the world that provide services to, or process data from or about, individuals in the EU. It requires that individuals have control over their personal data, and it specifies how such data may be collected, processed, and stored.
In summary, the GDPR requires:
- transparency about how data is processed
- an individual's access to, and information about, collected data
- the correction of stored data as requested
- the removal of data ("right to be forgotten")
- the restriction of data processing
- data portability.
And in protecting data, the GDPR requires that:
- personal data must only be collected when consent from the user has been obtained
- personal data must not be used for purposes inconsistent with the initial purpose of collection
- personal data must not be stored longer than required by the purpose of collection
- personal data must be kept confidential unless required by law.
See: European Commission's Data protection in the EU