Our commitment to GDPR compliance

All You Need to Know About Ex Libris and GDPR


Introduction to GDPR

On May 25, 2018, a new privacy law called the General Data Protection Regulation (GDPR) took effect in the European Union (EU). It replaces the Data Protection Directive (“the Directive”), which has been in effect since 1995.

While the GDPR preserves the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data.

As part of our commitment to assist our customers on their journey to GDPR compliance, Ex Libris has developed product-specific papers to help our customers prepare for GDPR. These papers describe tools and capabilities built into our products and other defined procedures that can assist your organization in addressing individual “data subject” rights under the GDPR.


Our Commitment

Ex Libris is committed to General Data Protection Regulation (GDPR) compliance. Our engineering, product, security and legal teams have been working to align our procedures, documentation, contracts, and services to support compliance with the GDPR.

We also support our customers on their GDPR compliance journey through our strong foundation of implemented security and privacy frameworks and certified security and privacy controls.

Learn how Ex Libris addresses each of the provisions of the GDPR >



Data Processing Agreement

Ex Libris has published a Data Processing Agreement (DPA) for each of our product groups to incorporate the appropriate terms required by the GDPR into the relevant customer agreements. These DPAs have been created under the supervision of EU privacy experts and are designed to comply with the GDPR and to reflect the specific details of the data processing activities within Ex Libris services.

All customers that are processing personal data that is subject to the GDPR through Ex Libris services must have a DPA with us to allow both the customer and Ex Libris to comply with the DPA requirements of the GDPR. Most of the agreements signed with our customers prior to May 2018 did not include a GDPR DPA. If your current Ex Libris service agreement does not include a GDPR DPA, you should download, sign, and return the DPA or DPAs appropriate to the Ex Libris service that you use.

Instructions for completing the GDPR DPA Addendum (Read this first) >

Download the applicable GDPR DPA Addendum > 

Once you have downloaded, reviewed, and signed the Addendum, please scan and email it to:

Please ensure that you return an Addendum for each relevant group of Ex Libris services that you use.


Privacy Impact Assessments (PIAs)

Privacy Impact Assessments, including a brief description of the data processed in each solution, the privacy impact, and the measures Ex Libris is taking in order to manage the risks involved, are available for select Ex Libris solutions. These PIAs were performed by a leading privacy consultation firm, KPMG.

Read Privacy Impact Assessments >




What You Need to Know about GDPR Data Subject Rights and:

See more in our Resources Center >


Data Protection Officer (DPO)

Ex Libris has appointed a Data Protection Officer who is responsible for, among other duties, ensuring that:

  • Ex Libris complies with all relevant privacy-related legislation
  • Employees are fully informed of their own responsibilities for acting within the law
  • Ex Libris has proper risk-based systems of control over the personal data that it processes
  • Ex Libris deals promptly and professionally with requests for information
  • When acting as a data controller, Ex Libris will provide data subjects with a reasonable access mechanism that enables them to access their personal data and will allow them to update, rectify, erase, or transmit their personal data

Our DPO is Ellen Amsel (CIPM, CISSP, CISM, CISA), who can be reached at dpo@exlibrisgroup.com