GDPR and OneAffiniti

What has OneAffiniti done to comply with the GDPR?

OneAffiniti is committed to being a responsible custodian of the personal information you trust us to collect and process. As part of our commitment to privacy, we have taken specialist legal advice and established an internal GDPR team to assess our responsibilities and implement the measures required for GDPR compliance. Here is a summary of the key steps we have taken:

  • Gap analysis: We have performed a gap analysis of the requirements imposed by GDPR, as applicable to OneAffiniti’s business operation.
  • Data Maps: We’ve created comprehensive data maps that track personal data flows throughout our systems and services.
  • Disclosure: We have updated disclosures on our marketing materials and landing pages.
  • Privacy notice: We have updated our website privacy notice and internal privacy notices to make them GDPR compliant as well as being more clear, concise and transparent about how we process personal data.
  • Data breach notification: We have updated our data breach plan and incident response procedures to bring them into line with the GDPR.
  • Data security: We have reviewed and, where appropriate, updated/upgraded our technical and organizational system security practices.
  • Data subject rights: We have put in place processes for dealing with key data subject rights, such as the right to access, right to request portability of data and right to erasure.
  • Data processing records: We have GDPR-compliant data processing records, including cross-border transfer procedures.
  • Data protection policies and training: We have developed data protection and handling policies and have put in place a training framework for all OneAffiniti personnel.
  • Vendors and third parties: We have reviewed our relationships with third party providers and have ensured the terms we have in place meet the requirements of the GDPR.

Our GDPR compliance journey involves a process of continuous improvement. We are here to support your marketing initiatives, and working as a team we can build a trusting and transparent relationship with your current and prospective subscribers.

Quick FAQs

Where does OneAffiniti store partner and subscriber data?

We use a top-tier, third-party data hosting provider (Amazon Web Services) to host our services. For more information about AWS’s approach to compliance with the GDPR, see

Who are OneAffiniti’s sub-processors or third-party providers?

A full list of our third-party processors can be found here.

I am a partner participating in the OneAffiniti program. Do I still need to worry about GDPR compliance?

Yes. If you are established in the EU or, where you are established outside of the EU, to the extent that any of your subscribers are located in the EU, you will be considered the controller of your subscriber information. In this event, when you participate in the OneAffiniti program, your obligations under the GDPR include making sure that:

  • you have a GDPR-compliant subscriber list
  • your privacy notice has adequate disclosure in line with GDPR requirements
  • you have appropriate technical and organizational security measures in place to mitigate risk of a privacy breach
  • you notify OneAffiniti immediately if you receive a privacy complaint or request or are involved in a potential or actual data breach incident.

OneAffiniti is committed to helping you meet your GDPR obligations with respect to subscriber preference management, cookie disclosure, personal information requests and other data subject rights. We will be doing our best to make sure our service is delivered in compliance with applicable privacy regulations and are working to help you deliver your marketing message to customers in line with the GDPR.

Please see our partner GDPR obligations section for further information.

What security measures does OneAffiniti have in place to protect data?

We have technical measures and organizational procedures in place to safeguard the security and confidentiality of personal information. Some of these include:

  • Network protection: Multiple layers of security controls protect access to and within our environment, including firewalls, intrusion protection systems and network segregation. We engage data security experts on a regular basis and leverage their expertise to protect our systems.
  • Data encryption: We encrypt all data that goes between you, your subscribers and OneAffiniti using industry-standard TLS (Transport Layer Security).
  • Secure data centers: Our servers are located within enterprise-grade hosting facilities that employ robust physical security controls. OneAffiniti maintains geographically separated data replicas and hosting environments to minimize the risk of data loss or outages.
  • Internal policies and controls: We maintain extensive data protection policies and IT security policies, as well as conducting regular audits of systems and controls.

This material is provided for your general information and is not intended to provide legal advice. To understand the full impact of the GDPR on any of your data processing activities please consult with an independent legal and/or privacy professional.