The EU General Data Protection Regulation (GDPR) FAQ


The EU General Data Protection Regulation (EU GDPR) was created to protect all EU residents from privacy and data breaches. It went into effect May 25, 2018. These FAQs are provided for informational purposes only, not to be considered as legal advice.

1. What is personal data?

Any information related to an individual that can be used to directly or indirectly identify the person. Name and email address qualify as personal data.

2. Who does the GDPR affect?

If you are an L-Soft customer using LISTSERV or LISTSERV Maestro, either on-premises or through L-Soft's hosting services (ListPlex and EASE), and have subscribers residing in the European Union, then you are a "data controller" and must comply with the GDPR. If you use L-Soft hosting services, then L-Soft is your "data processor". Also, L-Soft is the data controller of some personal data (e.g. our newsletter). See next question for definitions.

3. What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data. A processor is an entity that processes personal data on behalf of a controller. The controller is responsible for processing GDPR-related requests from EU residents and determining which data should be deleted and which data should be kept for legitimate purposes as allowed by the GDPR. As a data processor, L-Soft can help customers who need assistance complying with a GDPR request from their subscribers. L-Soft will not respond directly to the customer's subscriber making the request.

4. What is the policy for a data breach of personal data?

If L-Soft has a data breach of a personal data controlled by a customer, the affected customer must be notified as soon as possible. If L-Soft has a data breach of data the company controls (e.g. L-Soft newsletter), L-Soft must alert affected individuals (subscribers) without undue delay.

5. Does L-Soft have a Data Protection Officer (DPO)?

No. L-Soft is not required to appoint one.

6. Do the owners of personal data have new rights under the GDPR regulation?

Yes. See the Data Subject Rights information in the GDPR Portal at:

7. Does personal data need to be encrypted?

It depends. The GDPR does not mandate that personal data be encrypted; it only requires that personal data be stored securely. If, hypothetically, one was to run LISTSERV on a laptop, it would be prudent to use hardware or file system encryption to protect personal data in case of theft. Most customers run LISTSERV in a secure data center using automated storage tiering (where the data constantly moves from disk to disk depending on access patterns, and only the storage controller knows where data is located at any given second). In this scenario, data theft is much more likely to occur via export to USB device than removal of physical disk drives that are in practice useless without the storage controller and Storage Area Network (SAN) infrastructure.

In the end, this is a call that data controllers must make depending on their circumstances and on the kind of personal data that they store, besides names and email addresses (e.g. medical information, social security information, payroll and income tax information).

L-Soft's hosting services do not use self-encrypting hard drives. This is available as a custom option for the ListPlex Dedicated service.

8. Does L-Soft's email list management and email marketing software enable users to exercise their right to be forgotten?

Yes, users (subscribers) can unsubscribe from a LISTSERV or LISTSERV Maestro list on their own, and list owners can remove users from the lists that they control.

9. Can a subscriber have his or her contributions removed from a list archive?

Technically, yes – the data controller can remove individual messages from a list archive, and there may be cases where this is warranted, depending on the nature of the list. But, in most other cases, there will be other legitimate interests that the controller will have to weigh against the user's interest in having the messages removed. The right to be forgotten under the GDPR is not absolute and is subject to many exceptions.

Imagine a former employee requesting that all the articles he authored in the company newsletter be deleted. The company would have a legitimate business interest in preserving the integrity of its newsletter. There would also probably be a conflict with other laws, as the employer would likely own the intellectual property rights to the articles in question under the work-for-hire doctrine.

Also, this would likely apply to an academic discussion list scenario in which removing all messages from a frequent contributor would render the discussions unintelligible. Furthermore, other subscribers may have cited the user in a way that permits indirect identification and would likely have a legitimate interest in not having their own contributions removed just because they happened to elaborate on the user's contributions. Preserving valuable research resources, or the history of the development of a particular field, are likely to be legitimate interests for the data controller.

When weighing conflicting legitimate interests against the user's own interest, one factor to consider is that the messages have already been sent to every subscriber and cannot be recalled from their inboxes. Deleting but one of hundreds or even thousands of copies of a message does not provide as much value to the user as deleting the one and only copy.

Data controllers must make this call on a case-by-case basis, depending on the purpose of the list.

LISTSERV is a registered trademark licensed to L-Soft international, Inc.

See Guidelines for Proper Usage of the LISTSERV Trademark for more details.

All other trademarks, both marked and unmarked, are the property of their respective owners.