GDPR for Episerver customers

With the Episerver Digital Experience Cloud, you can quickly meet the GDPR requirements, while keeping all of the functionalities that make you a digital leader. Learn what your GDPR responsibilities are and how Episerver can help.

10 ways to prepare for GDPR compliance

Here are the top ten things you should be considering and planning for when it comes to GDPR compliance. You'll also learn how Episerver has been preparing for GDPR.

Download the white paper

This checklist highlights some of the main GDPR responsibilities, what you need to do, and how Episerver's features and processes help you become compliant.


Data Controller

Data Processor

Minimize data necessary to complete a task or transaction that has been initiated by the individual Reduce the amount of personally identifiable information they store, and erase it when no longer necessary One of the ISO27001 guidelines we have in place is the data minimization. Customers should only submit data to Episerver for processing that is necessary.
Obtain Data Subject Consent/affirmative opt-in Provide clear and affirmative consent to the processing of private data. Pre-ticked boxes are not allowed. Single opt-in boxes for multiple consent types are also not allowed. Episerver will process data as instructed by customers but customers are responsible for such consent and opt-ins. We will provide reference solutions that include opt-in capture that comply with GDPR regulations as a guide.
Process data lawfully, fairly and transparently You must use plain language to make it clear to the subject what you are going to be using their data for and only process in line with those statements. Typically this will be done through an easily accessible privacy policy between you and your customers. Episerver’s products and services support the efforts to fulfil this requirement for the Data Controller. Episerver’s Data Privacy Policy addresses the lawful, fair, and transparent use of the data managed within the supported systems between Episerver and you.
Commit to confidentiality persons authorised to process personal data Appoint a Data Protection Officer (DPO) (mandatory for certain companies). Part of their role will be to document and put in place processes around security and data handling All employees sign an NDA which covers access, handling and treatment of data. In addition, required training is provided to address data privacy, information security, and confidentiality. Episerver has also appointed a global DPO.
Secure data physically and technically Adopt a GDPR mandatory privacy risk impact assessment, which is a risk-based approach, before undertaking higher-risk data processing activities. In order to analyze and minimize the risks to their data subjects, data controllers will be required to conduct privacy impact assessments where privacy breach risks are high. Episerver are in the process of attaining ISO 27001 certification for all products (some products have already achieved certification), the industry standard for an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. In addition, Episerver is Privacy Shield certified and has supporting controls in place to support the GDPR.
Manage record keeping and breach notification Report data breaches to their data protection authority within 72 hours of becoming aware of it unless it is unlikely to represent a risk to the rights and freedoms of the data subjects in question. Episerver conducts proper logging of activities and conducts reoccurring audits. Episerver also has a formal Security Incident Management policy that was developed to accommodate applicable standards and regulations including what is required for the GDPR.
Provide PII info to subject on request within 30 days Have processes in place to provide information requests within 30 days. Episerver has processes in place to assist customer with requests to provide standard PII data on a subject from within our services.
Keep PII data only as long as necessary Keep personal information only for the length of time it takes to carry out the task that the subject has engaged with you for and shouldn’t be kept for longer or used for any other purpose. Episerver has SLA’s for data retention across all products including how long data will be stored in the system, when data will be deleted, what happens upon termination of contract and justification for why data is stored as long as it is. Episerver will also comply with customers instruction for deletion as requested.
Delete of data if requested under “the right to be forgotten” Providing the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed the data subject can request erasure of their personal data and processes need to be put in place for this. Episerver provides the ability to delete PII data from the products.
Build in privacy into the design - privacy by design Make sure when you carry out vendor assessments that you are choosing a supplier that can help deliver against your GDPR requirements. Episerver’s Information Security Management System is compliant to the ISO 27001:2013 standard. All products shall undergo a DPIA.

Further reading


Blog post: Considerations for GDPR Part 1

Learn how Episerver is going through transformational changes to enable all of our Digital Experience Cloud customers to be best situated for GDPR compliance.

Blog post: Considerations for GDPR Part 2

GDPR compliance is a requirement which extends beyond assigning a privacy or compliance team, it requires the involvement and co-operation of the organization to take compliance with the GDPR from theory to practice.


Frequently Asked Questions

What is Episerver's Privacy Policy and what does it cover?

Episerver's Privacy Policy applies to all personal data received by Episerver in the United States from the European Union in any tangible and/or electronic medium.

Where is Episerver's Privacy Policy located?

It can be accessed on our website, at

Will the Episerver Privacy Policy change?

Episerver's Privacy Policy may be amended from time to time. We will give appropriate public notice when we make such changes, and any policy changes will be posted on our website.

Who can I contact for questions?

Please contact us at [email protected] or write to:

Episerver Inc.
c/o Legal Department
542 Amherst Ave
Nashua, NH 03063, USA