How to run a GDPR compliant website + email list hosted by Dreamhost


#1

We want to move our website (incl. an email newsletter list) + email hosting to Dreamhost but we’re in the UK.

How do we go about making sure we’re GDPR compliant? And is it possible given that Dreamhost is not part of the Privacy Shield framework?


#4

Hi @christiaan,

DreamHost is GDPR compliant but not Privacy Shield certified. It should be noted that you do not need to be Privacy Shield certified to be GDPR compliant. You would be responsible for obtaining/maintaining your own certifications and compliance.

You can find more information regarding our GDPR compliance below:

https://www.dreamhost.com/legal/privacy-policy/


#5

That’s great, thanks @Ohnolo, so it sounds like it’s possible.

One specific question I have: if we have a mailing list is it okay that that mailing list is hosted on Dreamhost servers, which are based in the US?


#6

Okay I found this useful article: https://www.twilio.com/blog/2018/05/gdpr-and-eu-data-location-requirements.html

It notes some ways GDPR compliance can be achieved with regard to data transfer:

  1. The entity to whom you pass the data happens to be in a country that has data protection laws that are just as strong as GDPR (as determined by the EU Commission).
  2. The entity to whom you pass the data agrees by legally binding contract to follow GDPR principles of data protection.
  3. The company has enacted Binding Corporate Rules.
  4. There is some regulatory-approved code of conduct to which the entity subscribes.

Which one applies here for us with Dreamhost if we host EU-user data on your servers? Has Dreamhost “enacted Binding Corporate Rules”? Or do we need to have Dreamhost sign an agreement with us to follow GDPR principles?


#7

@Ohnolo are you able to answer the query in my last post? Do we need to have Dreamhost sign an agreement with us to follow GDPR principles?


#8

Hi Christiaan,

Per our legal team:

DreamHost addresses the export of personal data outside of the EU by adopting the Standard Contractual Clauses (Model Clauses) in its Data Processing Addendum. You can find the full DPA, including the MC, here:

https://www.dreamhost.com/legal/customer-eu-data-processing-addendum/

DreamHost does not presently use Binding Corporate Rules and has not self-certified Privacy Shield, though we are reviewing the latter and may do so at a later date.

Thanks!
Matt C


#9

Thanks @DH_Matt_C.

So apart from the obligations we currently have under the GDPR while hosting our website and email list in the UK, is there action we would need to take apart from pointing to this Data Processing Addendum were we to move our hosting to Dreamhost?

