Bloomreach’s Commitment to GDPR Compliance


Introduction to GDPR

The EU General Data Protection Regulation (GDPR) was developed to align data protection laws throughout Europe in order to ensure that EU data subjects have greater rights regarding their personal data. It requires organizations doing business in the EU to collect personal data of EU data subjects only for legitimate and articulated business reasons, to provide clear notice about the personal data they collect and how they use it, to adequately protect personal data and to provide EU data subjects the right to view, correct, obtain a copy of or have deleted their personal data. It also requires that data subjects have the right to object to the collection of personal data in the first place. The GDPR is effective as of May 25, 2018. More information on GDPR can be found here.


What GDPR Means to BloomReach

BloomReach operates as a Controller of its own internal business information, including corporate website visitors, marketing data and contacts, personal information of its employees and information about its customers’ employees’ use of and interaction with our products and services. BloomReach acts as a Processor with respect to the personal data of users who interact with our products and services as they visit our customers’ websites. BloomReach has always taken data security and individual privacy seriously. BloomReach is committed to protecting the personal data of its employees, vendors and customers as well as helping customers to meet their GDPR obligations. Our proactive approach to GDPR focuses on both BloomReach GDPR compliance and supporting customers in their compliance journeys.


Key Steps Taken

BloomReach’s legal, product, engineering, human resources and customer teams have worked together to ensure that BloomReach products, processes and services support GDPR compliance. This involved:

  • Detailed data mapping that considered both internal technologies and vendor resources.
  • Reviewing and enhancing privacy and incorporating privacy-by-design in BloomReach products and product designs.
  • Ensuring our data is secure and implementing risk-mitigating features in our products like pseudonymization of data.
  • Entering into GDPR-compliant data processing agreements with our vendors and customers who process personal data of EU data subjects.
  • Introducing and sharing new notices on website privacy, product and services privacy and cookies that give customers, website visitors and data subjects more information about and greater control over their data.
  • Educating client-facing teams on GDPR and how to support BloomReach customers.


BloomReach’s Global Privacy Principles

BloomReach’s Global Privacy Principles guide our approach to GDPR and establish our principles for how we process personal information to ensure that we are operating consistently across the organization and in accordance with applicable laws.


  1. TRANSPARENCY: We must be open and honest about how and what data we process
  2. LEGITIMATE BUSINESS PURPOSES: We must only use personal information for specified, fair and lawful purposes
  3. INDIVIDUAL CHOICE AND CONTROL: In certain situations, we must obtain individual consent to process personal information and provide individuals with controls regarding the processing of their personal information
  4. DATA MINIMIZATION: We must only collect necessary and relevant personal information
  5. ACCOUNTABILITY: We are accountable for how we and our service providers process personal information
  6. RETENTION/DELETION: We must not use and retain personal information for longer than is necessary
  7. ACCURACY: We must keep personal information accurate, complete and up to date
  8. CUSTOMER INSTRUCTIONS: We must comply with our customers' processing instructions
  9. INDIVIDUAL ACCESS RIGHTS: We must respect individuals’ rights and choices
  10. SECURITY AND BREACH NOTIFICATION: We must use appropriate security safeguards and ensure we notify the appropriate parties if and when a security breach occurs
  11. INTERNATIONAL TRANSFERS: We must ensure protection for international transfers of personal information
  12. PRIVACY BY DESIGN: We must implement appropriate measures to ensure the principles of privacy by design and default are embedded into our processes and systems


Additional Information

Please find details on BloomReach’s privacy page.  If you have additional questions, reach out to your Account Manager or Customer Success Manager.  He or she will work with you to ensure that your questions get answered.