The GDPR and 360Alumni

GDPR with EU Stars

Whether you’re a school, association, institute or nonprofit, you’ve probably heard about the EU’s new regulation, the General Data Protection Regulation (GDPR). It’s a new set of laws aimed at enhancing the protection of EU citizens’ personal data and increasing the obligations of organizations to deal with that data in transparent and secure ways. The GDPR applies not only to EU-based businesses, but also to any business that controls or processes data of EU citizens, regardless of where they reside.

At 360Alumni, we've been working behind the scenes to ensure that our own practices are GDPR-compliant. But equally important to us is helping you, our clients, understand what the GDPR means for your organizations and build compliant processes of your own.

A big piece of that is ensuring that the 360Alumni platform sets you up for GDPR compliance. We’ve created this page to provide GDPR-related information.

DISCLAIMER: This page is neither a magnum opus on EU data privacy nor legal advice for your organization to use in complying with EU data privacy laws like the GDPR or PECR. Instead, it provides background information to help you better understand how 360Alumni has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy.


GDPR Considerations

Below, find a detailed list of the features we’ve built or are building to facilitate your GDPR compliance as a 360Alumni client.

But first, a quick primer on the legalese associated with the GDPR. Let’s say that Maria is a constituent of yours and an EU citizen. She's called the "data subject," and your organization (let's call you Smith School) is called the "controller" of that data. If you're a 360Alumni customer, then 360Alumni acts as the "processor" of Maria's data on behalf of Smith School. With the introduction of the GDPR, data subjects like Maria are given an enhanced set of rights, and controllers and processors like Smith School and 360Alumni, respectively, an enhanced set of regulations.



What it Means

How 360Alumni Addresses the Need

Lawful basis of processing

You need to have a legal reason to use Maria’s data. That reason could be 1) consent (she opted in) with notice (you told her what she was opting into), performance of a contract (e.g. she’s one of your donors and you want to send her a receipt), or 2) what the GDPR calls “legitimate interest” (e.g. she’s a member of your community, and you want to send her updates related to her expressed interests).

With legitimate interest, you can communicate without an opt-in, as long as those communications are truly in the interest of the community member. However, the personal requests of the community member will always take precedence - and therefore must be adhered to.

Whether you are using option 1 or 2, to be GDPR compliant you need the ability to track that reason (also known as “lawful basis”) for a given contact.

360Alumni enables you to track lawful basis through associations in the user’s profiles. This feature allows you to designate how each member of the community is associated with your organization, for example what program they participated in, when and where; or whether they are a student, parent, alumnus/a, or staff member.

To ensure that every member of your community has at least one association designated, email to request a list to be created of all those alumni that do not have one specified in their profile. You can then edit these profiles individually or in bulk, or reach out to these users to have them activate their account and complete their profile.

You can also use custom fields to track the type of lawful basis for users subject to GDPR regulations.


One type of lawful basis of processing is consent with proper notice. If you can not demonstrate legitimate interest (i.e. they participated in your program or are attending your event) then you’ll need to demonstrate consent.

In order for Maria to grant consent under the GDPR, a few things need to happen:

• She needs to be told what she’s opting into. That’s called “notice.”

• She needs to affirmatively opt-in. Pre-checked checkboxes are NOT valid under the GDPR. Her filling out a form alone cannot implicitly opt her into everything your company sends.

• The consent needs to be granular, meaning it needs to cover the various ways you process and use Maria’s personal data (e.g. marketing emails or donation appeals). You must log auditable evidence of what Maria consented to, what she was told (notice), and when she consented.

The most common ways that 360Alumni customers acquire new users are through the donation, RSVP, and account creation/activation forms.  All of these contain a check box where they opt-in to the Terms of Service (clearly linked next to the box). This way you are collecting the appropriate consent when Maria is ready to grant it, and telling her clearly what she is opting into.

For ‘pre-loaded’ alumni, it is important that you articulate in your community guidelines or GDPR statements how you selected who to create an account for, and the defaults you are setting for accounts that have and have not yet been activated.

You can download your data at any time to review or extract data such as email addresses, mailing addresses - anything in a user’s profile -to help fulfill GDPR-related requests. But if you receive one, let us know so we can conduct a full scan to ensure your response is complete.

If you need to link out to additional notice provisions (like privacy notices or community guidelines), you can do so using hyperlinks in the footer.

Once Maria creates or activates her account, we will store the date and time of this opt-in. We also retain past versions of our terms and conditions in our Legal Archives.

Withdrawal of consent (or opt out)

Maria needs the ability (as data subject) to see what she’s signed up for, and withdraw her consent (or object to how you’re processing her data) at any time. In other words, withdrawing consent needs to be just as easy as giving it.

In 360Alumni, Maria can withdraw her consent to marketing and transactional and other system-generated emails right from her Notification Settings page. 

If a user wants to be removed entirely from the community, they can send a message or email to either a community administrator or the 360Alumni Support Team, and their account will be deactivated. Please see “Data Retention” in our Privacy Policy for more information.


Maria needs to be given notice that you're using cookies to track her (in language she can understand) and needs to consent to being tracked by cookies.

*We know the ePrivacy Regulation is coming, and that it may have an impact on how cookies are regulated. We’ll adjust our product accordingly.

We’ll update the default language for enabling cookies on 360Alumni-hosted websites to reflect affirmative opt-ins, and make it possible to show the cookie-consent message in the right language, based on Maria's location.


Maria has the right to request that you delete all the personal data you have about her. The GDPR requires the permanent removal of Maria’s contact from your database, including email tracking history, call records, form submissions and more.

In many cases, you’ll need to respond to her request within 30 days. The right to deletion is not absolute, and can depend on the context of the request, so it doesn’t always apply.

Upon request, within 30 days 360Alumni will perform a GDPR-compliant permanent delete of a user's record and all their contact and profile data. If there has been financial activity associated with the user, we will anonymize the transaction information.  Analytics (from event attendance count to site visits) will not change, but no contact information will appear for the individual metrics. 

Access/ Portability

Just as she can request that you delete her data, Maria can request access to the personal data you have about her. Personal data is anything identifiable, like her name and email address. If she requests access, you (as the controller) need to provide a copy of the data, in some cases in machine-readable format (e.g. CSV or XLS).

Maria can also request to see and verify the lawfulness of processing (see above).

Upon request, 360Alumni can export all of a user’s profile and engagement history into an excel file. If Maria was a pre-loaded alumna, you will need to verify the lawfulness. 


Just as she can request to delete or access her data, Maria can ask your organization to modify her personal data if it’s inaccurate or incomplete. If and when she does, you need to be able to accommodate that modification request.

In 360Alumni, Maria can change almost all of her information herself.  If Maria asks you to change her information, you or your portal administrators can do so from within her profile.

Security Measures

The GDPR requires a slew of data protection safeguards, from encryption at rest and in transit to access controls to data pseudonymization and anonymization.

As part of 360Alumni’s response to the GDPR, we’ve strengthening our security controls across the board. In addition to industry standard practices around encryption, 360Alumni’s infrastructure teams have improved our systems for authentication, authorization, and auditing to better protect our customer's data. For more information, you can request our security overview by emailing