Data Privacy and GDPR
How Assembley approaches personal data and GDPR — EU data residency, what data an assembly processes, and why data protection is integral to running a defensible digital vote.
Running a digital assembly means processing personal data — voters' names, email addresses, identities, and how they voted. Handling that data properly isn't a side concern; it's part of running a defensible meeting. This article explains Assembley's approach at a factual level.
What data an assembly involves
A typical assembly touches:
- Voter register data — names, email addresses, and (for company groups) holdings and class.
- Identity confirmation — the verification used to tie a ballot to a person.
- Voting data — the ballots cast and the record of the meeting.
This is personal data under the GDPR, which means it has to be processed lawfully, stored securely, and handled transparently.
EU data residency
Assembley processes data within the EU, hosted on European infrastructure in Frankfurt, Germany. Keeping personal data inside the EU/EEA is a meaningful part of GDPR compliance, because it avoids the complications that come with transferring personal data to third countries. For organisations whose members expect their data to stay in Europe, this is a deliberate design choice rather than an afterthought.
Why privacy and a valid vote go together
It's easy to think of data protection and vote validity as separate, but they reinforce each other. A defensible assembly needs to know who voted (identity) and keep an accurate, secure record of how — and doing that responsibly means handling the personal data behind it carefully. The same record that makes a result verifiable is also personal data that must be protected. See How Vote Integrity Is Protected and Identity Verification Levels.
Your responsibilities
Assembley provides the platform, but your organisation remains responsible for using it lawfully — for example, having a proper basis to hold your members' data, keeping your register accurate, and removing data you no longer need. Keeping a clean, current register is good practice both operationally and for data minimisation. See Editing and Removing Voters.
A note on scope
Compliance depends on your specific circumstances, and this article is a factual overview rather than legal advice. For requirements particular to your organisation — retention periods, lawful basis, members' rights — consult your own data protection adviser.
Where to go next
See Managing Your Account for account administration and The Evidence Package Explained for how the meeting record is produced.
Related articles
- Managing Your Account: How to manage your Assembley organisation — updating organisation details, the participant label, inviting colleagues, and where billing and account settings live.
- Plans and Pricing: How Assembley's plans are structured at a high level, what tends to differ between them, and where to find current pricing — including premium options like electronic ID verification.
- Roles and Permissions: How access works in Assembley — organisation administrators who manage voters and run assemblies, and the platform-level oversight role — so you can give colleagues the right level of access.