AssembleyAssembley
PricingSecurityAbout

Data Privacy and GDPR

How Assembley approaches personal data and GDPR — EU data residency, what data an assembly processes, and why data protection is integral to running a defensible digital vote.

Running a digital assembly means processing personal data — voters' names, email addresses, identities, and how they voted. Handling that data properly isn't a side concern; it's part of running a defensible meeting. This article explains Assembley's approach at a factual level.

What data an assembly involves

A typical assembly touches:

  • Voter register data — names, email addresses, and (for company groups) holdings and class.
  • Identity confirmation — the verification used to tie a ballot to a person.
  • Voting data — the ballots cast and the record of the meeting.

This is personal data under the GDPR, which means it has to be processed lawfully, stored securely, and handled transparently.

EU data residency

Assembley processes data within the EU, hosted in European infrastructure (in Frankfurt, Germany). Keeping personal data inside the EU/EEA is a meaningful part of GDPR compliance, because it avoids the complications that come with transferring personal data to third countries. For organisations whose members expect their data to stay in Europe, this is a deliberate design choice rather than an afterthought.

Why privacy and a valid vote go together

It's easy to think of data protection and vote validity as separate, but they reinforce each other. A defensible assembly needs to know who voted (identity) and keep an accurate, secure record of how — and doing that responsibly means handling the personal data behind it carefully. The same record that makes a result verifiable is also personal data that must be protected. See How Vote Integrity Is Protected and Identity Verification Levels.

Your responsibilities

Assembley provides the platform, but your organisation remains responsible for using it lawfully — for example, having a proper basis to hold your members' data, keeping your register accurate, and removing data you no longer need. Keeping a clean, current register is good practice both operationally and for data minimisation. See Editing and Removing Voters.

A note on scope

Compliance depends on your specific circumstances, and this article is a factual overview rather than legal advice. For requirements particular to your organisation — retention periods, lawful basis, members' rights — consult your own data protection adviser.

Where to go next

See Managing Your Account for account administration and The Evidence Package Explained for how the meeting record is produced.

Related articles