General Data Protection Regulation (GDPR)

Last Updated:

General Data Protection Regulation (GDPR) is a set of data privacy regulations, which were adopted by the European Union (EU) and became effective May 25, 2018, to strengthen data protection for all individuals in the EU. GDPR provides a common set of regulations that govern the protection of the personal data of EU residents regardless of which companies they do business with, including:

  • How consent for data collection and processing must be obtained.
  • How data subjects may exercise their rights regarding personal data.
  • What must be done to demonstrate that data is processed and secured in accordance with the GDPR.

For more detail about the regulations, you can visit the official EU site.

Who does this impact?

This impacts Pendo along with most of Pendo’s customers.

Is Pendo a data processor or a data controller?

Pendo is both a data processor and data controller. Pendo processes their customer’s customer data and control the data of our customers that log into Pendo. Pendo has certain requirements and liability for both.

Individual Rights

There are 8 data subject rights under GDPR:

  • Right to be Informed.
    This right emphasizes transparency to individuals and provides an obligation to provide ‘fair processing information’ while using clear and plain language at the time the customer obtains consent to begin collecting personal data.

  • Right of Access.
    This right helps individuals access their personal data so they are aware of and/or verify the lawfulness of the processing.

  • Rights related to Automated Decision Making.
    This right provides safeguards to individuals against the risk of a potentially damaging decision to be taken without human intervention.

  • Right to Object. 
    On certain grounds, this right provides an individual to object to data processing for the purposes of profiling or direct marketing.

  • Right to Rectification.
    This right states that individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

  • Right to Erasure.
    This right enables an individual to request the deletion of personal data if it is no longer necessary or the data subject withdraws consent.

  • Right to Restrict Processing.
    This right provides individuals to have a right to ‘block’ or suppress processing of personal data.

  • Right to Data Portability.
    This right allows individuals to obtain and reuse their personal data for their own purposes across different services.

How to Invoke Your Rights

If you have a request to invoke any of your rights listed above, contact Pendo Support to submit your request. Once a request is submitted, you will be able to monitor for completion with the support ticket submitted.

Note: Since Pendo is also a data processor, you might have a customer who needs to be removed from your Pendo account. For help with this, contact Pendo Support.

Pendo is committed to making the GDPR process as efficient as possible. Please follow these guidelines to make the request processing as smooth as possible:

  1. Please provide the Visitor ID in the request.
  2. Provide the name of the Pendo subscription to delete or request the data from. If you have more than one subscription, please provide the names of every subscription you would like to request or delete data from.

    Hi Pendo!

    This message is being sent to inform you that the following visitor has submitted a GDPR Request to invoke their "Right to Access".

    Visitor ID: uniqueIdentifier-abcde12345
    (Note: Email address isn’t always the Visitor ID as it varies based on how a customer decides to set this up. It can be in the form of randomized alphanumeric characters)

    Subscription Name: acme-solutions (Add names of every Pendo subscription you would like to request or delete data from.)

    Your Pendo Customer

What should I expect after I submit a request?

The Pendo support team will respond to each request to confirm that it’s been received and processes have been initialized.

Note: Requests for Erasure and Data Portability Rights will take up to 21 days to help meet required compliance timelines.
  • Erasure requests: Once the deletion has been confirmed, you will be updated via the request ticket confirming the deletion. The response may be batched if you have sent in multiple requests and it will be noted which visitors the delete requests have been fulfilled for.

  • Access requests: You will receive a .zip file with a .json file for each access request. These may be batched if you have sent in multiple requests to speed up processing into one zip file, with a separate .json file for each visitor ID.
Note: An empty .json file means there is no data for that user, or you may receive a notification via email that there is no data available for that user.

In an Event of a Data Breach

In the event of a breach, Pendo contacts the affected Pendo account administrators and designated contacts, and immediately triggers remedial action to ensure compliance. Defined within the breach response, Pendo includes continuous updates to ensure effective communication with any affected customers.

Additional Questions

For additional information, review Pendo’s GDPR Process and Approach white paper.

For any additional general questions or concerns about Pendo’s approach privacy, security, certifications, or GDPR compliance plans, contact us at

Was this article helpful?
3 out of 6 found this helpful