Can a European Zotero user be assured of not breaching the GDPR via Zotero cloud services?

edited February 18, 2019
Following the GDPR (General Data Protection Regulation), a European (EU) individual user must assure that their use of Zotero cloud services does not put their research materials outside of the European Economic Area (EEA), without assuring how and when these data are being used, disposed, disclosed, processed. Can Zotero.Org offer any certainty to UK and EU users that their information saved to its cloud services is not transferred outside of the EEA? If these Zotero cloud servers are located outside of the EEA then it seems there is the possibility of users and their sponsoring organizations permitting the use of such services (e.g. universities) being in breach of new stricter Data Protection Legislation. Please clear this up for us.
  • All data on Zotero servers are stored outside of EEA, but could you point me to that stipulation in GDPR, because I'm pretty sure that's not the case.
    1) Because Zotero complies with GDPR stipulations with regards to your own personal data and
    2) Because literature and notes about it do not constitute personal data by any definition.
    If you want to store sensitive research data such as identified interview transcripts in Zotero, that's probably illegal under GDPR, though.
  • It's confusing, I guess. See: Perhaps it may come down to the issue of what is personal data. Maybe as long as we don't keep and transfer research notes about specific living people, their families, business interests and so on, then there is little issue. This didn't come from me today, but from an organization with which I am affiliated and its Information Assurance Service branch that would not permit me to use Zotero on its servers because they had no certainty that information saved to Zotero cloud services is not transferred outside of the European Economic Area (EEA).
  • edited February 18, 2019
    All synced Zotero data is stored in the Amazon cloud in the US. The US has an Adequacy Decision. As far as we know, Zotero is compliant with GDPR.

    Edit: Or I guess the Adequacy Decision for the US is limited to the Privacy Shield framework? I don't really know anything about that or its relation to GDPR. In any case, Zotero obviously has a huge number of European users, and we've made sure we're in compliance with GDPR to the best of our knowledge. You can read more about our policies in our privacy policy.
  • Sorry for the topic kick, but I am checking to see if we can use Zotero within our University and would like to know if there are any other Universities in Europe that officially allow the use of Zotero cloud? Our legal department is quite strict, but if there are other reputable universities using Zotero cloud, that might help persuade them.
  • edited November 3, 2020
    I know that Zotero is recommended and widely used at Karolinska Institutet in Stockholm:
    Faculty and students at KI have been using Zotero almost exclusively for many years as the bib manager of choice.

    Zotero is also used by many students and faculty at Erasmus in the Netherlands even though the university has licenses for EndNote and RefWorks.

    There is no mention anywhere about the Zotero sync itself being a potential violator of GDPR. Zotero users I know use Zotero's own sync system. I don't know about using Zotero to sync to other back-up services. If you intend to use Zotero for cataloging trade secret documents or individual financial or medical documents with personal identifiers that is a different question altogether. GDPR privacy protections will require specialty software for that.
  • @pascoa341: We don't disclose institutional customers, but yes, there are large European universities with institutional storage subscriptions, and Zotero is obviously recommended widely by libraries at universities across Europe and around the world.

    I'd encourage you to read through our privacy policy if you have any doubts about this. Privacy is a reason to use Zotero, not a reason not to.
  • One problem @pascoa341 could be facing is that some institutions (like mine) demand that a signed data processing agreement is in place to be considered GDPR compliant -- entirely separately from an adequate privacy policy.
  • I think the aspects mentioned here are quite valid. The current privacy policy does not fulfill the requirements set out by the GDPR (see Art. 13, e.g. the naming of the users' rights and the legal basis for the processing of personal data are currently missing) and for cooperation with bigger institutions a data processing agreement (see Art. 28 GDPR) is necessary. All these steps can be automated as part of the registration process (or as a one-click solution in the backend). Zotero Sync does fall under the scope of application of the GDPR, since at least the e-mail addresses are personal data (and actually also the entries in the bibliography, since they are connected to a - personal - user account).

    Are there any plans to update the privacy policy and offer data processing agreements? Did that topic never come up with institutional customers?

    Of course, I'm only talking about Zotero Sync, the offline client is not affected by these privacy issues.