As you probably are aware of, Cision provides a system where we enable you to communicate with relevant target audiences. Being a customer, you can get access to Cision’s comprehensive media database, including named journalists and contact details to politicians amongst other data.

In the media database, you are also able to add your own contacts manually, either by importing lists or if receivers decide to sign up on your web page.

You can access all these contacts through Cision’s solutions.

Who is, according to GDPR, the controller of the personal data?

When it comes to the Cision database, we at Cision are responsible for collecting the data on legitimate terms and keeping it updated. Being a customer, you have the possibility to adjust these contacts by adding additional data as well as distributing information to them. By doing so, you will be the controller of this additional data.

In other words, we are joint controllers of the personal data of these contacts (acc. to article 26 in the GDPR) but we are responsible for various parts.

Who is responsible for my own distribution lists?

Regarding your own lists based on contacts you have added to the system yourselves, you will be the controller of that personal data. Cision will act data processors.

In the system, you can easily see if you are dealing with one of your own contact since it won’t have the Cision ”” placed next to it. You can find these contacts via the search function in CisionPoint by clicking on Contacts > Search > and new button on the right “List of all your own contacts” (see picture below). Mark all your contacts and press “save” to create your own list which you also can export to Excel

At this point, you must decide how you want to deal with these contacts according to GDPR and reflect upon if this data is collected on legitimate terms as well as how to make it compatible to the new law.

Do you have a subscription option from Cision on your web page where visitors can register in order to receive your e-mails?

If so, you will be the controller of this personal data. In this case, we recommend an information box in the form where they sign up, informing that you will store their personal data to execute the order along with a link to your privacy policy.

Here at Cision, we are applying a two step opt in functionality where the subscriber, after registering at the web site, must click on a link for the subscription to be activated. Inactive contacts and bounces are deleted within 30 days.

What to do next?

GDPR enters into force on May 25th and until that date, we recommend you consider whether to contact your subscribers to collect implicit or explicit consent. Cision has developed a tool for this, you can find it under “Publish” and “Subscribers” (depending on which solution you are using, you may find “Subscribers” by clicking “Connect” and “Distributions”, followed by “Publish Services”.

A few days ago, Cision sent out an addendum to your current agreement concerning GDPR from the address This was addressed to the agreement signer of each customer.

For questions regarding agreements, please contact us at:

Need help with handling lists and subscribers?

Learn more on Cision’s own GDPR site:

Find out more information regarding GDPR here


  • Regarding Cision contacts, you and Cision are joint controllers of the personal data.
  • Regarding contacts added by you and contacts registered as subscribers, you will be the data controller and Cision will act as data processor.
  • Consider how you want to handle your contacts, for instance when it comes to information regarding storing data, purpose, contact details and consent.