API Marketplace

Solutions

Resources

Our Company

Book a Demo

← Back to Glossary

GDPR Data Protection Regulation

European Union2016Privacy

Overview

The General Data Protection Regulation (GDPR) is the European Union’s comprehensive privacy law, enacted in 2016 and enforced from May 25, 2018. It governs the collection, processing, and transfer of personal data within the EU and for any entity handling EU residents’ data, regardless of location.

GDPR introduces strict requirements for data controllers and processors, including transparency, lawful basis for processing, individual rights, breach notification, and accountability. It empowers individuals with rights such as access, rectification, erasure, data portability, and objection to profiling. The law applies to technology companies, banks, insurers, healthcare providers, retailers, cloud service providers, and government agencies handling personal data of EU residents.

Key Obligations

Obtain clear and informed consent before processing personal data
Maintain records of processing activities and conduct Data Protection Impact Assessments (DPIAs)
Appoint a Data Protection Officer (DPO) in specific cases

Notify supervisory authorities of data breaches within 72 hours
Uphold data subject rights including access, correction, deletion, and portability
Ensure lawful cross-border data transfers through mechanisms like SCCs or adequacy decisions

Stay ahead of risk with Signzy

Explore tools that help you onboard, monitor, and verify with confidence

Identity Verification

Use facial match and liveness checks paired with government ID verification to validate users while onboarding.

One Touch KYC

Launch global KYC flows with built-in document OCR, liveness checks, deepfake detection, and AML, all through a single, customizable dashboard.

Bank Account Verification

Instantly verify bank account details to confirm account ownership and validity for secure financial transactions.

Related Regulations

EU-U.S. Data Privacy Framework

EU Data Act Regulation

UK GDPR Data Protection Act

FAQ

Who does the GDPR apply to?

Any organization inside or outside the EU that processes personal data of EU residents for business or monitoring purposes.

What are the penalties for non-compliance?

Fines can reach up to €20 million or 4% of global annual turnover, whichever is higher.

Is consent always required to process data?

No. GDPR permits six lawful bases for processing, including contractual necessity, legal obligation, and legitimate interests.

Does GDPR cover both personal and sensitive data?

Yes. It applies to any information that can identify a person, with stricter rules for special categories like health, race, and biometric data.