
GDPR Guides

Comprehensive guides to GDPR compliance, data protection, and privacy requirements for startups.

Common Questions About GDPR

Quick answers to the most frequently asked questions about GDPR compliance.

GDPR (General Data Protection Regulation) is the EU's comprehensive data protection law effective since May 25, 2018. It governs how organizations process personal data of EU residents, regardless of where the company is located. Maximum fines are EUR 20 million or 4% of global annual revenue.

Yes, if you collect data from EU residents (even through a website), GDPR applies regardless of your company location. GDPR has extraterritorial scope, meaning it's based on whose data you process, not where your company is headquartered.

Personal data is any information that can identify a living individual, directly or indirectly. This includes names, email addresses, IP addresses, cookie IDs, location data, financial data, behavioral data, and biometric data. Even pseudonymized data qualifies if it can be traced back to an individual.

A Data Controller determines why and how data is processed (that's you if you collect customer data). A Data Processor processes data on behalf of a controller (like your CRM provider). Controllers are responsible for compliance; processors must follow controller instructions and have a Data Processing Agreement.

GDPR grants 8 rights: Right to be Informed, Right of Access (DSAR), Right to Rectification, Right to Erasure ('right to be forgotten'), Right to Restrict Processing, Right to Data Portability, Right to Object, and Rights Related to Automated Decision-Making.

You must respond within one month for standard requests (Article 12). Complex requests can be extended by two additional months (up to three months total), but you must notify the requester within the first month. The first request must be free; you can charge for excessive or repetitive requests.

No, consent is one of six legal bases for processing data. Others include contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Legitimate interests or contractual necessity may be more appropriate than consent for many B2B uses.

Maximum penalties are EUR 20 million or 4% of global annual revenue, whichever is higher. Beyond fines, GDPR non-compliance affects customer trust, investor expectations, and enterprise sales opportunities.

A DPO is required under Article 37 for public authorities, organizations whose core activities involve large-scale regular monitoring of individuals, or those whose core activities involve large-scale processing of special categories of data. Most B2B SaaS companies don't legally require a DPO but may appoint one voluntarily.

A DPA is a legally binding contract between a data controller and processor. It defines data processing purposes, security measures, subprocessor rules, and audit rights. GDPR Article 28 requires DPAs whenever you share personal data with processors.
