General Data Protection Regulation
Regulation (EU) 2016/679 — Effective 25 May 2018
The world's most influential data protection law. GDPR sets the global standard for how organizations collect, process, store, and protect personal data of EU/EEA residents. It applies to any organization worldwide that processes EU residents' data.
Maximum fine: €20M or 4% of global annual turnover, whichever is higher.
The 7 GDPR Principles (Article 5)
1. Lawfulness, Fairness & Transparency
Process data lawfully, fairly, and in a transparent manner. Individuals must know what you do with their data.
2. Purpose Limitation
Collect data for specified, explicit, and legitimate purposes only. Do not reuse it for incompatible purposes.
3. Data Minimisation
Only collect data that is adequate, relevant, and limited to what is necessary for the stated purpose.
4. Accuracy
Keep personal data accurate and up-to-date. Take every reasonable step to erase or rectify inaccurate data without delay.
5. Storage Limitation
Do not keep data longer than necessary. Define retention periods and delete data when the purpose is fulfilled.
6. Integrity & Confidentiality
Process data securely. Protect against unauthorized access, accidental loss, destruction, or damage using appropriate technical and organizational measures.
7. Accountability
The controller is responsible for — and must be able to demonstrate — compliance with all the above principles. This is why documentation, audit trails, and governance tools like this platform exist.
6 Lawful Bases for Processing (Article 6)
1. Consent
Individual gives clear, informed agreement
2. Contract
Processing necessary to fulfill a contract
3. Legal Obligation
Processing required by law (e.g., AML/KYC)
4. Vital Interests
Protect someone's life
5. Public Task
Processing in the public interest
6. Legitimate Interests
Controller's legitimate interest (balanced against rights)
Banking context:
Banks typically use Contract (account management), Legal Obligation (AML/KYC, regulatory reporting), and Legitimate Interest (fraud prevention) as their lawful bases — rarely relying on consent alone.
8 Data Subject Rights (Articles 12-22)
Right to be Informed
Privacy notices
Right of Access
Subject access requests
Right to Rectification
Correct inaccuracies
Right to Erasure
"Right to be forgotten"
Right to Restrict
Limit processing
Right to Portability
Machine-readable export
Right to Object
Including profiling
Automated Decisions
No solely automated decisions
Key Organizational Requirements
| Requirement | GDPR Article | What It Means | Platform Feature |
|---|---|---|---|
| Records of Processing | Art. 30 | Document all processing activities, purposes, categories of data, recipients, transfers | Technical Metadata + Glossary |
| Data Protection Impact Assessment | Art. 35 | Assess risks before high-risk processing (profiling, large-scale PII) | CDE Registry identifies high-risk data |
| Data Protection Officer | Art. 37-39 | Appoint a DPO for public bodies or large-scale PII processing | Users & Roles |
| Breach Notification | Art. 33-34 | Notify supervisory authority within 72 hours; notify individuals if high risk | Audit Log for tracking |
| Data Protection by Design | Art. 25 | Build privacy into systems from the start (minimisation, pseudonymisation) | Data Classification |
| Cross-Border Transfers | Art. 44-49 | Only transfer to countries with adequate protection, or use SCCs/BCRs | Lineage tracks cross-system flows |
Penalty Structure (Articles 83-84)
Tier 1 (Lower)
€10M / 2%
For technical/organizational failures: inadequate security, failure to appoint DPO, no DPIA where required
Tier 2 (Higher)
€20M / 4%
For violating core principles: unlawful processing, no consent, ignoring data subject rights, illegal cross-border transfers
Notable GDPR fines in banking/finance:
Major financial institutions have faced multi-million euro fines for failures in data subject access requests, inadequate security measures, and unlawful processing of customer data without proper lawful basis.