# GDPR

Source: https://contracko.com/glossary/gdpr

# GDPR

The EU regulation governing how personal data of individuals must be processed and protected.

## Definition

The General Data Protection Regulation (GDPR) is the EU-wide law governing the processing of personal data, granting individuals rights of access, correction, and erasure and imposing principles such as lawfulness, purpose limitation, and data minimisation. It applies to controllers and processors, requires a lawful basis for processing, and backs compliance with fines up to €20 million or 4% of global turnover. In the Netherlands it is known as the AVG and supplemented by the Uitvoeringswet AVG.

## Example

> Before launching an email campaign, a marketer confirms a valid lawful basis (consent or legitimate interest) for processing the recipients' data under the GDPR.

## Why this is a business risk

GDPR compliance is not only a legal obligation but a contractual one: customer and partner contracts increasingly require warranted compliance, and a breach can trigger indemnity obligations as well as regulatory fines. Companies that treat GDPR as a checkbox exercise, rather than an ongoing programme, often discover gaps only when a breach or regulator inspection occurs.

## How to manage it

- Maintain a Record of Processing Activities (ROPA) so you know what data you process, on what basis, and who handles it.
- Ensure every supplier that processes personal data on your behalf has a signed DPA before processing begins.
- Test your 72-hour breach-notification process before an incident happens: know who is responsible and what data the regulator needs.
- Review contracts that include GDPR warranties periodically so the warranted standard keeps pace with regulatory guidance.

### How Contracko helps

Contracko helps you keep your GDPR paper trail in order. DPAs and data-related contracts are stored in the central repository with their expiry and review dates. The AI review extracts GDPR warranty clauses and data-transfer provisions so your compliance team can audit processor relationships without opening every contract.

## Legal references

- [Regulation (EU) 2016/679 General Data Protection Regulation](https://eur-lex.europa.eu/eli/reg/2016/679/oj)

Unless marked otherwise, references are to Dutch law (Burgerlijk Wetboek, the Dutch Civil Code); EU instruments such as the GDPR apply across the EU. This is general information, not legal advice. Other jurisdictions treat these concepts differently. Verify the current text and your situation with a qualified lawyer.

## Relevant for

[Software & SaaS](https://contracko.com/industries/software-saas)[Healthcare](https://contracko.com/industries/healthcare)[AI & Data Companies](https://contracko.com/industries/ai-data)[Financial Services](https://contracko.com/industries/financial-services)

## Related clauses

- [Data Processing Clause](https://contracko.com/clause-library/data-processing)
- [Confidentiality Clause](https://contracko.com/clause-library/confidentiality)
- [Warranties Clause](https://contracko.com/clause-library/warranties)

## Related terms

- [Data processing agreement (DPA)](https://contracko.com/glossary/data-processing-agreement)
- [Confidential information](https://contracko.com/glossary/confidential-information)
- [Non-disclosure agreement (NDA)](https://contracko.com/glossary/nda)

### Never miss a contract deadline again

- AI finds renewal and notice dates
- Risks and obligations are surfaced automatically
- Reminders help you act before dates slip

Drop a contract to start

PDF, DOCX, PNG, or JPG

[Start 7-day trial](https://app.contracko.com/register?appLanguage=en&utm_source=glossary_sidebar&utm_medium=lead_magnet&utm_campaign=glossary_sidebar_contract_upload&content_slug=gdpr&content_title=GDPR&cta_placement=glossary_sidebar_cta&source_tool=glossary_sidebar_gdpr)

GDPR compliant. Encrypted. Never used for AI training.

## Frequently asked questions

Common questions about this term.

- **Q:** Does the GDPR apply to companies outside the EU?
  **A:** Yes, where they offer goods or services to, or monitor, individuals in the EU. Such organisations must comply and often appoint an EU representative.

- **Q:** What is the maximum GDPR fine?
  **A:** Up to €20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious infringements.

- **Q:** What is the difference between a controller and a processor?
  **A:** A controller determines the purposes and means of processing personal data. A processor processes data on behalf of and under the instructions of the controller. A DPA is required between them.

- **Q:** What lawful bases are available under the GDPR?
  **A:** Six bases: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. The most commonly used in commercial contexts are consent, contract, and legitimate interests; each has different requirements and implications.

- **Q:** How does the GDPR affect AI and automated processing?
  **A:** Article 22 GDPR gives individuals the right not to be subject to solely automated decisions with significant effects, including profiling. AI systems making such decisions must have a lawful basis and provide for human review on request.

## See these terms in your own contracts

Upload a contract and Contracko pulls out the key terms, dates and obligations, then reminds you before each one matters.

[Start 7-day free trial](https://app.contracko.com/register?appLanguage=en)

Book demo
