EU data privacy

GDPR: What It Requires and Who It Applies To

Applies to: banks, corporates
Jurisdictions: EU

The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the European Union's primary data protection law, enforced by national Data Protection Authorities (DPAs) across all EU member states since 25 May 2018. It requires any organization processing the personal data of individuals in the EU to do so on a documented lawful basis, with appropriate security controls and full data subject rights, regardless of where that organization is headquartered.

What is GDPR?

GDPR is Regulation (EU) 2016/679, adopted by the European Parliament and the Council of the EU on 27 April 2016 and directly applicable in every member state (28 at the time, 27 since the UK's departure) since 25 May 2018; it also applies in the EEA states Iceland, Liechtenstein and Norway. It replaced the 1995 Data Protection Directive (95/46/EC), which had become inadequate for the digital economy.

The regulation standardized data protection rules across the EU's single market. Before GDPR, member states implemented the 1995 Directive in divergent ways, so a business operating in Germany, France, and Poland faced three materially different legal regimes. GDPR ended that fragmentation. One regulation, one set of rules, directly binding without national transposition.

At its core, GDPR defines six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Organizations must identify and document a lawful basis before any processing begins. They must also observe seven data protection principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.

Enforcement sits with national DPAs, coordinated at EU level by the European Data Protection Board (EDPB). The "one-stop-shop" mechanism means a company with its EU main establishment in Ireland faces the Irish DPC as its lead supervisory authority. Other DPAs can and do challenge decisions through the EDPB's dispute resolution process, as the WhatsApp fine in 2021 demonstrated when several DPAs objected to the original Irish draft decision and pushed it substantially higher.

The regulation's full text is published at EUR-Lex and has not been substantively amended since adoption (only corrigenda have been issued), though guidance from the EDPB continues to clarify its application.


Who does GDPR apply to?

GDPR's territorial scope in Article 3 is deliberately broad. It catches any controller or processor that:

  • Is established in the EU and processes personal data in the context of that establishment, regardless of where the processing takes place
  • Is established outside the EU but offers goods or services to data subjects in the EU (the "targeting" test, which applies even where no payment is involved)
  • Is established outside the EU but monitors the behavior of data subjects in the EU, as far as that behavior takes place within the EU

In practice, covered entities include:

  • Banks and credit institutions licensed or operating in the EU, processing account data, transaction histories, credit scores, and behavioral analytics
  • Fintechs and payment service providers subject to PSD2 (EU), where open banking data flows create layered GDPR exposure alongside payment regulation obligations
  • Insurance companies and asset managers processing policyholder and investor personal data
  • Corporate entities running HR systems, customer databases, and B2B contact lists containing individual identifiers
  • Non-EU firms including US banks, Asian financial institutions, and technology vendors with EU branches, subsidiaries, or customers
  • Technology processors acting under Article 28, including cloud providers, analytics firms, and outsourced operations centers

There's no revenue or headcount threshold for GDPR applicability. A startup with 12 employees and an EU customer list is fully within scope. Under Article 37, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special-category or criminal-offence data, must appoint a Data Protection Officer (DPO). For banks, the systematic monitoring criterion is almost always met given transaction surveillance and behavioral analytics programs.


What does GDPR require?

The regulation's substantive obligations fall into eight main categories:

  1. Lawful basis and purpose documentation: Before any processing, identify one of the six lawful bases (Article 6) and document it, typically in the Record of Processing Activities (RoPA). For special-category data such as health data, biometric data used for unique identification, and data revealing racial origin, political opinions or religious beliefs, Article 9 requires an additional condition such as explicit consent or a specific legal obligation; criminal conviction and offence data is separately restricted under Article 10. Purpose must be documented, and processing must not extend beyond that purpose without a fresh compatibility assessment.

  2. Data subject rights: Respond to Data Subject Access Requests (DSARs) within one calendar month, extendable by two months for complex cases with written notice. Honor rights to rectification, erasure, restriction, portability, and objection. Automated decision-making that produces legal or similarly significant effects requires a human review path under Article 22 and a clear explanation of the logic involved.

  3. Data Protection by Design and by Default: Article 25 requires privacy controls to be built into systems at design stage. Default settings must be the most privacy-protective option available, not the most permissive.

  4. Records of Processing Activities (RoPA): Article 30 requires controllers and processors to maintain a written RoPA covering purposes, data categories, recipients, retention periods, and security measures. Organizations with fewer than 250 employees are exempt only where the processing is occasional, unlikely to result in a risk, and does not include special-category or criminal-offence data; for a bank or fintech, that exemption practically never applies.

  5. Data Protection Impact Assessments (DPIAs): Required under Article 35 before any processing "likely to result in a high risk" to individuals. This covers large-scale profiling, systematic monitoring, and large-scale processing of special-category data. Each national DPA publishes a list of processing types that always require a DPIA, reviewed by the EDPB for consistency. A fraud detection model that profiles all transactions at scale almost certainly qualifies.

  6. Breach notification: Article 33 requires notification to the relevant DPA without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; a late notification must state the reasons for the delay. If the risk is high, Article 34 requires direct notification to affected individuals without undue delay. The 72-hour clock starts when the controller has a reasonable degree of certainty that a security incident has compromised personal data, not when the forensic investigation concludes.

  7. Data Protection Officer: Mandatory for public authorities, organizations whose core activities involve large-scale regular and systematic monitoring, and those processing special-category or criminal-offence data at scale. The DPO must have expert knowledge of data protection law, operate independently, and report directly to the highest management level (Article 38).

  8. International transfers: Personal data may only flow to third countries under an adequacy decision, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or another approved mechanism in Chapter V. The Court of Justice of the EU's Schrems II judgment of 16 July 2020 (Case C-311/18) invalidated the EU-US Privacy Shield and required organizations relying on SCCs to pair them with transfer impact assessments and supplementary technical measures. The EU-US Data Privacy Framework adequacy decision of July 2023 restored an adequacy route for transfers to certified US recipients; transfers to non-certified recipients, and to other third countries without adequacy, still depend on SCCs or BCRs plus a transfer impact assessment.


What evidence do regulators expect?

When a DPA investigates a complaint or conducts a proactive audit, these are the documents they request first:

  • Record of Processing Activities: Current, signed, and covering all processing activities with identified lawful bases. Gaps or outdated entries are an immediate red flag.
  • Privacy notices: Date-stamped versions showing when they were last reviewed, with a direct mapping to the entries in the RoPA.
  • Consent records: Where consent is the lawful basis, documented evidence of when consent was collected, what mechanism was used, and how withdrawals are honored. Cookie consent logs and audit trails are commonly requested.
  • DPIA register: A list of DPIAs completed, with risk assessments, outcomes, DPO consultation records, and any residual risk sign-off.
  • Breach log and notification records: The internal incident log covering all assessed events, including those below the notification threshold, with documented reasoning for non-reporting.
  • Data subject rights register: A log of DSARs received, response dates, and any extensions invoked with written justification.
  • DPO appointment documentation: Terms of reference, independence confirmation, and evidence the DPO was consulted on high-risk activities.
  • Vendor contracts: Article 28 Data Processing Agreements for every third-party processor, including sub-processor chains and evidence of due diligence on sub-processor selection.
  • International transfer records: Transfer impact assessments, current SCCs, and documentation of the legal framework in each recipient country.
  • Training records: Staff who have completed data protection training, with dates and content summaries. DPAs treat missing training records as evidence of a systemic culture failure.
  • Security documentation: Technical and organizational measures under Article 32, including encryption standards, access control policies, and penetration test results.

DPAs don't want frameworks. They want evidence those frameworks are followed. An examiner from the Irish DPC or one of Germany's state data protection authorities (which supervise private companies; the federal BfDI covers federal bodies and the telecoms and postal sectors) will ask to see actual outputs, actual logs, actual dates.


Common failure modes

Enforcement patterns reveal a consistent set of failures across financial institutions:

  • Invalid consent: Consent bundled with terms of service, pre-ticked boxes, or a service made conditional on consent that the service doesn't actually need (Article 7(4)) doesn't meet the "freely given, specific, informed and unambiguous" standard. The EDPB's Guidelines 05/2020 are explicit on what consent requires.
  • Inadequate transparency and dark patterns: Privacy notices that are long, legalistic, and fail to identify the lawful basis in plain language, or consent interfaces engineered toward acceptance. France's CNIL fined Google €150 million in January 2022 specifically for making cookie rejection harder than acceptance, not for any data breach; the CNIL acted under the French transposition of the ePrivacy rules, which is why it could proceed without the one-stop-shop mechanism.
  • Unlawful international transfers: Continuing to send data to US recipients on the basis of Privacy Shield after Schrems II invalidated it in July 2020, or continuing under SCCs without supplementary measures that actually address the risks the Court identified. The Irish DPC fined Meta Platforms Ireland €1.2 billion in May 2023 for the latter, the largest GDPR fine to date.
  • 72-hour notification failures: Becoming aware of a breach and notifying the DPA only after the internal investigation has finished a week or more later. DPAs cite delayed notification even where downstream harm was limited.
  • Missing DPIAs: Running large-scale profiling or behavioral monitoring programs without completing a DPIA first, or completing one after deployment.
  • Retention drift: Keeping personal data beyond stated retention periods with no documented legal justification. Common in HR systems, legacy marketing databases, and archived transaction records.
  • Processor contract gaps: Using cloud services or analytics vendors without Article 28-compliant DPAs, or with contracts containing liability exclusions that DPAs treat as inadequate.

The WhatsApp Ireland fine of €225 million in September 2021 traced primarily to transparency failures. Users and non-users didn't receive adequate information about how their data was processed and shared with Facebook companies. No breach. No theft. Just inadequate disclosure.


Penalties for non-compliance

GDPR sets a two-tier penalty structure in Article 83.

Tier 1 (up to €10 million or 2% of global annual turnover, whichever is higher): Violations of obligations related to controllers and processors under Articles 8, 11, 25-39, 42, and 43. This covers failure to maintain a RoPA, failure to appoint a DPO, and failure to implement appropriate security measures under Article 32.

Tier 2 (up to €20 million or 4% of global annual turnover, whichever is higher): The most serious violations: processing without a lawful basis, violating data subject rights, unlawful international transfers, and non-compliance with supervisory authority orders.

For a bank with €10 billion in global revenue, 4% is €400 million. Enforcement has followed through on this math:

  • Meta Platforms Ireland: €1.2 billion (May 2023, Irish DPC) for continued EU-US data transfers under SCCs that, after Schrems II, did not adequately address the risks to data subjects.
  • Amazon Europe Core: €746 million (July 2021, Luxembourg CNPD) for targeted advertising without valid consent.
  • WhatsApp Ireland: €225 million (September 2021, Irish DPC) for transparency violations.
  • H&M: €35.3 million (October 2020, Hamburg Commissioner) for systematic monitoring of employee health and personal circumstances.
  • British Airways: £20 million (October 2020, ICO) for a 2018 breach affecting 400,000 customers. The ICO's penalty notice was reduced from an initially proposed £183 million, partly due to COVID-19 financial impact.

The GDPR Enforcement Tracker maintained by law firm CMS tracked over 2,000 GDPR fines totaling more than €4.5 billion by early 2025. Beyond fines, DPA investigations generate compulsory remediation orders, mandatory audits, and processing bans that can shut down revenue-generating programs entirely.


Related regulations and frameworks

GDPR sits within a broader EU digital regulatory architecture that financial institutions must navigate simultaneously.

EU digital regulation stack: DORA (EU), Regulation (EU) 2022/2554 and applicable since 17 January 2025, requires ICT risk management for financial entities and mandates specific controls over third-party ICT providers. GDPR's Article 32 security obligations and DORA's ICT risk requirements overlap directly on incident response, vendor management, and audit trail requirements. A single incident can trigger both a GDPR Article 33 notification to the DPA and a DORA major ICT-related incident report to the financial supervisor, so expect the two records to be compared for consistency on timelines, scope, and root cause.

The EU AI Act introduces obligations for high-risk AI systems, many of which process personal data. Article 10 of the AI Act requires data governance and quality controls for training, validation and testing datasets, which intersects with GDPR's accuracy, purpose limitation, and storage limitation principles. Credit scoring and creditworthiness assessment of natural persons is listed as high-risk in Annex III, while AI used purely to detect financial fraud is expressly carved out of that entry; a credit-decisioning model therefore carries simultaneous documentation obligations under both frameworks, and a fraud model still carries GDPR's Article 22 and DPIA obligations even where the AI Act's high-risk regime does not apply. Compliance teams that treat these as separate workstreams will produce duplicated evidence with inconsistent claims.

AML/KYC tension: GDPR's data minimization and storage limitation principles create genuine friction with AML record-keeping requirements under 6AMLD (EU) and the EU AMLR (EU). GDPR Article 6(1)(c) provides a lawful basis for processing required by legal obligation, which covers AML/KYC data collection and prescribed retention. The answer is to retain exactly what AML law requires, document the legal basis explicitly, and delete once the retention period expires. Not earlier. Not later.

UK divergence: Post-Brexit, the UK retained the regulation in domestic law as the UK GDPR, supplemented by the Data Protection Act 2018. The ICO operates as the supervisory authority. UK-established firms that target or monitor individuals in the EU remain subject to EU GDPR in parallel with UK GDPR. The European Commission's adequacy decision permitting EU-UK data flows was adopted in June 2021 with a four-year sunset clause, so its continuation depends on periodic Commission review of UK law.

Global comparators: Brazil's LGPD, California's CCPA/CPRA, and India's Digital Personal Data Protection Act 2023 each drew from GDPR's architecture. Institutions operating globally typically use GDPR compliance as the baseline.


How FluxForce supports GDPR compliance

FluxForce's AI agents help financial institutions operationalize the GDPR obligations that intersect with their risk and compliance programs. Nova Sentinel monitors data access patterns and flags anomalous activity that may indicate a personal data breach, supporting the 72-hour notification window before the clock runs out. Aiden Flux maintains structured audit trails across compliance workflows, generating the documented evidence records DPAs request during investigations. The platform's explainability layer produces full decision evidence for automated processing activities, directly supporting Article 22 human review obligations for credit and fraud decisions. Schedule a demo to see how FluxForce maps to your specific GDPR exposure.
