GDPR (General Data Protection Regulation)
The EU regulation governing the processing of personal data of individuals within the European Economic Area. GDPR establishes strict rules for data collection, storage, processing, and transfer, with penalties of up to 4% of annual global turnover for violations.
The General Data Protection Regulation (GDPR) is one of the most comprehensive data protection laws in the world. Effective since May 25, 2018, it applies to any organization that processes personal data of EU residents, regardless of where the organization is based. GDPR establishes seven key principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Key requirements include obtaining valid consent for data processing, appointing Data Protection Officers (DPOs) where required, conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, implementing data breach notification procedures (72-hour reporting requirement), and ensuring data subject rights including access, rectification, erasure, and portability.
For financial institutions, GDPR compliance intersects significantly with DORA and other regulatory requirements. Organizations must ensure that their ICT systems and third-party providers meet GDPR standards for data protection, particularly when processing customer financial data across borders within the EU.
Learn More
Discover how Matproof can help you achieve GDPR (General Data Protection Regulation) compliance.
Related Terms
Data Protection Officer (DPO)
A designated role within an organization responsible for overseeing data protection strategy and GDPR compliance. Under GDPR, certain organizations are required to appoint a DPO, particularly public bodies and organizations that process sensitive data at scale.
DPIA (Data Protection Impact Assessment)
A process designed to systematically analyze, identify, and minimize data protection risks of a project or plan. DPIAs are required under GDPR Article 35 when data processing is likely to result in a high risk to the rights and freedoms of individuals.
Encryption
The process of converting data into a coded form that can only be read by authorized parties with the correct decryption key. Encryption protects data both at rest and in transit, and is a fundamental requirement across all major compliance frameworks.
Access Control
The selective restriction of access to resources, systems, and data based on user identity and authorization. Access control is a fundamental security control required by ISO 27001, SOC 2, DORA, and GDPR to ensure that only authorized personnel can access sensitive information.