> For the complete documentation index, see [llms.txt](https://docs.assenteo.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.assenteo.com/key-legislation/the-gdpr.md).

# The GDPR

### Contents

* [1. What is the GDPR?](#id-1.-what-is-the-gdpr)
* [2. How do I know if GDPR applies to my business?](#id-2.-how-do-i-know-if-gdpr-applies-to-my-business)
* [3. UK Users](#id-3.-uk-users)
* [4. Penalties for GDPR non-compliance](#id-4.-penalties-for-gdpr-non-compliance)

### 1. What is the GDPR?

The **GDPR**, or General Data Protection Regulation, is the key piece of legislation governing the use of **personal data in the EEA** (EU, Iceland, Liechtenstein and Norway). In force since **2018**, the GDPR's purpose is to establish uniform rules for businesses collecting and/or processing users' personal data.

GDPR uses a **principles-based system** to regulate how individuals and organisations process data.

These **principles** include:

* lawful, fair and transparent processing;
* purpose limitation;
* data minimisation;
* accuracy;
* storage limitation;
* integrity and confidentiality; and
* accountability.

The GDPR introduces **some specific obligations** which coax businesses into alignment with these principles. For example, the regulation requires the appointment of a [Data Protection Officer (DPO)](/privacy-professionals-when-do-you-need-them/when-do-you-need-a-dpo.md) if your business meets certain conditions.

However, for many compliance mechanisms the choice of how to implement them is left to the business itself. This gives businesses **some flexibility** in how they ensure GDPR compliance, but it does not remove the need to comply with the data protection principles outlined above, as well as the more specific obligations detailed in the legislation.

### 2. How do I know if GDPR applies to my business?

In practice, GDPR is relevant to most startups.

GDPR is the strictest data protection regulation in the world. Therefore, although it is an EU regulation, compliance with GDPR eases your business's compliance with US data protection regulations, since many compliance mechanisms fulfil both.

Due to its multi-jurisdictional application and strictness, GDPR has also become a **gold standard**, often **expected by buyers and users**.

However, your business legally **must** comply with GDPR if:

* It has users or employees in the EEA (EU, Iceland, Liechtenstein or Norway) or the UK.
* It actively targets users in the EEA/UK. This is suggested by elements including:
  * pricing services or products in the euro, pound or another European currency;
  * translating documents or website pages into a European language.
* It monitors the behaviour of people in the EEA/UK, for example through cookies.

Note that GDPR applies regardless of where your company has a physical presence. Unlike some US data protection regulations, the size or revenue of your business does not affect whether it is subject to GDPR.

Conversely, your business can **more reasonably deprioritise** GDPR compliance if:

* It does not have users in the EEA/UK.
* It does not actively target users in the EEA/UK:
  * it does not price services or products in a European currency;
  * it does not translate its documents or website into a European language.
* It does not monitor the behaviour of people in the EEA/UK.

However, even in such instances, one-off sign-ups or purchases from EEA or UK residents technically pull your business into the scope of GDPR. Therefore, most founders we work with still choose to adopt GDPR-aligned working practices and data flows as a starting point.

### 3. UK Users

When the UK left the EU after Brexit, it adopted the GDPR into its own national law, the UK GDPR. Therefore, if your company processes the personal data of any UK residents, it will also be subject to the **UK GDPR**.

In practice, complying with EU GDPR will make your business compliant with UK GDPR in the majority of cases. However, since Brexit, the UK GDPR has been supplemented by the [Data Protection Act 2018](https://www.legislation.gov.uk/ukpga/2018/12/contents) and amended by the [Data (Use and Access) Act 2025](https://www.legislation.gov.uk/ukpga/2025/18/contents) (DUAA). Therefore, it is wise to keep an eye on the differences between these jurisdictions as the reforms of the DUAA increasingly take effect.

### 4. Penalties for GDPR non-compliance

The penalties for not complying with GDPR are significant.

Fines for non-compliance go up to **4% of global turnover** or **€20 million**, whichever is higher.

* In line with this, in 2021 Luxembourg's privacy regulator, the CNPD, imposed a fine of €746 million on Amazon and, in 2022, France's regulator, the CNIL, imposed a fine of €150 million on Google.

Penalties also extend beyond regulatory fines. Not complying with GDPR means a **lack of access to the EU market** for your business; you will not be able to sell to EU or EEA citizens.

Public non-compliance can also result in **severe reputational damage** and a **loss of trust** among users and investors, due to public coverage of fines or non-compliance.

