General Data Protection Regulation (GDPR)

A Stripe guide to the European privacy and data protection changes

Sára Gabriella Hoffman

Sára Gabriella Hoffman works on privacy and data protection at Stripe.

  1. Introduction
  2. What is GDPR?
  3. The GDPR can apply to organizations located outside the EU
  4. Processing personal data is a broad concept under the GDPR
  5. Key concepts: data controllers and data processors
  6. Legal basis for processing personal data in the GDPR
  7. Individuals’ rights under the GDPR
  8. International data transfers
  9. Non-compliance
  10. Stripe and the GDPR
  11. The Accountability Principle
  12. GDPR tips for your business
    1. Get on the same page
    2. Get a clear picture of what is happening with personal data in your organization
    3. Legal basis mapping
    4. Know how to comply with an individual exercising their rights
    5. Data breach and incident response
  13. Additional resources

An overview of the privacy and data protection laws that entered into effect on May 25, 2018, and a few best practices toward GDPR compliance

The GDPR is the most important change in data privacy regulation in decades. Companies are working to implement sweeping changes to their systems and contracts, and those running on compliant and privacy-conscious platforms have a head start. This guide aims to help our users understand the GDPR’s widespread consequences, the opportunity it affords to improve data processing activities, and how to become and remain GDPR compliant.

The fine print: This GDPR guide is for informational purposes only. It is not legal advice. Please reach out to your legal counsel to receive tailored guidance on how the GDPR may impact your business.

What is GDPR?

The General Data Protection Regulation (GDPR) is a new, EU-wide privacy and data protection law. It calls for more granular privacy guardrails in an organization’s systems, more nuanced data protection agreements, and more consumer-friendly and detailed disclosures about an organization’s privacy and data protection practices.

The GDPR replaces the EU’s current data protection legal framework from 1995 (commonly known as the “Data Protection Directive”). The Data Protection Directive required transposition into EU member national law, which led to a fragmented EU data protection law landscape. The GDPR is an EU regulation that has direct legal effect in all EU member states; that is, it does not need to be transposed into an EU member state’s national law in order to become binding. This will enhance consistency and harmonious application of the law in the EU.

The GDPR can apply to organizations located outside the EU

Unlike the Data Protection Directive, the GDPR is relevant to any globally operating company, not just those located in the EU. Under the GDPR, organizations may be in scope if (i) the organization is established in the EU, or (ii) the organization is not established in the EU but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.

Processing personal data is a broad concept under the GDPR

The GDPR governs how personal data of EU individuals may be processed by organizations. “Personal data” and “processing” are frequently used terms in the legislation, and understanding their particular meanings under the GDPR illuminates the true reach of this law:

  • Personal data is any information relating to an identified or identifiable individual. This is a very broad concept because it includes any information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data is not just a person’s name or email address. It can also encompass information such as financial information or even, in some cases, an IP address. Moreover, certain categories of personal data are given a higher level of data protection because of their sensitive nature. These categories of data are information about an individual’s racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, information about a person’s sex life or sexual orientation, and criminal record information.

  • Processing of personal data is the key activity that triggers obligations under the GDPR. Processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. In practical terms, this means any process that stores or consults personal data is considered processing.

Key concepts: data controllers and data processors

In EU data protection law, there are two types of entities that can process personal data—the data controller and the data processor.

The data controller (“controller”) is the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data. The data processor (“processor”) is the entity that processes personal data on behalf of the controller.

It is important to determine whether the entity processing personal data for each data processing activity is a controller or a processor. This mapping exercise enables an organization to understand what rights and obligations attach to each of its data processing operations.

Stripe has certain data processing activities for which it acts as a data controller, and others for which it acts as a data processor. A good illustration of this dual role is when Stripe processes credit card transactions. Facilitating a transaction requires the processing of personal data, such as the cardholder’s name, credit card number, the credit card expiry date, and CVC code. The cardholder’s data is sent from the Stripe user to Stripe via the Stripe API (or by some other integration method, such as Stripe Elements). Stripe then uses the data to complete the transaction within the systems of the credit card networks, which is a function that Stripe performs as a data processor. However, Stripe also uses the data to comply with its regulatory obligations, such as Know Your Customer (KYC) and Anti-Money Laundering (AML), and in this role Stripe is a data controller.

Legal basis for processing personal data in the GDPR

The next consideration is to determine whether or not a particular processing activity is GDPR compliant. Under the GDPR, every data processing activity, performed as a controller or processor, needs to rely on a legal basis. The GDPR recognizes a total of six legal bases for processing EU individuals’ personal data (in the GDPR, EU individuals are referred to as “data subjects”). Those six legal bases, in the order of Art. 6 (1) (a) to (f) GDPR, are:

  1. The data subject has given consent to the processing of their personal data for one or more specific purposes.

  2. The processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.

  3. The processing is necessary for the compliance with a legal obligation to which the controller is subject.

  4. The processing is necessary to protect a vital interest of the data subject.

  5. The data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

  6. The processing is necessary for the legitimate interests pursued by the entity, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require personal data protection.

There are similarities between the GDPR permitted processing list and the list contained in the Data Protection Directive. However, there are also significant divergences.

The most frequently discussed change made by the GDPR, when compared to the Data Protection Directive, is the tightening of the consent requirements (item 1 in the above list). Under the GDPR, (i) consent must be verifiable, so the controller must be able to demonstrate that it was given, (ii) the request for consent must be clearly distinguishable from other matters, and (iii) data subjects must be informed of their right to withdraw consent, which must be as easy as giving it. An even higher standard (“explicit consent”) applies to the processing of sensitive data.

Another important item to highlight is the legitimate interest item (item 6 in the above list). When relying on “legitimate interest” as supporting the processing of personal data, an organization needs to be aware of the balancing test requirement associated with this legal basis. To satisfy the Accountability Principle under the GDPR, an organization must document its compliance with the balancing test, which includes its approach and the arguments that it considered prior to it concluding that the balancing test was satisfied.

Individuals’ rights under the GDPR

Under the Data Protection Directive, individuals were guaranteed certain basic rights with regard to their personal data. Individuals’ rights continue to apply under the GDPR, subject to some clarifying amendments. The below chart compares individuals’ rights under the Data Protection Directive and the GDPR.

Right of access

  Data Protection Directive: Individuals have the right to know whether their personal data is being processed, which personal data is being processed, how it is processed, and what the data processing operations involve.

  GDPR: The scope of this right is expanded. For example, when making an access request, individuals must receive additional information, including information about data protection rights that are new under the GDPR and did not previously exist (such as the right to data portability).

Right to object

  Data Protection Directive: Individuals can stop specific data processing operations where there are compelling legitimate grounds. Individuals can also object to the processing of their personal data for direct marketing purposes.

  GDPR: The scope of this right is expanded compared to the Data Protection Directive.

Right to rectification

  Data Protection Directive: Individuals can request that incomplete data be completed and inaccurate data be corrected, so that the processing of their personal data complies with the applicable data protection principles.

  GDPR: The position is substantially the same as under the Data Protection Directive, but the procedural safeguards are partially strengthened.

Right to restriction of processing

  Data Protection Directive: There is no right to restriction of processing, but the Directive gives individuals the right to request that their personal data be blocked where a processing operation does not comply with the data protection principles (for example, where the data is incomplete or inaccurate).

  GDPR: Individuals have the right to request restriction of the processing of their personal data in specific circumstances (including where the individual contests the accuracy of the data).

Right to erasure (“right to be forgotten”)

  Data Protection Directive: Individuals have the right to request erasure of their personal data where a processing operation has not complied with the data protection principles; the right is therefore very limited.

  GDPR: This right is substantially expanded. For example, the right to erasure can be exercised where the personal data is no longer needed for the purposes for which it was collected, or where the individual withdraws consent to the processing and there is no other legal basis that supports continued processing.

Right to data portability

  Data Protection Directive: The Directive does not explicitly mention “data portability” as a data subject right. Some EU member states may have introduced rights similar to data portability in their national laws.

  GDPR: Individuals can request that the personal data held by a particular data controller be provided to them or to another controller.

International data transfers

International data flows have been a hot topic in recent years, with considerable debate and law reform, and it is close to certain that the law in this area will continue to evolve in the coming years. Today, under EU data protection law, certain requirements need to be satisfied before EU individuals’ personal data may be transferred outside the EU, unless the organization receiving the personal data is located in a jurisdiction that the European Commission has recognized as providing adequate protection (an “adequacy decision”; see here for the list of such jurisdictions).

Under the GDPR, international data transfers are a challenging topic to manage because the law keeps evolving and there are only a handful of data transfer mechanisms available. While challenging, organizations need to keep current with the developments because the compliant flow of personal data is the backbone of any technology company.

We no longer rely on the Privacy Shield as a data transfer mechanism, given that the EU-US Privacy Shield and the Swiss-US Privacy Shield are no longer valid as a result of the Schrems II decision issued by the European Court of Justice on July 16, 2020. We continue to commit to the principles of the Privacy Shield framework, given it can still provide privacy protections to users. For this reason, we continue to make a reference to the Privacy Shield in policies and agreements.

More generally, Stripe has international data transfer compliance measures in place governing all of Stripe’s global entities’ processing of the personal data of EU individuals. These measures are based on the EU Standard Contractual Clauses (SCCs).

As noted above, international data flows continue to be an area of potential future law reform. For this reason, we are following the legal developments around international data transfer compliance measures very closely and take every measure available to us to ensure a compliant international transfer of EU data subjects’ personal data. This also means that we have built redundancies into our data transfer compliance program to the fullest extent possible and are looking to expand these with the tools available to Stripe under the GDPR.

Non-compliance

The most referenced consequence of non-compliance with the GDPR is the maximum fine that can be levied against a non-compliant organization: up to 4% of total worldwide annual turnover for the preceding financial year or 20 million EUR, whichever is higher. Certain other types of infringements carry a maximum fine of 2% of total worldwide annual turnover or 10 million EUR, whichever is higher.

Less frequently referenced are the data protection authorities’ (DPAs’) powers under Art. 58 of the GDPR. These powers include the ability for the DPAs to impose corrective actions, such as a temporary or definitive limitation on data processing activities, including a complete ban on data processing, or to order the suspension of data flows to a recipient in a third country.

Stripe and the GDPR

At Stripe, privacy, data protection, and data security are at the very heart of everything we do. We’re continuously working to reset the bar for ourselves in the security and data privacy realm, and we view the GDPR as an opportunity for the entire industry to come together on this and improve.

Stripe started its efforts towards GDPR compliance back in 2016, and we are working to ensure that our services are GDPR compliant on the effective date of May 25, 2018.

GDPR compliance is comprised of many elements. Among others, we are updating our documentation and agreements to align with GDPR requirements. We are also revising our internal policies and procedures to ensure that they adhere to the GDPR standard.

Most of the GDPR compliance elements take place “under the hood” of an organization as they relate to updates on how an organization is processing personal data. These are some of the steps platforms like Stripe are performing for their users (and themselves) in anticipation of the GDPR:

  • Perform a gap analysis between the requirements imposed by the Data Protection Directive and the GDPR, as applicable to the company’s business operations.

  • Review and update internal tools, procedures, and policies where necessary.

  • Revise data mapping and data inventory practices, and update where necessary, to comply with the GDPR’s record-keeping obligations (the records of processing activities required by Art. 30 GDPR).

  • Perform a dedicated gap analysis of privacy and data protection review tooling to meet the Data Protection Impact Assessment requirements.

  • Update approach to international data transfers.

  • Update contracts to reflect Art. 28 GDPR obligations as they relate to the company’s contracting parties.

  • Review and, where necessary, revise relationships with vendors to meet the requirements of the GDPR to ensure that those third parties receive and process personal data in a lawful way.

  • Update the company’s Privacy Compliance Program with continuous employee training to reflect the changes to be implemented for the GDPR.

The Accountability Principle

Stripe users should consult with their legal professionals to understand the full scope of their compliance obligations under GDPR. As a general rule, if your organization is established in the EU, or if it is not established in the EU but processes EU individuals’ personal data in connection with offering them goods or services or monitoring their behavior, the GDPR will be applicable to you.

One overriding GDPR principle to keep in mind is the Accountability Principle. The Accountability Principle states that the data controller has to be able to demonstrate that its processing activities are compliant with the data protection principles set forth in the GDPR. The easiest way to demonstrate compliance is by documenting and communicating your GDPR compliance approach.

At Stripe, compliance has been the product of a collaborative effort from many people across our organization, including User Operations, Sales, Engineering, Security, and Legal. In our experience, cross-functional partnerships and easy-to-read documentation are incredibly helpful to the overall GDPR compliance process.

GDPR tips for your business

With a few more weeks left to go until May 25, 2018, small- and medium-sized organizations may face particular challenges to get ready for the GDPR. With this in mind, we’ve put together some of the key elements of a GDPR compliance program in a set of tips for users.

Get on the same page

Get together with your technical, customer support, and legal colleagues, and bring each other up to speed on what the GDPR is and how it impacts your organization.

Get a clear picture of what is happening with personal data in your organization

A data mapping exercise may help you uncover how personal data is stored and processed by your systems. The following questions may guide you:

  • What categories of personal data are you processing (e.g., financial information, health information, marketing-related information, etc.)?
  • For what categories of individuals are you processing personal data (e.g., cardholders, children, patients, etc.)?
  • What is the reason for processing this information?
  • How and why did you collect this information?
  • How are you securing this data?
  • Are any third parties receiving this information? If so, do you know who those third parties are, and are you disclosing them in your Privacy Policy or other forms of notification?
  • How long are you keeping information about individuals?

Legal basis mapping

Consult the six legal bases mentioned above. For every processing operation identified in your data map, link it back to a legal basis. That connection will give you the legal basis map.

Know how to comply with an individual exercising their rights

  • Have the ability to use the information from the data mapping to answer a data subject access request.
  • From the data map, know where personal data resides in your system (and is cross-referenced with other systems) to comply with opt-out, modification, and erasure requests.
  • Know what data formats your systems use, and figure out how you are going to respond to data portability requests.
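As an added example, not part of Stripe’s guide or of Stripe’s code, the following Python sketches the data map and legal basis map from the questions above as a structured inventory, checks that every processing activity has a recognised legal basis (with a documented balancing test for legitimate interest and an Art. 9 condition for special-category data), and then uses the same inventory to answer an access request, an erasure request that keeps records a legal obligation still requires you to retain, and a portability export. Store names, field names, retention periods, subject identifiers and the records themselves are constructed for illustration; a real system would replace the in-memory stores with calls into each system listed in the data map, and would decide per contract whether contract-basis records can be erased, which this example simply does.

```python
"""Data map as code: legal-basis validation plus access, erasure and
portability handling. Added example, not Stripe's code; every store name,
field, retention period and record below is hypothetical."""
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Art. 6(1)(a)-(f) legal bases, in the order the guide lists them.
LEGAL_BASES = ("consent", "contract", "legal_obligation",
               "vital_interest", "public_task", "legitimate_interest")
# Art. 9 special categories, as short labels for this example.
SPECIAL_CATEGORIES = {"racial_ethnic", "political", "religious", "trade_union",
                      "genetic", "biometric", "health", "sex_life"}
PORTABLE_BASES = {"consent", "contract"}  # Art. 20 applies to data held on these bases
TODAY = date(2018, 6, 1)                  # fixed "now" so the example is reproducible


@dataclass
class ProcessingActivity:
    name: str
    purpose: str
    store: str                    # system that holds the records (hypothetical)
    categories: frozenset         # categories of personal data processed
    legal_basis: str
    retention_days: int           # how long a record is kept after creation
    recipients: tuple = ()        # third parties the data is disclosed to
    art9_condition: str = ""      # needed when categories hit SPECIAL_CATEGORIES
    lia_documented: bool = False  # legitimate-interest balancing test on file

def validate_data_map(activities):
    """Legal basis mapping check: returns the problems found (empty = clean)."""
    problems = []
    for a in activities:
        if a.legal_basis not in LEGAL_BASES:
            problems.append(f"{a.name}: no recognised legal basis ({a.legal_basis!r})")
        if a.legal_basis == "legitimate_interest" and not a.lia_documented:
            problems.append(f"{a.name}: balancing test not documented")
        if a.categories & SPECIAL_CATEGORIES and not a.art9_condition:
            problems.append(f"{a.name}: special-category data without an Art. 9 condition")
    return problems

def _records_of(stores, activity, subject_id):
    return [r for r in stores.get(activity.store, []) if r["subject_id"] == subject_id]

def access_request(activities, stores, subject_id):
    """Art. 15: the subject's records plus purpose, basis, recipients, retention."""
    return {a.name: {"purpose": a.purpose, "legal_basis": a.legal_basis,
                     "recipients": list(a.recipients), "retention_days": a.retention_days,
                     "records": _records_of(stores, a, subject_id)}
            for a in activities if _records_of(stores, a, subject_id)}

def erasure_request(activities, stores, subject_id, today=TODAY):
    """Art. 17: delete the subject's records in every store, except those a legal
    obligation still requires us to keep (Art. 17(3)(b)) until they expire."""
    erased, retained = [], []
    for a in activities:
        keep = []
        for r in stores.get(a.store, []):
            if r["subject_id"] != subject_id:
                keep.append(r)
                continue
            expires = r["created"] + timedelta(days=a.retention_days)
            if a.legal_basis == "legal_obligation" and expires > today:
                keep.append(r)
                retained.append((a.name, r["id"], expires.isoformat()))
            else:
                erased.append((a.name, r["id"]))
        stores[a.store] = keep
    return erased, retained

def portability_export(activities, stores, subject_id):
    """Art. 20: machine-readable (JSON) export of data held under consent or contract."""
    export = {a.name: _records_of(stores, a, subject_id)
              for a in activities if a.legal_basis in PORTABLE_BASES}
    return json.dumps(export, default=str, sort_keys=True)

# Constructed data map; subject_id is the key that links records across systems.
DATA_MAP = [
    ProcessingActivity("card_payments", "complete the customer's purchase", "payments_db",
                       frozenset({"name", "financial"}), "contract", 365,
                       recipients=("card network",)),
    ProcessingActivity("kyc_records", "KYC/AML checks required by law", "kyc_vault",
                       frozenset({"name", "government_id"}), "legal_obligation", 5 * 365),
    ProcessingActivity("newsletter", "marketing email", "marketing_crm",
                       frozenset({"email"}), "consent", 730),
]

def sample_stores():
    """Constructed records, one dict per row; a fresh copy for each run."""
    return {
        "payments_db": [{"id": "pay_1", "subject_id": "cust_1", "created": date(2017, 3, 1), "amount_cents": 1999}],
        "kyc_vault": [{"id": "kyc_1", "subject_id": "cust_1", "created": date(2017, 3, 1), "document": "passport"}],
        "marketing_crm": [{"id": "mkt_1", "subject_id": "cust_1", "created": date(2018, 1, 1), "email": "a@example.com"},
                          {"id": "mkt_2", "subject_id": "cust_2", "created": date(2018, 1, 1), "email": "b@example.com"}],
    }
```

Running `erasure_request(DATA_MAP, sample_stores(), "cust_1")` deletes the payment and newsletter rows but reports the KYC record as retained until its five-year retention period ends, which is the answer you would give the individual alongside the legal basis for keeping it. The same inventory drives the access report and the portability export, so the data map built once under the questions above is the single source for all three request types.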

Data breach and incident response

When you are speaking to your colleagues on the technical/security side of the organization, make sure you know your incident response plan. Under Art. 33 GDPR, a controller must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a processor must notify its controller without undue delay. Your plan should therefore make that clock, the decision owner, and the escalation path explicit. Run a few table-top exercises so everyone involved in incident response knows what to do if a security incident happens. Ideally, your incident response team is a fine-tuned machine, ready to execute incident response plans when the situation occurs.

There are many more elements that could be added to this checklist, and you will need to work with your internal experts and external advisors to come up with a list that is customized for your needs. For example, you may need to do data protection impact assessments, appoint a data protection officer, manage and review marketing and other company communication practices, and revisit your vendor management and contracting processes, just to name a few.

If you have a solid foundation by mapping out your data processing activities, you are giving yourself a big advantage for any subsequent GDPR compliance question that you encounter.

Below, you will find some additional resources that we have consulted and found helpful, and we hope they will also be useful to you.

Additional resources

The GDPR is mentioned in many different places, and it is hard to keep track of the good resources that are available online. Here are some resources we consult to keep current with GDPR developments:

  • Everything starts with the legal text: The full legal text of the GDPR is here and the Data Protection Directive is linked here.

  • The Supervisory Authority: There is a Data Protection Authority (DPA) in each EU member state, and many of them have published helpful guidelines on GDPR implementation. You’ll find a list of DPAs here.

  • Article 29 Working Party (WP29), soon to be European Data Protection Board (EDPB): The WP29 is an advisory body made up of a representative from the DPA of each EU member state, the European Data Protection Supervisor, and the European Commission. As of May 25, 2018, the WP29 will become the EDPB. The EDPB will include the head of a DPA of each EU member state and the European Data Protection Supervisor. The WP29 has issued hundreds of guidelines and opinions and has opened up several topics for consultation. The most recent guidelines and opinions all focus on how to best implement GDPR elements into an organization’s compliance structure. The WP29 Newsroom is here.

  • GDPR-related events: Some DPAs, law firms, privacy organizations such as the IAPP, and many other organizations, NGOs, and companies are hosting GDPR-related events. It is very likely that other organizations have very similar questions to yours about GDPR implementation. These are great opportunities to reach out to the GDPR community and work through the questions together.