GDPR
General Data Protection Regulation
The EU's comprehensive data protection regulation. Applies to any organization processing personal data of EU residents, regardless of where the organization is based.
Official guide: GDPR.eu
Max penalty: Up to €20M or 4% of global annual revenue (whichever is higher)
Manual timeline: 2 to 4 months for consent management, data rights, and privacy documentation
With VertiComply: Minutes (consent flows, erasure endpoints, data export, and privacy components generated automatically)
GDPR went into effect on May 25, 2018 and fundamentally changed how organizations worldwide handle personal data. For healthcare apps, GDPR is especially relevant because health data is classified as a "special category" requiring explicit consent and additional safeguards. If even a single EU resident uses your app, GDPR applies — regardless of whether your company is in the US, India, or anywhere else. The regulation grants individuals extensive rights over their data and imposes strict obligations on data controllers and processors.
What It Covers
Lawful basis for processing — consent, contract, legal obligation, vital interests, public task, legitimate interest
Data subject rights — access, rectification, erasure, portability, objection, restriction
Data Protection Impact Assessment (DPIA) for high-risk processing
Data breach notification — 72 hours to supervisory authority
Data Protection Officer (DPO) requirement for large-scale processing
Cross-border data transfer restrictions (EU to non-EU countries)
Penalties & Enforcement
Lower tier: up to €10M or 2% of global revenue for process/record-keeping violations
Upper tier: up to €20M or 4% of global revenue for data processing/consent violations
Meta (Facebook): €1.2 billion fine (2023) for illegal data transfers to the US
Amazon: €746 million fine (2021) for non-compliant advertising data processing
Google: €50 million fine (2019) for lack of transparency and valid consent
Real Enforcement Examples
€1.2B (2023), Meta (Facebook): Illegal transfer of EU personal data to the US without adequate safeguards.
€746M (2021), Amazon: Processing personal data for advertising without proper consent mechanisms.
€90M (2022), Google Ireland: Cookie consent mechanisms did not allow users to refuse cookies as easily as accepting them.
How VertiComply Helps
Granular consent management with opt-in/opt-out flows
Right to erasure — cascading data deletion endpoints
Data portability — user data export in JSON/CSV format
Privacy policy and cookie consent banner components
Data breach detection and notification workflows
Data processing records maintained automatically
Frequently Asked Questions
Does GDPR apply to US companies?
Yes — if you process personal data of EU residents. It does not matter where your company is located. If a single EU resident uses your healthcare app, GDPR applies.
What is a DPIA and when is it required?
A Data Protection Impact Assessment is required when processing is likely to result in high risk to individuals — which includes most healthcare data processing. It documents risks and mitigation measures.
How long do I have to report a breach under GDPR?
You must notify the supervisory authority within 72 hours of becoming aware of a breach. Affected individuals must be notified without undue delay if the breach poses a high risk to them.
Do I need both HIPAA and GDPR?
If your app handles US patient data, HIPAA is mandatory. If any EU residents use it, GDPR also applies. The frameworks overlap about 60%, so building for both from the start is the most cost-effective approach.
Build GDPR-compliant from day one
VertiComply generates production-ready code with GDPR safeguards built in automatically.
Quick Facts
Region: European Union
Category: Data Protection
Max Penalty: Up to €20M or 4% of global annual revenue (whichever is higher)
Manual Timeline: 2 to 4 months
With VertiComply: Minutes