EU customers.
GDPR applies - wherever you are.
GDPR applies based on where your customers are, not where your business is. If you have EU customers, you have GDPR obligations - regardless of whether you are in Australia, the US, the UK, or anywhere else. Kontractually reviews your privacy policy, DPAs, and consent mechanisms against GDPR requirements.
7-day free trial. Full platform access. No credit card required.
6 GDPR requirements businesses outside the EU frequently miss.
Kontractually checks your documents against these requirements and flags gaps before they become enforcement issues. If you share personal data with third-party processors, a data processing agreement is also required under Article 28.
What is a GDPR requirements check?
A GDPR requirements check systematically reviews your privacy policies, data processing agreements, cookie notices, and consent mechanisms against General Data Protection Regulation (GDPR) requirements. It flags missing lawful basis statements, inadequate retention periods, and processor agreements that may not meet GDPR standards - so you can address gaps before they become enforcement issues.
The GDPR (Regulation (EU) 2016/679) applies to any organization processing the personal data of EU residents, regardless of where the organization is based. Maximum fines are €20 million or 4% of global annual turnover — whichever is higher — for the most serious violations. (Source: GDPR Article 83.) In 2023, the EU data protection authorities issued over €1.6 billion in GDPR fines (EDPB, 2024 Annual Report).
Yes, if you process personal data of EU residents, regardless of where your business is located. GDPR applies based on the location of data subjects, not the location of the business. An Australian SaaS company with EU customers, an Australian e-commerce store shipping to the EU, or an Australian business with EU employees is likely subject to GDPR.
Both regulate personal data handling, but with different requirements. Key differences: GDPR requires an explicit lawful basis for every processing activity (AU Privacy Act does not); GDPR has stricter consent requirements; GDPR includes data portability and erasure rights (AU APP access and correction rights are narrower); GDPR requires DPAs with all processors; GDPR's breach notification is 72 hours (AU NDB scheme is 30 days). If your business is subject to both, your privacy program must satisfy the stricter requirement in each area.
A DPO is mandatory under GDPR if you are a public authority, carry out large-scale systematic monitoring of individuals, or carry out large-scale processing of special categories of data (health, biometric, etc.). Most small and medium Australian businesses dealing with EU customers do not require a DPO, but should designate someone responsible for GDPR compliance.
A DPA is a contract between a data controller (you) and a data processor (a third party that processes personal data on your behalf). Under GDPR Article 28, a DPA is required for every third-party processor that handles EU personal data. This includes: cloud storage providers, email service providers, analytics tools, CRM systems, and payment processors. Kontractually can review DPAs against GDPR Article 28 requirements.
Kontractually reviews documents against your GDPR playbook. For privacy policies: checks for lawful basis disclosure, data subject rights information, cross-border transfer safeguards, and breach notification process. For DPAs: checks for Article 28 mandatory terms, sub-processor requirements, and security obligations. For consent forms: checks for GDPR-aligned consent language. Configure the playbook once; apply it to every document review.
Check your documents against GDPR requirements today.
Set up your GDPR playbook in 10 minutes. See what Kontractually flags in your current privacy documents.