VDR glossary · Compliance

GDPR

The European Union regulation governing how personal data is collected, processed, and stored, with strict consent and residency rules.

The General Data Protection Regulation, or GDPR, is the European Union law that governs how any organization collects, processes, stores, and transfers the personal data of people in the EU and the European Economic Area. It applies to you whether or not your company sits in Europe: if a single employee record, customer contract, or investor detail in your deal relates to an EU resident, the regulation reaches you. It sets out lawful bases for processing, tight rules on consent, limits on moving data outside the EU, and a duty to protect that data with appropriate technical measures. In a virtual data room, where you deliberately gather the most sensitive records a company owns and open them to outside parties, GDPR stops being an abstract policy and becomes a concrete checklist about where the room is hosted, who can see each file, and how every access is logged.

How does GDPR apply inside a data room?

A data room is a processing environment in the GDPR sense: you, the deal owner, are usually the data controller, and the provider hosting the room is a data processor acting on your instructions. That relationship has to be pinned down in a data processing agreement, which the provider should offer as standard. From there, three obligations shape the room itself. First, hosting location: GDPR restricts transfers of personal data outside the EEA, so EU deals often require an EU data center, which ties directly to data residency. Second, data minimization and purpose limitation: you should only place personal data a counterparty genuinely needs, and redact the rest. Third, security of processing under Article 32, which expects encryption, access controls, and an audit trail so you can demonstrate who touched what.

GDPR roles and duties around a data roomThe deal owner as controller instructs the provider as processor under a data processing agreement, while EU-hosted personal data must satisfy lawful basis, minimization, security, and residency.Controllerdeal ownerDPAinstructsProcessordata room hostEU-hostedpersonal dataArt. 32 securedDuties: lawful basis, minimization, security of processing, residency, breach notice

Why does GDPR matter for M&A and due diligence?

During a merger, acquisition, or fundraising round, the target’s data room is stuffed with exactly the personal data GDPR protects: employee files, payroll, customer lists, board minutes naming individuals. A buyer’s counsel treats the seller’s GDPR posture as a diligence item in its own right, because inheriting a non-compliant data estate means inheriting the liability. Fines run up to the greater of twenty million euros or four percent of global annual turnover, so a sloppy data room is not a paperwork risk, it is a valuation risk. A room that keeps EU personal data in an EU region, enforces least-privilege access, and produces a complete audit trail lets the seller answer the privacy questions in the diligence questionnaire with evidence instead of assurances. For the deeper workflow, our guide on GDPR and virtual data rooms walks through the practical setup.

A concrete example

A US software company acquiring a Berlin startup opens a data room to review contracts and staff records. Because the target has EU employees, every HR file is GDPR personal data. The seller hosts the room in an EU data center, grants the buyer’s advisers view-only rights to a folder scoped to what they need, redacts national ID numbers that are not deal-relevant, and relies on the audit trail to show regulators, if ever asked, exactly who opened which record and when. When the buyer’s privacy counsel asks where the data lives and who can reach it, the answers are already documented. The deal closes without a data protection blocker.

How should you evaluate GDPR readiness in a provider?

Do not accept “GDPR compliant” as a badge; the phrase has no certifying body behind it. Test it against evidence.

SignalWeak answerStrong answer
Hosting location”Global cloud”, unspecifiedNamed EU region, confirmable
Legal agreementNone offeredStandard DPA with sub-processor list
Access modelBroad, all-or-nothingLeast-privilege, granular per folder
Audit evidenceBasic login logFull, exportable, tamper-evident trail
Independent proofSelf-declared onlyISO 27001 and SOC 2 audited

The common mistakes are assuming a US-based provider cannot serve EU deals, uploading raw personal data that should have been redacted, and treating GDPR as separate from security when Article 32 makes them the same conversation. GDPR sits alongside sector rules like HIPAA for health data, so a genuinely global deal may need to satisfy several regimes at once. When residency and compliance decide your shortlist, our side-by-side comparisons and hands-on provider reviews record what each vendor actually offers.

FAQ

Does GDPR apply if my company is not in the EU? Yes, if you process the personal data of people in the EU or EEA. A data room holding contracts or employee records tied to EU residents falls under GDPR regardless of where your business is registered, so hosting location, access control, and a data processing agreement still matter.

Does an EU data center make a data room GDPR compliant on its own? No. EU hosting handles the data residency piece, but GDPR also demands a lawful basis for processing, data minimization, appropriate security under Article 32, and breach notification. Residency is necessary, not sufficient; see our guide on data residency in virtual data rooms.

Who is responsible for GDPR in a data room, me or the provider? Usually both, in different roles. You are typically the controller deciding what data goes in and why; the provider is the processor hosting it under your instructions. A data processing agreement should set out each side’s duties in writing.