GDPR
The European Union's General Data Protection Regulation, governing personal data of EU residents.
GDPR applies if a vendor processes the personal data of EU residents, regardless of where the vendor is based. Key obligations include lawful basis for processing, data subject rights (access, deletion, portability), 72-hour breach notification, and cross-border transfer mechanisms (Standard Contractual Clauses or adequacy decisions). Fines can reach 4 percent of annual global revenue. Most U.S. SaaS vendors selling into Europe sign a Data Processing Addendum (DPA) and adopt the SCCs.