GDPR Compliance

In May 2018, the EU General Data Protection Regulation (GDPR) went into effect to establish a new framework for managing and protecting EU residents’ personal data. This applies to all companies that process or hold personal data of customers residing in the EU, regardless of the company’s location. If your company sells to EU residents, your store must be GDPR compliant.

FastSpring is fully GDPR-compliant. However, your company may have additional obligations under GDPR, for which FastSpring cannot provide legal advice.

Who does the GDPR affect?

GDPR compliance applies to organizations within the EU as well as organizations outside of the EU who sell to or collect data from EU residents. It varies by company depending on its size, the types of data processed, and current security measures.

Under the GDPR, businesses are required to:

  • Obtain explicit consent to access EU-based residents’ personally identifiable information (PII).
  • Notify customers in case of a hack or breach.
  • Appoint a dedicated data protection officer.

For noncompliance, businesses may be charged a fine.

Personal Data

Personal Data is constituted of any information regarding a person or data subject that can be used to identify them directly or indirectly. Examples include:

  • Name
  • Photos
  • Email addresses
  • Bank information
  • Medical information
  • IP addresses
  • Posts on social media

These are not the only forms of information that count as personal data.

FastSpring Compliance

FastSpring is fully compliant with the EU General Protection Regulation; our platform can conduct business with all EU-based consumers. The diagram below illustrates relationships between FastSpring, Sellers, and Buyers from the perspective of GDPR.


FastSpring also complies with the EU-U.S. Data Privacy Framework (DPF) regarding the collection, use, and retention of personal information from European Union countries.