You should review this document in conjunction with our Privacy Policy and potentially contact a specialist for legal advice.

Effective May 2018, the General Data Protection Regulation (GDPR) was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.

GDPR is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It’s primary aim is to enhance individuals' control and rights over their personal data and to simplify the regulatory environment for international business. Superseding the Data Protection Directive 95/46/EC, the regulation contains provisions and requirements related to the processing of personal data of individuals (formally called data subjects in the GDPR) who are located in the EEA, and applies to any enterprise—regardless of its location and the data subjects' citizenship or residence—that is processing the personal information of individuals inside the EEA.

Not necessarily. The requirements of the GDPR apply to the physical location of the person whose data is being used, rather than their citizenship. If an EU citizen purchases an item while traveling or living in the United States and their data is then stored by an American company, in U.S.-based computer servers — the GDPR would not apply.

Conversely, if an American citizen is living or staying in the EU for an extended period, the GDPR can apply to the usage of his or her data. U.S. citizens who are living in the United States are not subject to these requirements.

A data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data controllers are key decision-makers. They have the overall say and control over the reason and purposes behind data collection and the means and method of any data processing.

Some data controllers may be governed by a statutory obligation to collect and process personal data. According to Section 6(2) of the 2018 Data Protection Act, if an organization is under such an obligation and processes personal data for compliance, it will be classed as a data controller.

A private company or any other legal entity – Including an incorporated association, incorporated partnership, or public authority.

An individual person – Such as a partner in an unincorporated partnership, a sole trader, or any self-employed professional.

Please see the GDPR checklist for data controllers.

A data processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

An organization that processes data on behalf of a data controller like cloud service providers. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Xano will typically act as the data processor for any person data made available by your customers.

The GDPR applies to all organizations based inside or outside the EU that processes personal data of EU individuals. According to the European Commission Personal data is any information relating to an identified or identifiable natural person.

Xano offers a GDPR compliant DPA - Data Processing Agreement, allowing customers with GDPR contractual obligations. GDPR compliant DPA is available for Scale, Enterprise & Agency Plans by filling out this request form.

Please note GDPR requirements will be covered only for the customers that sign the DPA and acquire a GDPR compliant plan. All other plans will not cover GDPR requirements.

Xano Subprocessors under the GDPR, is categorized as any business or contractor that customer data may pass through as a side effect of using Xano's service. See more.