Which platforms does GDPR apply to?

ConductAtlas tracks GDPR-relevant provisions across 100 platforms. Visit the regulation page to see all affected platforms and their specific provisions.

How does ConductAtlas monitor GDPR compliance?

ConductAtlas captures policy documents daily, classifies provisions by regulatory framework, and flags changes that affect GDPR obligations. Every change is archived with cryptographic verification.

Regulation (EU) 2016/679

General Data Protection Regulation

Regulation — European Union

Effective: May 25, 2018 100 platforms tracked 5976 provisions indexed Enforced by: European Data Protection Board (EDPB), National Data Protection Authorities (DPAs) Last reviewed May 9, 2026

Overview

The General Data Protection Regulation is the European Union's comprehensive data protection framework, replacing the 1995 Data Protection Directive. It establishes strict requirements for how organizations collect, process, store, and share personal data of individuals in the EU and EEA.

GDPR grants data subjects specific rights including the right to access, rectification, erasure ("right to be forgotten"), data portability, and the right to object to automated decision-making. Organizations must demonstrate a lawful basis for processing (consent, contractual necessity, legitimate interest, legal obligation, vital interest, or public task) and implement appropriate technical and organizational safeguards.

Enforcement is carried out by national Data Protection Authorities coordinated through the European Data Protection Board. Penalties can reach up to €20 million or 4% of global annual turnover, whichever is higher — making GDPR one of the most consequential regulatory frameworks for platform governance globally.

Penalties

Up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher. Lower-tier violations (e.g. record-keeping failures): up to €10 million or 2% of turnover.

Key Articles & Sections

Art. 5 Principles of Processing

Lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, accountability.
Read full text →
Art. 6 Lawfulness of Processing

Six lawful bases for processing: consent, contract, legal obligation, vital interests, public task, legitimate interests.
Read full text →
Art. 7 Conditions for Consent

Consent must be freely given, specific, informed, and unambiguous. Must be as easy to withdraw as to give.
Read full text →
Art. 13-14 Transparency Requirements

Controllers must provide detailed information at point of collection including purposes, legal basis, recipients, retention periods, and data subject rights.
Read full text →
Art. 15 Right of Access

Data subjects have the right to obtain confirmation of processing and access to their personal data.
Read full text →
Art. 17 Right to Erasure

The "right to be forgotten" — data subjects can request deletion when data is no longer necessary, consent is withdrawn, or processing is unlawful.
Read full text →
Art. 20 Right to Data Portability

Data subjects can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller.
Read full text →
Art. 22 Automated Decision-Making

Data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects.
Read full text →
Art. 25 Data Protection by Design and Default

Controllers must implement appropriate technical and organizational measures at the time of design and by default.
Read full text →
Art. 32 Security of Processing

Controllers and processors must implement appropriate technical and organizational security measures including encryption and pseudonymization.
Read full text →
Art. 33-34 Breach Notification

Personal data breaches must be reported to supervisory authority within 72 hours. Data subjects must be notified if breach poses high risk.
Read full text →
Art. 44-49 International Transfers

Personal data transfers outside EU/EEA require adequacy decisions, standard contractual clauses, binding corporate rules, or other safeguards.
Read full text →

Platforms We Track Subject to GDPR

23andMe

36 relevant provisions

Activision

17 relevant provisions

Adobe

27 relevant provisions

Adyen

18 relevant provisions

Affirm

16 relevant provisions

Afterpay

14 relevant provisions

AI21 Labs

17 relevant provisions

Airbnb

20 relevant provisions

Airtable

16 relevant provisions

Allstate

0 relevant provisions

Amazon

14 relevant provisions

Amazon Marketplace

43 relevant provisions

American Airlines

13 relevant provisions

Amplitude

27 relevant provisions

Ancestry

25 relevant provisions

Anthropic

93 relevant provisions

Anyscale

24 relevant provisions

Apple

16 relevant provisions

Apple App Store

35 relevant provisions

Apple Pay

5 relevant provisions

Arlo

13 relevant provisions

Asana

17 relevant provisions

Atlassian

21 relevant provisions

AT&T

3 relevant provisions

Audible

21 relevant provisions

Auth0

16 relevant provisions

AWS

28 relevant provisions

AWS Bedrock

9 relevant provisions

BeReal

23 relevant provisions

Best Buy

12 relevant provisions

Showing 30 of 100 platforms. View all platforms →

Recent Changes Related to GDPR

Jun 6, 2026 Dun & Bradstreet Low

Dun & Bradstreet removed 7 sentences from their privacy policy that previously explained cookie preferences, chat functionality, and links to their Cookie Policy. The removed language included option…
View change record →
Jun 6, 2026 Dun & Bradstreet Medium

Dun & Bradstreet removed seven sentences from their Terms of Use that described cookie preferences, chat functionality, and related data handling disclosures. The removed language explained how users…
View change record →
Jun 6, 2026 American Airlines Medium

American Airlines removed 12 sentences from its Terms of Use that previously disclosed how cookies and personal data are collected on its website. The removed language explained what cookies do, what…
View change record →
Jun 6, 2026 Ideogram Low

Ideogram's Terms of Service on June 6, 2026 underwent formatting and structural updates rather than substantive operational changes. The detected revisions involved 2 sentences added, 76 sentences re…
View change record →
Jun 6, 2026 Ideogram Medium

Ideogram's updated privacy policy replaces a general reference statement with a detailed table that specifies which categories of personal information are collected and which parties receive each cat…
View change record →
Jun 6, 2026 Writer Low

Writer removed 21 sentences from its Terms of Service that previously described cookie usage, consent mechanisms, and user opt-out rights for targeted advertising. The updated terms no longer include…
View change record →
Jun 6, 2026 Kindle Low

The detected change consists of navigation and header elements on the Kindle Store Terms of Use page, including removal of 'Amazon Fresh' and 'FoodMaxx' from the category list, addition of 'Same-Day …
View change record →
Jun 6, 2026 Medium Low

Medium's privacy policy was updated on June 6, 2026 to add engagement metrics (53K views, 13 responses) to the policy document header. The change is purely editorial and adds visible article engageme…
View change record →
Jun 6, 2026 Medium Low

Medium's Terms of Service display was updated on June 6, 2026 to include engagement metrics (46K views, 11 shares) alongside the document header. This is a formatting and display change to the webpag…
View change record →
Jun 6, 2026 Ancestry Medium

Ancestry removed a single sentence from their Terms and Conditions footer on June 6, 2026. The removed text contained a link or reference to 'Do Not Sell or Share My Personal Information,' a disclosu…
View change record →

ⓘ

ConductAtlas maps governance language to potentially relevant regulatory frameworks. Regulatory applicability and enforceability may vary by jurisdiction, enforcement context, and individual circumstances. This page is informational and does not constitute legal advice. Methodology