GDPR-EDI
GDPR (EDI) is the EU Regulation 2016/679 (GDPR) applicable since 25 May 2018, mandating personal-data minimisation, consent, the right to erasure — including in B2B EDI flows carrying personal data.
Definition
The GDPR mandates six core principles: lawfulness, purpose limitation, minimisation, accuracy, storage limitation, integrity and confidentiality. In EDI, this translates to: no personal data in a B2B flow without a legal basis, deletion at retention-period end, encrypted logging of accesses.
Origin
Adopted on 27 April 2016, applicable from 25 May 2018 (no transition period). Replaces Directive 95/46/EC. Administered by national DPAs (CNIL in France, BfDI in Germany).
Use
An EDIFACT INVOIC between supplier and buyer only carries company data (GDPR-friendly). But a HIPAA 837 in Europe would carry medical data: forbidden as-is, except through HDS hosting and an Article 28 processor contract. Sanctions: up to 4% of worldwide turnover.
Related terms
- Audit trail — direct requirement.
- Trading partner — scope.
- DGE FR — national regulator.
- HIPAA — US counterpart.