GDPR and Trading Companies: Your Data Protection Obligations Explained
The General Data Protection Regulation affects every trading company that processes personal data of EU residents — which is almost all of them. Understanding your obligations and implementing compliant data management is both a legal requirement and a reputational imperative.
Five years after the GDPR came into force, many trading companies still have significant gaps in their data protection compliance. The regulation's requirements are genuinely broad, applying to any company that processes personal data of EU residents regardless of where the company itself is based, and the potential penalties (up to 4% of global annual turnover or EUR 20 million, whichever is higher) are material.

For trading companies, the key personal data processing activities typically include: employee data (HR records, payroll, benefit management); client and counterparty contact data (business development, communications records); commercial counterparty data used for KYC and sanctions screening; website visitor data (cookies, analytics); and in some cases, supplier employee data collected during supply chain audits.

The six lawful bases for processing under GDPR are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. Most trading company data processing will rely on contract (processing necessary for contract performance), legal obligation (KYC, anti-money laundering, sanctions screening), or legitimate interests (business communications, fraud prevention). Each processing activity should be mapped to one documented lawful basis before it starts, since the basis determines which rights the data subject can exercise and cannot easily be switched later.

KEY OBLIGATIONS

Privacy notices: Every category of data subjects whose personal data you process must receive a privacy notice explaining what data you process, why, on which lawful basis, for how long, with whom it is shared, and what rights they have. Generic website privacy policies are insufficient; you need notices tailored to employees, counterparties, and other data subject categories.

Data subject rights: Individuals have rights to access their personal data, correct inaccuracies, request erasure in certain circumstances, and object to certain types of processing. You need processes to handle these requests within the statutory timeframe: one month from receipt, extendable by up to two further months for complex or numerous requests, provided the individual is told of the extension within the first month.
Standards Desk at Certivade delivers expert analysis and breaking coverage across global markets, trade intelligence, and business strategy — combining deep industry expertise with rigorous reporting standards to provide actionable intelligence for business leaders worldwide.