GDPR for Virtual Data Rooms
The EU General Data Protection Regulation (GDPR) is the single most important regulatory framework for virtual data rooms (VDRs) used in Europe. It defines who is legally responsible for personal data inside the room (the controller), what duties the VDR provider has (the processor), and what contractual safeguards must be in place between them.
GDPR compliance is rarely an obstacle to using a VDR for European deals — most professional providers are GDPR-aligned by default — but it does require disciplined contracting, sub-processor transparency, and breach-notification SLAs that are tighter than generic SaaS norms.
This page covers what GDPR specifically requires of a VDR provider, the standard contractual artifacts every European VDR engagement should produce, and a procurement-ready checklist for buyers.
Last updated: May 2026.
When Does GDPR Apply to a VDR?
Almost always in European deals. A VDR holds documents that contain personal data — employee records, customer names, supplier contacts, individual director information, signatory data, and so on. The moment a single piece of personal data of an EU/EEA data subject is uploaded, GDPR applies.
GDPR also applies when an EU controller uses a non-EU VDR provider to process EU personal data, even if the data is stored outside the EEA. Schrems II / Chapter V transfer rules then layer on top.
Controller and Processor — Who Is Who?
In a typical European M&A or fundraising scenario:
- The seller (or capital-raising company) is usually the controller of the personal data uploaded to the VDR. It decides what data goes in and why.
- The VDR provider is the processor — it stores, hosts, and provides access on the controller's instructions.
- Bidders and their advisors become independent controllers (or joint controllers) once they receive personal data, with their own GDPR duties.
- The VDR provider's sub-processors (data centre operator, monitoring provider, etc.) require contractual flow-down of GDPR obligations.
The Data Processing Agreement (Article 28)
Article 28 GDPR requires a written data processing agreement (DPA) between controller and processor. The DPA must cover:
- Subject matter, duration, nature, purpose, and types of personal data and data subjects.
- The processor's obligation to act only on documented instructions.
- Confidentiality of personnel.
- Security measures (Article 32).
- Sub-processor authorization and flow-down.
- Assistance with data-subject rights, breach notification, and DPIA support.
- Deletion / return of data at end of services.
- Audit and information rights for the controller.
Sub-processors and Transparency
Sub-processors include the underlying cloud infrastructure (AWS, Azure, GCP, OVH, IONOS), the email-delivery provider, the customer-support tooling, and any monitoring or analytics service that handles personal data on the provider's behalf.
GDPR requires controllers to be informed of new sub-processors and given the opportunity to object. Most VDR providers maintain a public sub-processor list and notify controllers of changes via email or through the customer portal.
International Transfers (Chapter V)
Transfers of personal data outside the European Economic Area require a lawful transfer mechanism under Chapter V GDPR — most commonly the European Commission Standard Contractual Clauses (SCCs) for transfers to non-adequate jurisdictions. Following the Schrems II ruling, controllers must also conduct a transfer impact assessment (TIA) and, where necessary, apply supplementary technical measures.
Practical recommendation: prefer EU-hosted VDR providers for European deals; if you must use a non-EU provider, contract through an EU entity, ensure SCCs are in place, and document a TIA. See the Schrems II for Data Rooms page for a procurement-ready TIA approach.
Breach Notification SLA
Article 33 requires controllers to notify the supervisory authority of a personal-data breach within 72 hours of becoming aware of it. The processor must notify the controller "without undue delay." Best practice is a contractual processor-to-controller SLA of 24 hours; some German and French buyers require 12 hours.
Procurement Checklist
- Confirm the provider's primary EU/EEA data centre location.
- Obtain and read the published DPA before signing.
- Verify the public sub-processor list and the change-notification process.
- Confirm breach SLA in writing (24 hours is the modern baseline).
- Confirm deletion / return-of-data clause and the deletion certificate process.
- Verify audit and information rights are proportionate to your industry.
- Document a TIA for any non-EEA transfer.
- Include the VDR in your record of processing activities (Article 30 ROPA).
Frequently Asked Questions
Does GDPR require a VDR to host in the EU?
No, but it requires a lawful transfer mechanism for non-EEA storage and a transfer impact assessment under Schrems II. EU hosting is the simplest answer.
Is the standard SaaS DPA sufficient for VDR use?
Usually yes for mid-market deals. For BaFin-, FINMA-, FCA- or AMF-supervised counterparties, you may need additional audit-rights clauses and sub-outsourcing transparency clauses.
What happens if a VDR provider has a breach?
It must notify you (the controller) without undue delay; you must then notify your supervisory authority within 72 hours of becoming aware, where the breach poses a risk to data subjects' rights.
Is Papermark GDPR-compliant?
Yes — Papermark is GDPR-compliant, hosts data in EU data centres (with US and UAE options for non-EU customers), and publishes a DPA. Self-hosting Papermark on your own EU infrastructure offers the strongest data sovereignty answer.
How do I document the TIA for a US VDR provider?
Use the European Data Protection Board's Recommendations 01/2020 as your template. Focus on (a) the legal context of the destination country, (b) supplementary measures (encryption with EU-held keys, pseudonymization), and (c) review periodicity.