General Data Protection Regulation (GDPR)

Learn about the EU and UK General Data Protection Regulation (GDPR), its history, and how Recurly enables compliance, ensuring privacy and security for your business data in the digital realm.


While the General Data Protection Regulation (GDPR) provides extensive data protection measures, it is essential to recognize its limitations and constraints, both for businesses and consumers.

  • Geographical constraints: GDPR applies to the European Union and data transferred out of it. Therefore, data protection standards may vary for regions outside the EU and UK, even when dealing with the same multinational corporation.
  • Business size and scope: Smaller businesses and startups may face difficulties due to the cost and complexity of GDPR compliance. These organizations may lack the necessary resources to meet all GDPR requirements effectively.
  • Data transfer limitations: While Standard Contractual Clauses (SCCs) provide a legal basis for transferring data from the EU and UK to the US, they are not a one-size-fits-all solution. There are cases where other legal bases may be more suitable.
  • Enforcement challenges: Despite GDPR's extensive reach, enforcement can be challenging due to differences in interpretation and implementation among UK and EU member states.
  • End user awareness: For GDPR to be truly effective, end users need to be aware of their rights under this regulation. However, not all users fully understand their rights and how to exercise them.


Data Hosting with Recurly provides flexible options for your data storage across different geographic locations. Adhere to regional regulations with our uniformly compliant and high-performance data centers in the United States and Europe.

Key benefits

  • Ensure regional compliance: With data centers in the US and EU, Recurly enables you to meet regional data residency requirements.
  • Flexibility and control: When setting up your Recurly account, you can choose your preferred data hosting region. This offers a degree of control over where your data is stored. However, please note that data processing may still occur outside your chosen region, including regions outside the EU.
  • Comprehensive coverage: All data - from what's visible in the Recurly UI to APIs, webhooks, exports, and hosted pages - is processed and stored within your chosen region.
  • Uniform service quality: Enjoy consistent performance and GDPR compliance across all our data centers.

Key details

Privacy as a fundamental right in the EU

Under the Charter of Fundamental Rights of the European Union, privacy of data is a fundamental right guaranteed to European citizens, making it legally obligatory for businesses in Europe to ensure adequate data protection.

Brief history of US-EU lawful data transfers

Over the years, several legal frameworks have been established to regulate the transfer of data between the EU and the US. After the invalidation of Safe Harbor and the EU–US Privacy Shield, Standard Contractual Clauses (SCCs) have been used as a lawful basis for data transfer. Most recently, a new framework known as the Data Privacy Framework (DPF) has been introduced to further secure and regulate data transfers. Recurly continues to use SCCs but also acknowledges and is actively addressing the new provisions under the DPF.

Standard contractual clauses (SCCs)

SCCs are contractual terms approved by the European Commission that provide a lawful basis for data transfers between companies in Europe and those outside of it.

Data subject rights

GDPR outlines a set of fundamental rights for data subjects, protecting their interests and ensuring they have control over their personal data.

Recurly's support for EU merchants and customers

Recurly offers data hosting in the EU, has a registered privacy agent in Europe, and has established a Data Protection Agreement, including SCCs, to ensure lawful data transfers.