ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

GDPR-EDI

GDPR (EDI) is the EU Regulation 2016/679 (GDPR) applicable since 25 May 2018, mandating personal-data minimisation, consent, the right to erasure — including in B2B EDI flows carrying personal data.

Definition

The GDPR mandates six core principles: lawfulness, purpose limitation, minimisation, accuracy, storage limitation, integrity and confidentiality. In EDI, this translates to: no personal data in a B2B flow without a legal basis, deletion at retention-period end, encrypted logging of accesses.

Origin

Adopted on 27 April 2016, applicable from 25 May 2018 (no transition period). Replaces Directive 95/46/EC. Administered by national DPAs (CNIL in France, BfDI in Germany).

Use

An EDIFACT INVOIC between supplier and buyer only carries company data (GDPR-friendly). But a HIPAA 837 in Europe would carry medical data: forbidden as-is, except through HDS hosting and an Article 28 processor contract. Sanctions: up to 4% of worldwide turnover.

Last updated: May 14, 2026