GDPR ComplianceTwo-sided marketplace compliance strategy

GDPR Compliance Overview ​

As a two-sided wedding marketplace operating in the EU/UK, Wedissimo must comply with GDPR regulations for both couples (customers) and vendors (service providers). This creates unique compliance challenges due to cross-user data dependencies and business data retention requirements.

Key Challenges ​

Two-Sided Marketplace Complexity:

• Couples and vendors have interconnected data through bookings
• Reviews create cross-user dependencies
• Business records have 7-year tax/legal retention requirements
• User deletion requests may conflict with vendor retention needs

Data Processing Roles:

• Wedissimo - Data Controller for all user data
• Couples - Data Subjects (wedding planning, booking services)
• Vendors - Data Subjects + Business Users (professional profiles, client management)

Compliance Documents ​

1. Master Strategy (Strategic Planning) ​

Purpose: Comprehensive strategic framework for GDPR compliance

Covers:

• Legal requirements and compliance framework
• Two-sided marketplace challenges
• Implementation phases (3 phases over 3 weeks)
• Manual processes and team requirements
• Financial risk assessment (€20M+ potential fines)
• Technical architecture decisions

Audience: Leadership, legal team, technical architects

Read this first to understand the overall compliance strategy and business requirements.

View Master Strategy →

2. Implementation Checklist (Execution Guide) ​

Purpose: Actionable implementation checklist for developers and compliance officers

Covers:

• Specific tasks to complete (automated vs manual)
• Implementation priority matrix (Phase 1, 2, 3)
• Fine avoidance checklist
• Practical team assignments
• Response SLAs for user rights requests

Audience: Developers, project managers, compliance officers

Use this to track implementation progress and assign tasks.

View Implementation Checklist →

3. Policy Gap Analysis (Current State Assessment) ​

Purpose: Analysis of current privacy policy gaps and required updates

Covers:

• Critical gaps with high risk of fines
• Comparison of current policy vs GDPR requirements
• Missing user rights implementation
• Legal basis documentation gaps
• Data retention policy requirements
• Immediate action items and priorities

Audience: Legal team, compliance officers, leadership

Use this to understand what needs to be fixed in current policies and prioritize updates.

View Policy Gap Analysis →

4. Migration Compliance Verification (Technical Review) ​

Purpose: Technical verification that WordPress → Laravel migration meets GDPR requirements

Covers:

• Line-by-line code review of migration plans
• Verification of data structures (soft deletes, consent tracking, audit fields)
• Identification of implemented vs missing features
• Post-migration implementation tasks
• Domain-specific compliance checks

Audience: Developers, QA team

Use this to verify migration code and plan post-migration compliance work.

View Migration Compliance →

Compliance Status ​

Implementation Phases ​

Phase 1: Critical Legal Requirements (Week 1-2) ​

Focus: Mandatory features to avoid fines

• User data export APIs (couples + vendors)
• Consent management system
• Privacy policy and DPAs
• Cross-user dependency checks

Priority: HIGH - Required for legal compliance

Phase 2: Operational Compliance (Week 3) ​

Focus: Semi-automated systems and processes

• Account deletion with business logic
• Data retention automation
• Audit log system
• Quarterly consent audits

Priority: MEDIUM - Required for operational efficiency

Phase 3: Enhanced Compliance (Post-Launch) ​

Focus: Advanced features and optimization

• Privacy-preserving analytics
• Security monitoring
• Regular compliance reviews
• Staff training programs

Priority: LOW - Nice to have, continuous improvement

Risk Assessment ​

Non-Compliance Risks ​

Maximum Potential Fines: €20 million OR 4% of global annual turnover (whichever is higher)

High-Risk Scenarios:

• Unable to fulfill data subject requests (Article 15-22 violation)
• No valid legal basis documentation (Article 6 violation)
• Missing DPAs with processors (Article 28 violation)
• Data breach without proper notification (Article 33-34 violation)

Compliance Investment ​

Development Costs:

• Couple user rights APIs: 3-4 developer days
• Vendor user rights APIs: 4-5 developer days
• Cross-user dependency system: 3-4 developer days
• Consent management system: 4-5 developer days
• Audit logging: 2-3 developer days
• Data retention automation: 3-4 developer days

Total Estimated: 17-24 developer days (~3-4 weeks)

Next Steps ​

1. Review the Master Strategy to understand the overall compliance framework
2. Use the Implementation Checklist to track tasks and assign responsibilities
3. Verify migration compliance using the migration verification document
4. Implement Phase 1 features before launch (critical legal requirements)
5. Plan Phase 2 and 3 for post-launch implementation

Related Documentation ​

• WordPress Migration Guide - Overall migration process
• Security Strategy - Security implementation
• Database Architecture - Dual-database setup for legacy data