EU member state requirements
GDPR is the EU-wide framework that applies in every EU member state, but member states add their own specifics. Koji accommodates the major variations as part of standard enterprise deployment; less-common requirements are configured per customer.
How EU member-state law works alongside GDPR
GDPR is a Regulation, not a Directive. That means it applies directly in every EU member state without national transposition. But GDPR also contains "opening clauses" that let member states add their own provisions in specific areas: most prominently employee data, age of consent for online services, sectoral regulation (healthcare, financial, education), and procedural rules for the national supervisory authority.
Member states also pass their own privacy-adjacent laws that intersect with data protection: cybersecurity laws like NIS2 (transposed nationally), financial regulation like DORA, public-sector procurement rules, and national rules on AI deployment in sensitive sectors.
Koji's coverage of member-state additions
Rather than ship a separate compliance program per country, Koji operates a single program calibrated to the strictest common denominator across the EU. The same controls that satisfy GDPR and the strictest member-state additions satisfy every other member state.
Where a specific country requires something beyond our standard offering (for example, a German BSI C5 attestation for a public-sector customer, or French SecNumCloud for a defense-adjacent deployment), we discuss the requirement during the enterprise contracting process. Some are in scope today; others require additional configuration; a few are out of scope and we say so.
Member states at a glance
| Country | National law | Regulator | Koji notes |
|---|---|---|---|
| Netherlands | Uitvoeringswet Algemene verordening gegevensbescherming (UAVG / AVG) | Autoriteit Persoonsgegevens (AP) | Koji B.V. is established in the Netherlands; the AP is our lead supervisory authority. SURF Model Verwerkersovereenkomst available for educational customers via the dedicated /edu/compliance hub. |
| Germany | Bundesdatenschutzgesetz (BDSG) + 16 state laws (Landesdatenschutzgesetze) | Federal: BfDI; State: 16 LfDIs (e.g. Bavaria BayLDA, NRW LDI) | Stricter employee data rules under §26 BDSG. Customers in regulated sectors (healthcare, financial, public) can request the C5 cloud-controls overview from our upstream provider AWS. |
| France | Loi Informatique et Libertés (as amended to align with GDPR) | Commission nationale de l'informatique et des libertés (CNIL) | CNIL guidance on cookie consent and AI follows ICO and EDPB guidance closely. SecNumCloud (ANSSI) is on our longer-term roadmap as French defense-adjacent customer demand emerges; available on request for in-scope deployments. |
| Spain | Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD) | Agencia Española de Protección de Datos (AEPD) | Digital rights (Title X) considered as part of customer-deployment configuration where the customer is established in Spain. |
| Italy | Codice in materia di protezione dei dati personali (D.Lgs. 196/2003, as amended) | Garante per la protezione dei dati personali | Garante guidance applies on AI and cookies. Italian Decree 231 (organizational liability) is covered by customer-side governance. |
| Ireland | Data Protection Act 2018 | Data Protection Commission (DPC) | Important for customers with EU HQ in Ireland; the DPC is the lead supervisory authority for many multinational tech vendors. Koji B.V.'s lead remains the Dutch AP. |
| Belgium | Loi du 30 juillet 2018 / Wet betreffende de bescherming van natuurlijke personen | Autorité de protection des données / Gegevensbeschermingsautoriteit (APD/GBA) | Standard GDPR baseline; no significant deviations affecting Koji's processor role. |
| Denmark | Lov om supplerende bestemmelser til forordningen om beskyttelse af fysiske personer | Datatilsynet | Standard GDPR baseline. Strict employee monitoring rules where applicable on customer side. |
| Sweden | Dataskyddslagen | Integritetsskyddsmyndigheten (IMY) | Standard GDPR baseline. |
| Poland | Ustawa o ochronie danych osobowych | Urząd Ochrony Danych Osobowych (UODO) | Standard GDPR baseline. Local representative arrangements available on request. |
| Austria | Datenschutzgesetz (DSG) | Datenschutzbehörde (DSB) | Standard GDPR baseline. |
| Portugal | Lei n.º 58/2019 | Comissão Nacional de Proteção de Dados (CNPD) | Standard GDPR baseline. |
EEA member states outside the EU (Norway, Iceland, Liechtenstein) apply GDPR through the EEA Agreement and have their own supervisory authorities. Coverage is equivalent.
Recurring themes Koji addresses by default
- Employee data protections. Stricter rules in Germany (BDSG §26) and France apply to the customer's own employees; where the customer uses Koji for internal employee research, the customer's lawful-basis selection and consent collection accommodate the stricter rules.
- Healthcare data. Article 9 special categories processing requires explicit member-state-recognized lawful basis on the customer side. Koji's platform supports the additional safeguards (data minimization, restricted access, enhanced retention controls); customer Article 9 processing should be discussed before deployment.
- Cookies and similar technologies. Member-state ePrivacy implementations (TTDSG in Germany, the CNIL deliberation in France, etc.) are honored by Koji's cookie consent banner. See Cookies.
- Public-sector rules. Customers in the EU public sector may have national security-baseline requirements (BSI C5 in Germany, ENS in Spain, ANSSI in France). National public-sector frameworks are on Koji's longer-term roadmap as customer demand emerges; meanwhile, deployments inherit the upstream cloud provider posture (Vercel, Supabase, AWS, Google Cloud), and Koji supports customer-side documentation for evaluations against these frameworks.
Where to start if your country is not listed
The table above lists the EU/EEA member states where Koji has already documented its position based on customer evaluation questions. If your country is missing, email [email protected] with the specific national framework you need to evaluate. We add coverage on a per-customer basis when requested, and we publish the resulting position on this page once it is reusable.
Where supervisory authority sits
Koji B.V. is established in the Netherlands, so the Dutch Autoriteit Persoonsgegevens (AP) is our lead supervisory authority. Customers established in other EU member states interact with their own national authority on customer-side compliance; the AP handles questions about Koji's processing as a processor.
Data subjects always retain the right to complain to their local supervisory authority, regardless of where Koji is established.
Contact
For country-specific contract or processing questions, email [email protected]. For consumer / data-subject questions, email [email protected].