Originally published at htpbe.tech. The version on htpbe.tech stays in sync with the latest detection algorithm — refer to it for the canonical text.
A fintech compliance lead at a Dutch lending platform asks this question in a DPIA workshop: “When we send a customer’s bank statement to the fraud detection API, who is the controller, who is the processor, and what personal data is being transferred?”
That is the right question. The answer depends entirely on what the API does with the document, and most document fraud detection API integrations do not make this clear. This article explains how structural PDF analysis differs from reading the document's contents, what the GDPR implications are in practice, and what your DPIA should cover when integrating a GDPR-compliant document fraud detection API in Europe.
What the Compliance Question Is
When a customer uploads a bank statement, payslip, or contract to your platform, that document contains personal data: name, address, account number, transaction history, salary, employer details. Under the GDPR, your organisation is the controller of that data. You decide the purposes and means of processing.