---
title: "EU GDPR Requirements (Regulation (EU) 2016/679)"
canonical_url: "https://www.sorena.io/artifacts/eu/gdpr/requirements"
source_url: "https://www.sorena.io/artifacts/eu/gdpr/requirements"
author: "Sorena AI"
description: "A practical GDPR requirements breakdown: scope (Articles 2-3), principles (Article 5), lawful basis (Article 6-7), transparency (Articles 12-14)."
keywords:
  - "GDPR requirements"
  - "GDPR obligations"
  - "GDPR requirements checklist"
  - "GDPR evidence index"
  - "GDPR Article 30 RoPA"
  - "GDPR Article 28 processor contract"
  - "GDPR Chapter V transfers"
  - "GDPR DSAR requirements"
  - "obligations map"
  - "evidence index"
  - "DSAR"
  - "DPIA"
  - "transfers"
  - "vendors"
---

# EU GDPR Requirements (Regulation (EU) 2016/679)

A practical GDPR requirements breakdown: scope (Articles 2-3), principles (Article 5), lawful basis (Articles 6-7), transparency (Articles 12-14).

*Requirements Guide | EU*

## EU GDPR Requirements

A requirements-to-controls map you can implement and prove.

Focus: obligations, owners, evidence artifacts, and operational workflows.

GDPR requirements become manageable when they are translated into controls and evidence tied to the real processing landscape. The core map should connect scope and roles, Article 5 principles, Article 6 lawful-basis choices, transparency and rights handling, accountability and RoPA maintenance, Article 28 vendor controls, Article 32 security, Articles 33 and 34 breach handling, Article 35 DPIAs, and Chapter V transfers. Each requirement area should have a named owner, a defined workflow, and an exportable set of evidence.

## Scope, principles, and legal basis

The foundation is a coherent scope and purpose model. Without that, everything downstream drifts.

Tie each purpose to the role, lawful basis, notice, retention, and key systems.

- Articles 2 to 4 applicability and definitions.
- Article 5 principles and accountability evidence.
- Article 6 lawful basis per purpose and Article 7 consent proof where relevant.
- Article 27 representative analysis where territorial scope requires it.

## Rights, accountability, and operations

GDPR is operational law. The requirements only become real when you can execute them at system level.

This is where RoPA, DSAR workflows, and processor management connect.

- Articles 12 to 22 rights workflows and logging.
- Article 24 accountability and governance ownership.
- Article 28 processor contracts and sub-processor controls.
- Article 30 RoPA maintenance, including transfers and security measures.
- Article 31 cooperation readiness for supervisory-authority requests.

## Security, risk, transfers, and enforcement

The highest-pressure GDPR moments are usually incidents, DPIAs, and transfer escalations. Build those as disciplined systems, not ad hoc legal projects.

Your evidence map should make those moments easier, not harder.

- Article 32 security controls tied to risk and system design.
- Articles 33 and 34 incident classification, timing, and communication rules.
- Articles 35 and 36 DPIA and prior consultation workflow.
- Articles 44 to 49 transfer mechanisms, adequacy, SCCs, TIAs, and derogations.
- Articles 58, 83, and 84 enforcement and penalty context.

*Recommended next step*

## Turn EU GDPR Requirements into an operational assessment

Assessment Autopilot can take EU GDPR Requirements from a list of obligations to assigned actions and a reusable workflow inside Sorena. Teams working on EU GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for EU GDPR Requirements](/solutions/assessment.md): Start from EU GDPR Requirements and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through EU GDPR](/contact.md): Review your current process, evidence gaps, and next steps for EU GDPR Requirements.

## Primary sources

- [GDPR full text - Regulation (EU) 2016/679](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary source for the obligations map.
- [EDPB Guidelines 07/2020 on controller and processor concepts](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en?ref=sorena.io) - Useful official interpretation for role allocation.
- [European Commission: Standard Contractual Clauses overview](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Official source for current transfer-tool implementation.
- [Irish DPC guidance on Records of Processing under Article 30](https://www.dataprotection.ie/en/dpc-guidance/records-of-processing-article-30-guidance?ref=sorena.io) - Useful official accountability guidance for RoPA design.

## Related Topic Guides

- [EU GDPR Checklist (Regulation (EU) 2016/679) | Audit-Ready Controls, Owners, Evidence, and Common Pitfalls](/artifacts/eu/gdpr/checklist.md): An audit-ready GDPR checklist: scope and role mapping, lawful basis and consent, transparency and notices, DSAR workflows, DPIA governance, security measures.
- [EU GDPR Compliance Guide | Build a Repeatable Program: Inventory, Controls, Evidence, and Operating Cadence](/artifacts/eu/gdpr/compliance.md): An execution-oriented GDPR compliance guide for Regulation (EU) 2016/679: program setup, governance, control design, evidence exports.
- [EU GDPR FAQ | Practical Answers: Scope, Consent, DSAR, DPIA, Breach (72h), Transfers/SCCs, Vendor Contracts](/artifacts/eu/gdpr/faq.md): Frequently asked GDPR questions answered with practical implementation guidance: does GDPR apply (Article 3), what counts as personal data.
- [GDPR Applicability Test (Article 2-3) | Territorial Scope, Establishment vs Targeting, Roles, and Edge Cases](/artifacts/eu/gdpr/applicability-test.md): A practical GDPR applicability test for Regulation (EU) 2016/679: check material scope (Article 2), territorial scope (Article 3), establishment vs targeting.
- [GDPR Breach Notification (72 Hours) | Article 33-34 Workflow, Awareness Timestamp, Risk Test, and Evidence Pack](/artifacts/eu/gdpr/breach-notification-72-hours.md): An execution-ready guide to GDPR breach notification built on Articles 33 and 34, the EDPB breach-notification guidelines.
- [GDPR Data Subject Rights + DSAR Workflow | Articles 12-22 Playbook: Intake, Identity, Search, Response, Exceptions, Evidence](/artifacts/eu/gdpr/data-subject-rights-and-dsar-workflow.md): A practical DSAR (data subject access request) playbook for GDPR Articles 12-22: build intake and identity verification, define system search scope.
- [GDPR Deadlines and Compliance Calendar | DSAR 1-Month SLA, Breach 72 Hours, DPIA Cadence, Vendor Reviews, Transfer Monitoring](/artifacts/eu/gdpr/deadlines-and-compliance-calendar.md): A grounded GDPR compliance calendar that combines fixed legal milestones, 27 April 2016 adoption, 25 May 2018 application, the 2021 SCC overhaul.
- [GDPR DPIA (Article 35) + Risk Management | Triggers, Template, Controls, Residual Risk Sign-off, and Prior Consultation (Article 36)](/artifacts/eu/gdpr/dpia-and-risk-management.md): A practical DPIA guide for GDPR Articles 35-36: how to screen for DPIA triggers, run a risk assessment focused on rights/freedoms.
- [GDPR International Transfers (Chapter V) + SCCs | Transfer Map, Adequacy, SCC Packs, TIA, Supplementary Measures, and Monitoring](/artifacts/eu/gdpr/international-transfers-and-sccs.md): A practical guide to GDPR international transfers (Chapter V): how to build a transfer map, choose mechanisms (adequacy vs SCCs).
- [GDPR Lawful Basis (Article 6) + Consent (Article 7) | How to Choose, Document, Implement, and Prove Compliance](/artifacts/eu/gdpr/lawful-basis-and-consent.md): A practical guide to GDPR lawful bases (Article 6) and consent (Article 7): how to select a lawful basis per purpose, when consent is appropriate vs risky.
- [GDPR Penalties and Fines | Articles 83-84 Explained + Risk Reduction Controls and Evidence](/artifacts/eu/gdpr/penalties-and-fines.md): A practical penalties guide for GDPR enforcement: how administrative fines work under Articles 83-84, what factors drive exposure (purpose drift.
- [GDPR Processor Contracts (Article 28) + Vendor Management | DPA Checklist, Sub-processors, Security Evidence, Transfers/SCCs](/artifacts/eu/gdpr/processor-contracts-and-vendor-management.md): A practical vendor management guide for GDPR: how to operationalize Article 28 processor contracts, define controller vs processor roles.
- [GDPR RoPA Template (Article 30) | Record of Processing Activities: Fields, Examples, and Evidence Tips](/artifacts/eu/gdpr/record-of-processing-activities-template.md): A practical Record of Processing Activities (RoPA) template for GDPR Article 30: controller and processor fields.
- [GDPR vs CCPA/CPRA | Key Differences in Scope, Rights, Legal Bases, and Operational Compliance (DSAR, Vendors, Transfers)](/artifacts/eu/gdpr/gdpr-vs-ccpa.md): A practical comparison of GDPR (EU) and CCPA/CPRA (California): differences in applicability triggers, roles, legal bases versus sale/share models.
- [GDPR vs UK GDPR | Practical Differences for Scope, Enforcement, Transfers (EU SCCs vs UK IDTA/Addendum), and Evidence](/artifacts/eu/gdpr/gdpr-vs-uk-gdpr.md): A practical comparison of EU GDPR and UK GDPR: territorial scope triggers, regulator structure (one-stop-shop vs ICO), cross-border processing implications.

(c) 2026 Sorena AB (559573-7338). All rights reserved.
