GDPRFree Resource
EU GDPR Scope, Roles, Rights, and Transfers
Use this hub to turn Regulation (EU) 2016/679 into a processing-by-processing compliance map: confirm material and territorial scope, assign controller, joint-controller, and processor roles, record the Article 6 lawful basis, and connect each processing activity to rights handling, security, DPIA, breach, transfer, and evidence obligations.
This is operational guidance, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation. The root page stays within GDPR-level rules and official guidance; member-state derogations, authority-specific procedures, and case-specific interpretations must be validated separately before use.
Start with the GDPR checklistPublication details
Editorial metadata for this artifact
Author
Sorena AI
Published
Feb 21, 2026
Updated
May 26, 2026
GDPR questions this hub helps resolve
Scope and roles
Check whether the processing falls within GDPR Articles 2 and 3, then name the controller, joint controllers, processors, recipients, EU representative, and supervisory-authority touchpoints for that processing activity.
Lawful basis and rights
Tie each purpose to an Article 6 lawful basis, special-category or criminal-offence conditions where relevant, privacy notice content, Article 12 response timing, and the rights that apply to access, rectification, erasure, restriction, portability, objection, and automated decisions.
Risk, incidents, and transfers
Decide whether Article 35 DPIA work is required, prepare Article 33 breach notification evidence, and document Chapter V transfer routes such as adequacy decisions, SCCs, supplementary measures, or narrow Article 49 derogations.
By Sorena AIUpdated 2026No signup required
Quick scan
GDPRProcessing inventory
Start from Article 30-style records: purposes, categories of data subjects and personal data, recipients, retention periods, transfer destinations, and security measures.
Operational controls
For each processing activity, connect the lawful basis to privacy notices, consent or legitimate-interest evidence, rights intake, processor contracts, access controls, and DPIA triggers.
Regulator-ready evidence
Keep signed role decisions, Article 28 processor terms, DSAR logs, breach assessments, DPIAs, transfer assessments, SCC modules, and remediation records together.
Use the linked GDPR subpages to move from scope and role mapping into concrete checklists, rights workflows, DPIA records, breach handling, SCC transfer work, and penalties analysis.
Art. 2-3
Scope
Art. 6
Lawful basis
72h
Breach notice
Art. 83
Fines
Map processing
Name roles
Document evidence
GDPR Timeline
Key operating clocks for GDPR privacy programs
Track GDPR work that has legal or operational timing pressure: one-month rights responses under Article 12, 72-hour supervisory-authority breach notification where feasible under Article 33, DPIA and prior-consultation gates before high-risk processing, processor-contract reviews, and recurring transfer reassessments.
Loading timeline...
Topic guides
Deep dive pages for implementation planning, controls, reporting, and evidence.
1
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
Read Guide
2
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
Read Guide
3
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
Read Guide
4
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
Read Guide
5
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
Read Guide
6
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
Read Guide
7
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
Read Guide
8
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
Read Guide
9
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
Read Guide
10
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
Read Guide
11
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
Read Guide
12
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
Read Guide
13
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
Read Guide
14
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
Read Guide
15
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
Read Guide
16
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
Read Guide
17
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
Read Guide
18
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
Read Guide
19
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
Read Guide
20
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
Read Guide
21
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
Read Guide
22
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
Read Guide
23
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
Read Guide
24
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
Read Guide
25
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
Read Guide
26
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
Read Guide
27
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
Read Guide
28
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
Read Guide
29
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
Read Guide
30
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
Read Guide
31
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
Read Guide
32
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
Read Guide
33
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
Read Guide
Next step
Turn GDPR scope decisions into owned privacy work
Use this GDPR hub as the shared entry point for processing inventory, role mapping, lawful-basis records, rights operations, DPIA triage, breach readiness, transfer governance, and accountability evidence.
What this unlocks
- Start from one processing activity and record the purpose, data categories, data subjects, recipients, retention period, transfer destination, and security controls.
- Use Research Copilot for cited questions about scope, controller and processor status, lawful basis, rights, DPIA triggers, breach notification, SCCs, adequacy, and Article 83 penalty exposure.
- Use SSOT to keep RoPA records, Article 28 contracts, DSAR logs, breach assessments, DPIAs, transfer assessments, SCCs, and remediation evidence connected to owners and review dates.
- Route unsupported national-law questions, authority-specific procedures, and case-specific transfer risks to counsel instead of treating this root artifact as a complete legal opinion.
Recommended route
Open Research Copilot
Answer GDPR scope, role, lawful-basis, rights, breach, DPIA, transfer, and penalty questions with cited official sources.
Supporting route
Open SSOT
Keep processing records, contracts, assessments, incident logs, SCCs, and control evidence in one governed system.
Talk to Sorena
Talk through GDPR implementation
Review your processing map, evidence model, transfer posture, and next implementation steps.
Discuss your setup
Share it internally
Download the timeline export to align legal, product, engineering, and commercial teams on milestones and deadlines.