
EU GDPR Compliance Hub

Turn Regulation (EU) 2016/679 into an execution plan: scope your processing, choose lawful bases, operationalize DSAR and breach workflows, engineer transfer safeguards, and keep audit-ready evidence.

This is a practical reference, not legal advice. GDPR interpretation and supervisory authority expectations can vary by case and jurisdiction; validate against your processing context and relevant guidance.

Publication details
Editorial metadata for this artifact
Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026
What you can decide faster
  • Scope and roles: Territorial scope, establishment/targeting, and controller vs processor boundaries.
  • Transfers: When Chapter V applies and how to operationalize SCCs + supplementary measures.
  • Operational workflows: DSAR, breach response, DPIAs, and vendor governance with evidence.
By Sorena AI | Updated Mar 2026 | No signup required
Quick scan: GDPR
  • Applicability: Run the Article 2-3 applicability test and role mapping.
  • Controls: Implement lawful basis, DSAR, breach, DPIA, and vendor controls.
  • Evidence: Build an exportable evidence index for audits and regulators.
Use the decision flow to scope applicability, then follow the subpages to implement controls and evidence that hold up under scrutiny.
  • 2016: Regulation
  • 2018: Applies
  • 72h: Breach notify
  • 1m: DSAR target
Scope first
Transfers matter
Evidence wins
GDPR Timeline

Key dates and moments for privacy programs

Use the timeline to align your GDPR operating rhythm: DSAR SLAs, breach response, DPIA governance, and transfer safeguards.

GDPR Decision Flow

Does the GDPR apply to your processing

Follow a structured path to clarify scope and role assumptions, then turn outcomes into prioritized obligations and evidence work.


Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1. EU GDPR Checklist (Regulation (EU) 2016/679) | Audit-Ready Controls, Owners, Evidence, and Common Pitfalls
   An audit-ready GDPR checklist: scope and role mapping, lawful basis and consent, transparency and notices, DSAR workflows, DPIA governance, security measures.

2. EU GDPR Compliance Guide | Build a Repeatable Program: Inventory, Controls, Evidence, and Operating Cadence
   An execution-oriented GDPR compliance guide for Regulation (EU) 2016/679: program setup, governance, control design, evidence exports.

3. EU GDPR FAQ | Practical Answers: Scope, Consent, DSAR, DPIA, Breach (72h), Transfers/SCCs, Vendor Contracts
   Frequently asked GDPR questions answered with practical implementation guidance: does GDPR apply (Article 3), what counts as personal data.

4. EU GDPR Requirements (Regulation (EU) 2016/679) | Obligations Map: Scope, Rights, Security, DPIA, Vendors, Transfers + Evidence Index
   A practical GDPR requirements breakdown: scope (Articles 2-3), principles (Article 5), lawful basis (Article 6-7), transparency (Articles 12-14).

5. GDPR Applicability Test (Article 2-3) | Territorial Scope, Establishment vs Targeting, Roles, and Edge Cases
   A practical GDPR applicability test for Regulation (EU) 2016/679: check material scope (Article 2), territorial scope (Article 3), establishment vs targeting.

6. GDPR Breach Notification (72 Hours) | Article 33-34 Workflow, Awareness Timestamp, Risk Test, and Evidence Pack
   An execution-ready guide to GDPR breach notification built on Articles 33 and 34, the EDPB breach-notification guidelines.

7. GDPR Data Subject Rights + DSAR Workflow | Articles 12-22 Playbook: Intake, Identity, Search, Response, Exceptions, Evidence
   A practical DSAR (data subject access request) playbook for GDPR Articles 12-22: build intake and identity verification, define system search scope.

8. GDPR Deadlines and Compliance Calendar | DSAR 1-Month SLA, Breach 72 Hours, DPIA Cadence, Vendor Reviews, Transfer Monitoring
   A grounded GDPR compliance calendar that combines fixed legal milestones, 27 April 2016 adoption, 25 May 2018 application, the 2021 SCC overhaul.

9. GDPR DPIA (Article 35) + Risk Management | Triggers, Template, Controls, Residual Risk Sign-off, and Prior Consultation (Article 36)
   A practical DPIA guide for GDPR Articles 35-36: how to screen for DPIA triggers, run a risk assessment focused on rights/freedoms.

10. GDPR International Transfers (Chapter V) + SCCs | Transfer Map, Adequacy, SCC Packs, TIA, Supplementary Measures, and Monitoring
    A practical guide to GDPR international transfers (Chapter V): how to build a transfer map, choose mechanisms (adequacy vs SCCs).

11. GDPR Lawful Basis (Article 6) + Consent (Article 7) | How to Choose, Document, Implement, and Prove Compliance
    A practical guide to GDPR lawful bases (Article 6) and consent (Article 7): how to select a lawful basis per purpose, when consent is appropriate vs risky.

12. GDPR Penalties and Fines | Articles 83-84 Explained + Risk Reduction Controls and Evidence
    A practical penalties guide for GDPR enforcement: how administrative fines work under Articles 83-84, what factors drive exposure (purpose drift.

13. GDPR Processor Contracts (Article 28) + Vendor Management | DPA Checklist, Sub-processors, Security Evidence, Transfers/SCCs
    A practical vendor management guide for GDPR: how to operationalize Article 28 processor contracts, define controller vs processor roles.

14. GDPR RoPA Template (Article 30) | Record of Processing Activities: Fields, Examples, and Evidence Tips
    A practical Record of Processing Activities (RoPA) template for GDPR Article 30: controller and processor fields.

15. GDPR vs CCPA/CPRA | Key Differences in Scope, Rights, Legal Bases, and Operational Compliance (DSAR, Vendors, Transfers)
    A practical comparison of GDPR (EU) and CCPA/CPRA (California): differences in applicability triggers, roles, legal bases versus sale/share models.

16. GDPR vs UK GDPR | Practical Differences for Scope, Enforcement, Transfers (EU SCCs vs UK IDTA/Addendum), and Evidence
    A practical comparison of EU GDPR and UK GDPR: territorial scope triggers, regulator structure (one-stop-shop vs ICO), cross-border processing implications.

Next step

Turn EU GDPR Compliance Hub into a cited research workflow

EU GDPR Compliance Hub should be the shared entry point for your team. Route execution into Research Copilot for live work and into SSOT when the artifact needs deeper research, evidence governance, or supporting analysis.

What this unlocks
  • Start from EU GDPR Compliance Hub and route the work by entity, product, team, or control owner.
  • Use Research Copilot to answer scope, timing, and interpretation questions with cited outputs.
  • Use SSOT to keep documents, evidence, and control records in one governed system.
  • Move from artifact reading to accountable execution without rebuilding the guidance in separate files.