---
title: "EU GDPR (Regulation (EU) 2016/679) Compliance Hub"
canonical_url: "https://www.sorena.io/artifacts/eu/gdpr"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation"
author: "Sorena AI"
description: "A practical GDPR compliance hub for Regulation (EU) 2016/679: run Article 2 to 3 scope analysis, choose and document lawful bases."
published_at: "2026-02-21"
updated_at: "2026-02-21"
keywords:
  - "GDPR compliance"
  - "Regulation (EU) 2016/679"
  - "GDPR applicability test"
  - "GDPR checklist"
  - "GDPR DSAR workflow"
  - "GDPR DPIA"
  - "GDPR breach notification 72 hours"
  - "GDPR international transfers SCCs"
  - "GDPR processor contract Article 28"
  - "GDPR lawful basis Article 6"
  - "GDPR consent Article 7"
  - "GDPR"
  - "DSAR"
  - "international transfers"
  - "SCCs"
  - "DPIA"
  - "breach notification"
---

# EU GDPR (Regulation (EU) 2016/679) Compliance Hub

A practical GDPR compliance hub for Regulation (EU) 2016/679: run Article 2 to 3 scope analysis, choose and document lawful bases.

![EU GDPR artifact preview](https://cdn.sorena.io/cdn-cgi/image/format=auto/cheatsheets/prod/sorena-ai-eu-gdpr-timeline-small.jpg?v=cheatsheets%2Fprod)


## EU GDPR Compliance Hub

Turn Regulation (EU) 2016/679 into an execution plan: scope your processing, choose lawful bases, operationalize DSAR and breach workflows, engineer transfer safeguards, and keep audit-ready evidence.

This is a practical reference, not legal advice. GDPR interpretation and supervisory authority expectations can vary by case and jurisdiction; validate against your processing context and relevant guidance.

[Start with the checklist](/artifacts/eu/gdpr/checklist.md)

## What you can decide faster

- **Scope and roles**: Territorial scope, establishment/targeting, and controller vs processor boundaries.
- **Transfers**: When Chapter V applies and how to operationalize SCCs + supplementary measures.
- **Operational workflows**: DSAR, breach response, DPIAs, and vendor governance with evidence.

By Sorena AI | Updated Mar 2026 | No signup required

### Quick scan


- **Applicability**: Run the Article 2-3 applicability test and role mapping.
- **Controls**: Implement lawful basis, DSAR, breach, DPIA, and vendor controls.
- **Evidence**: Build an exportable evidence index for audits and regulators.

Use the decision flow to scope applicability, then follow the subpages to implement controls and evidence that hold up under scrutiny.

| Value | Meaning |
| --- | --- |
| 2016 | Regulation adopted |
| 2018 | Regulation applies |
| 72h | Breach notification to supervisory authority |
| 1m | DSAR response target |

**Key highlights:** Scope first | Transfers matter | Evidence wins

## Topic Guides

- [EU GDPR Checklist (Regulation (EU) 2016/679) | Audit-Ready Controls, Owners, Evidence, and Common Pitfalls](/artifacts/eu/general-data-protection-regulation/checklist.md): An audit-ready GDPR checklist: scope and role mapping, lawful basis and consent, transparency and notices, DSAR workflows, DPIA governance, security measures.
- [EU GDPR Compliance Guide | Build a Repeatable Program: Inventory, Controls, Evidence, and Operating Cadence](/artifacts/eu/general-data-protection-regulation/compliance.md): An execution-oriented GDPR compliance guide for Regulation (EU) 2016/679: program setup, governance, control design, evidence exports.
- [EU GDPR FAQ | Practical Answers: Scope, Consent, DSAR, DPIA, Breach (72h), Transfers/SCCs, Vendor Contracts](/artifacts/eu/general-data-protection-regulation/faq.md): Frequently asked GDPR questions answered with practical implementation guidance: does GDPR apply (Article 3), what counts as personal data.
- [EU GDPR Requirements (Regulation (EU) 2016/679) | Obligations Map: Scope, Rights, Security, DPIA, Vendors, Transfers + Evidence Index](/artifacts/eu/general-data-protection-regulation/requirements.md): A practical GDPR requirements breakdown: scope (Articles 2-3), principles (Article 5), lawful basis (Article 6-7), transparency (Articles 12-14).
- [GDPR Applicability Test (Article 2-3) | Territorial Scope, Establishment vs Targeting, Roles, and Edge Cases](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A practical GDPR applicability test for Regulation (EU) 2016/679: check material scope (Article 2), territorial scope (Article 3), establishment vs targeting.
- [GDPR Breach Notification (72 Hours) | Article 33-34 Workflow, Awareness Timestamp, Risk Test, and Evidence Pack](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): An execution-ready guide to GDPR breach notification built on Articles 33 and 34, the EDPB breach-notification guidelines.
- [GDPR Data Subject Rights + DSAR Workflow | Articles 12-22 Playbook: Intake, Identity, Search, Response, Exceptions, Evidence](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): A practical DSAR (data subject access request) playbook for GDPR Articles 12-22: build intake and identity verification, define system search scope.
- [GDPR Deadlines and Compliance Calendar | DSAR 1-Month SLA, Breach 72 Hours, DPIA Cadence, Vendor Reviews, Transfer Monitoring](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): A grounded GDPR compliance calendar that combines fixed legal milestones, 27 April 2016 adoption, 25 May 2018 application, the 2021 SCC overhaul.
- [GDPR DPIA (Article 35) + Risk Management | Triggers, Template, Controls, Residual Risk Sign-off, and Prior Consultation (Article 36)](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): A practical DPIA guide for GDPR Articles 35-36: how to screen for DPIA triggers, run a risk assessment focused on rights/freedoms.
- [GDPR International Transfers (Chapter V) + SCCs | Transfer Map, Adequacy, SCC Packs, TIA, Supplementary Measures, and Monitoring](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): A practical guide to GDPR international transfers (Chapter V): how to build a transfer map, choose mechanisms (adequacy vs SCCs).
- [GDPR Lawful Basis (Article 6) + Consent (Article 7) | How to Choose, Document, Implement, and Prove Compliance](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): A practical guide to GDPR lawful bases (Article 6) and consent (Article 7): how to select a lawful basis per purpose, when consent is appropriate vs risky.
- [GDPR Penalties and Fines | Articles 83-84 Explained + Risk Reduction Controls and Evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): A practical penalties guide for GDPR enforcement: how administrative fines work under Articles 83-84, what factors drive exposure (purpose drift.
- [GDPR Processor Contracts (Article 28) + Vendor Management | DPA Checklist, Sub-processors, Security Evidence, Transfers/SCCs](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): A practical vendor management guide for GDPR: how to operationalize Article 28 processor contracts, define controller vs processor roles.
- [GDPR RoPA Template (Article 30) | Record of Processing Activities: Fields, Examples, and Evidence Tips](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): A practical Record of Processing Activities (RoPA) template for GDPR Article 30: controller and processor fields.
- [GDPR vs CCPA/CPRA | Key Differences in Scope, Rights, Legal Bases, and Operational Compliance (DSAR, Vendors, Transfers)](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): A practical comparison of GDPR (EU) and CCPA/CPRA (California): differences in applicability triggers, roles, legal bases versus sale/share models.
- [GDPR vs UK GDPR | Practical Differences for Scope, Enforcement, Transfers (EU SCCs vs UK IDTA/Addendum), and Evidence](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): A practical comparison of EU GDPR and UK GDPR: territorial scope triggers, regulator structure (one-stop-shop vs ICO), cross-border processing implications.

## Key dates and moments for privacy programs

*GDPR Timeline*

Use the timeline to align your GDPR operating rhythm: DSAR SLAs, breach response, DPIA governance, and transfer safeguards.

## Does the GDPR apply to your processing

*GDPR Decision Flow*

Follow a structured path to clarify scope and role assumptions, then turn outcomes into prioritized obligations and evidence work.


## Turn EU GDPR Compliance Hub into a cited research workflow

EU GDPR Compliance Hub should be the shared entry point for your team. Route execution into Research Copilot for live work and into SSOT when the artifact needs deeper research, evidence governance, or supporting analysis.

- Start from EU GDPR Compliance Hub and route the work by entity, product, team, or control owner.
- Use Research Copilot to answer scope, timing, and interpretation questions with cited outputs.
- Use SSOT to keep documents, evidence, and control records in one governed system.
- Move from artifact reading to accountable execution without rebuilding the guidance in separate files.

- [Open Research Copilot](/solutions/research-copilot.md): Answer scope, timing, and interpretation questions with cited outputs for EU GDPR Compliance Hub.
- [Open SSOT](/solutions/ssot.md): Keep documents, evidence, and control records in one governed system from the same artifact.
- **Download decision flow**: Share the scope logic with your team.
- **Download timeline**: Align your plan with key dates.
- [Talk through EU GDPR Compliance Hub](/contact.md): Review your current process, evidence model, and next steps for EU GDPR Compliance Hub.

## Decision Steps

### STEP 1: Do you process personal data?

*Reference: Art. 2(1) & Art. 4(1)-(2)*

- Personal data = any information relating to an identified or identifiable natural person.
- Processing = any operation performed on personal data (collection, recording, storage, use, disclosure, erasure, etc.).
- If yes: check if GDPR applies to your processing activity.
- If no: GDPR does not apply.

- **NO** GDPR Does Not Apply
- **YES** Is your processing within the material scope of GDPR?

### STEP 2: Is your processing within the material scope of GDPR?

*Reference: Art. 2(1)-(2)*

- GDPR applies to processing of personal data wholly or partly by automated means, or other processing that forms part of a filing system (Art. 2(1)).
- GDPR does NOT apply to: processing outside the scope of Union law; Member State activities under TEU Title V Chapter 2 (CFSP); purely personal or household activities; processing for law enforcement purposes covered by LED (Directive (EU) 2016/680) (Art. 2(2)).
- If excluded: GDPR does not apply to this specific processing activity.

- **NO** GDPR Does Not Apply
- **YES** Does GDPR apply to your processing based on territorial scope?

### STEP 3: Does GDPR apply to your processing based on territorial scope?

*Reference: Art. 3*

- GDPR applies if ANY of the following criteria are met:
  1. Establishment criterion (Art. 3(1)): processing in the context of activities of an establishment of controller or processor in the Union, regardless of where processing takes place.
  2. Targeting criterion (Art. 3(2)): processing of personal data of data subjects who are in the Union by a controller/processor not established in the Union, where activities relate to (a) offering goods/services to such data subjects in the Union, or (b) monitoring their behavior as far as it takes place within the Union.
  3. Public international law (Art. 3(3)): processing by a controller not established in the Union but in a place where Member State law applies by virtue of public international law.
- If yes to any: GDPR applies. If no to all: GDPR does not apply.

- **NO** GDPR Does Not Apply
- **YES** Do you determine the purposes and means of processing (i.e., are you a controller)?

### STEP 4: Do you determine the purposes and means of processing (i.e., are you a controller)?

*Reference: Art. 4(7)-(8)*

- If yes: you are a controller (Art. 4(7)) and controller obligations apply.
- If no: you may be a processor processing personal data on behalf of a controller (Art. 4(8)) - processor obligations apply.
- Joint controllers (Art. 26): two or more controllers may jointly determine purposes and means; allocate responsibilities via an arrangement.
- A single organization can be controller for some processing and processor for other processing.

- **YES** You are a controller - GDPR applies to your processing
- **NO** Are you not established in the Union and subject to GDPR under the targeting criterion (Art. 3(2))?

### CONTROLLER TRACK: You are a controller - GDPR applies to your processing

*Reference: Art. 4(7)*

- As controller, you determine the purposes and means of processing.
- You must comply with all GDPR principles, lawful bases, data subject rights, controller obligations, security, breach notification, DPIA (if required), DPO (if required), and international transfer rules.
- Proceed to determine your key obligations.

- **NEXT** Do you have a lawful basis for processing?

### ART. 3(2) CHECK: Are you not established in the Union and subject to GDPR under the targeting criterion (Art. 3(2))?

*Reference: Art. 3(2) & Art. 27*

- This check determines whether you may need to designate an EU representative (Art. 27).
- Answer yes only if: (1) you are not established in the Union, and (2) your processing relates to offering goods/services to data subjects who are in the Union or monitoring their behavior within the Union (Art. 3(2)).

- **YES** If Art. 3(2) applies and you are not established in the Union, must you designate a representative in the Union?
- **NO** GDPR Applies (Processor Obligations)

### ART. 27 (PROCESSOR): If Art. 3(2) applies and you are not established in the Union, must you designate a representative in the Union?

*Reference: Art. 27*

- Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union (Art. 27(1)).
- Exceptions (Art. 27(2)): (a) occasional processing, unlikely to result in risk, not including special categories or criminal data on a large scale; (b) public authority or body.
- Representative must be established in one of the Member States where the data subjects whose personal data are processed (in relation to offering them goods/services or monitoring their behavior) are located (Art. 27(3)).
- Representative acts as contact point for supervisory authorities and data subjects on all issues related to processing (Art. 27(4)).
- Designating a representative does not affect controller/processor liability (Art. 27(5)).
- Provide the representative's identity and contact details to data subjects (Arts. 13-14).

- **YES** GDPR Applies (Processor, designate EU representative)
- **NO** GDPR Applies (Processor Obligations)

### STEP 5: Do you have a lawful basis for processing?

*Reference: Art. 6(1)*

- Processing is lawful only if at least one of the following applies (Art. 6(1)):
- (a) Consent: data subject has given consent for specific purpose(s).
- (b) Contract: processing necessary for performance of contract with data subject, or to take pre-contractual steps.
- (c) Legal obligation: processing necessary for compliance with a legal obligation.
- (d) Vital interests: processing necessary to protect vital interests of data subject or another person.
- (e) Public task: processing necessary for performance of a task in the public interest or in exercise of official authority.
- (f) Legitimate interests: processing necessary for purposes of legitimate interests of controller or third party (except where overridden by data subject's interests/rights, especially for children). Not available for public authorities in performance of their tasks.
- You must identify and document your lawful basis before processing.

- **NEXT** Do you process special categories of personal data?

### STEP 6: Do you process special categories of personal data?

*Reference: Art. 9*

- Special categories (Art. 9(1)): racial/ethnic origin, political opinions, religious/philosophical beliefs, trade union membership, genetic data, biometric data (for unique identification), health data, data concerning sex life or sexual orientation.
- Processing special categories is PROHIBITED unless an Art. 9(2) exception applies (Art. 9(1)).
- If you process special categories: you must identify an Art. 9(2) exception AND an Art. 6(1) lawful basis.
- If you process data on criminal convictions/offences: Art. 10 applies (processing only under official authority control or when authorized by Union/Member State law).

- **NEXT** Is a Data Protection Impact Assessment (DPIA) required?

### STEP 7: Is a Data Protection Impact Assessment (DPIA) required?

*Reference: Art. 35*

- DPIA required when processing is likely to result in high risk to rights/freedoms, in particular when using new technologies (Art. 35(1)).
- DPIA always required for (Art. 35(3)): (a) systematic and extensive evaluation of personal aspects based on automated processing (including profiling) on which decisions are based that produce legal/similarly significant effects; (b) large-scale processing of special categories (Art. 9(1)) or criminal convictions/offences (Art. 10); (c) systematic monitoring of publicly accessible area on a large scale.
- Supervisory authorities may publish lists of processing requiring DPIA (Art. 35(4)) and processing NOT requiring DPIA (Art. 35(5)).
- If DPIA shows high risk in absence of mitigation measures: must consult supervisory authority before processing (Art. 36).
- DPIA not required if: processing has legal basis in Union/Member State law regulating the specific operation and a DPIA was already done as part of general impact assessment (Art. 35(10)); or processing is on the supervisory authority's 'not required' list (Art. 35(5)).

- **NEXT** Must you designate a Data Protection Officer (DPO)?

### STEP 8: Must you designate a Data Protection Officer (DPO)?

*Reference: Art. 37*

- DPO mandatory in the following cases (Art. 37(1)):
- (a) Processing by public authority or body (except courts acting in judicial capacity).
- (b) Core activities consist of processing operations which, by their nature/scope/purposes, require regular and systematic monitoring of data subjects on a large scale.
- (c) Core activities consist of large-scale processing of special categories (Art. 9) or criminal convictions/offences (Art. 10).
- In other cases, DPO designation is optional but may be required by Union or Member State law (Art. 37(4)).
- A group of undertakings may appoint a single DPO if easily accessible from each establishment (Art. 37(2)).
- If DPO not required: no obligation to designate, but you may do so voluntarily.

- **NEXT** Do you transfer personal data to third countries or international organizations?

### STEP 9: Do you transfer personal data to third countries or international organizations?

*Reference: Chapter V (Arts. 44-50)*

- Chapter V applies to any transfer of personal data to a third country (outside EU/EEA) or international organization.
- General principle (Art. 44): Level of protection must not be undermined.
- Transfers permitted only if conditions in Chapter V are met.
- Main transfer mechanisms: (1) Adequacy decision (Art. 45); (2) Appropriate safeguards (Art. 46); (3) Derogations for specific situations (Art. 49).
- If you transfer to third countries: identify and implement appropriate transfer mechanism.

- **NEXT** Are you not established in the Union and subject to GDPR under the targeting criterion (Art. 3(2))?

### ART. 3(2) CHECK: Are you not established in the Union and subject to GDPR under the targeting criterion (Art. 3(2))?

*Reference: Art. 3(2) & Art. 27*

- This check determines whether you may need to designate an EU representative (Art. 27).
- Answer yes only if: (1) you are not established in the Union, and (2) your processing relates to offering goods/services to data subjects who are in the Union or monitoring their behavior within the Union (Art. 3(2)).

- **YES** If Art. 3(2) applies and you are not established in the Union, must you designate a representative in the Union?
- **NO** GDPR Applies (Controller)

### ART. 3(2) TRACK: If Art. 3(2) applies and you are not established in the Union, must you designate a representative in the Union?

*Reference: Art. 27*

- Where Article 3(2) applies, the controller or the processor shall designate in writing a representative in the Union (Art. 27(1)).
- Exceptions (Art. 27(2)): (a) occasional processing, unlikely to result in risk, not including special categories or criminal data on large scale; (b) public authority or body.
- Representative must be established in one of the Member States where the data subjects whose personal data are processed (in relation to offering them goods/services or monitoring their behavior) are located (Art. 27(3)).
- Representative acts as contact point for supervisory authorities and data subjects on all GDPR-related issues (Art. 27(4)).
- Designating a representative does not affect controller/processor liability or data subjects' rights (Art. 27(5)).
- Provide representative's identity and contact details to data subjects (Arts. 13-14).

- **YES** GDPR Applies (Designate EU Representative)
- **NO** GDPR Applies (Controller)
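The nine decision steps and both Art. 27 checks above, encoded as one pure function so a processing inventory can be screened the same way every time. This is an added example, not Sorena's tooling; the `ProcessingActivity` field names, the exclusion/basis/mechanism labels and the four sample rows are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

MATERIAL_SCOPE_EXCLUSIONS = {"outside_union_law", "cfsp", "household", "law_enforcement_led"}  # Art. 2(2)
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests", "public_task", "legitimate_interests"}  # Art. 6(1)
TRANSFER_MECHANISMS = {"adequacy", "appropriate_safeguards", "derogation"}  # Arts. 45, 46, 49

@dataclass
class ProcessingActivity:
    """One processing-inventory row; every field name here is an assumption."""
    name: str
    processes_personal_data: bool = True            # Step 1
    automated_or_filing_system: bool = True         # Step 2, Art. 2(1)
    exclusion: str | None = None                    # Step 2, one of MATERIAL_SCOPE_EXCLUSIONS
    established_in_union: bool = False              # Step 3, Art. 3(1)
    offers_goods_or_services_to_eu: bool = False    # Art. 3(2)(a)
    monitors_behaviour_in_eu: bool = False          # Art. 3(2)(b)
    public_international_law_applies: bool = False  # Art. 3(3)
    determines_purposes_and_means: bool = True      # Step 4: controller if True
    public_authority: bool = False                  # Arts. 6(1)(f), 27(2)(b), 37(1)(a)
    lawful_basis: str | None = None                 # Step 5
    special_categories: bool = False                # Step 6
    art9_exception: str | None = None               # Art. 9(2)(a)-(j) letter, if any
    automated_decisions_legal_effects: bool = False # Art. 35(3)(a)
    large_scale_special_categories: bool = False    # Art. 35(3)(b), 37(1)(c)
    large_scale_systematic_monitoring: bool = False # Art. 35(3)(c), 37(1)(b) (merged here)
    transfers_to_third_country: bool = False        # Step 9
    transfer_mechanism: str | None = None           # one of TRANSFER_MECHANISMS
    occasional_low_risk: bool = False               # Art. 27(2)(a) exemption

@dataclass
class Assessment:
    applies: bool
    basis: str                                       # Art. 3 criterion, or why out of scope
    role: str | None = None
    obligations: list[str] = field(default_factory=list)
    gaps: list[str] = field(default_factory=list)

def territorial_basis(a: ProcessingActivity) -> str | None:
    if a.established_in_union:
        return "Art. 3(1) establishment"
    if a.offers_goods_or_services_to_eu or a.monitors_behaviour_in_eu:
        return "Art. 3(2) targeting"
    if a.public_international_law_applies:
        return "Art. 3(3) public international law"
    return None

def assess(a: ProcessingActivity) -> Assessment:
    """Walk Steps 1-9 and the Art. 27 check; stop at the first out-of-scope answer."""
    if not a.processes_personal_data:
        return Assessment(False, "no personal data (Arts. 2(1), 4(1))")
    if not a.automated_or_filing_system:
        return Assessment(False, "manual processing outside a filing system (Art. 2(1))")
    if a.exclusion in MATERIAL_SCOPE_EXCLUSIONS:
        return Assessment(False, f"Art. 2(2) exclusion: {a.exclusion}")
    basis = territorial_basis(a)
    if basis is None:
        return Assessment(False, "no Art. 3 territorial link")
    r = Assessment(True, basis, "controller" if a.determines_purposes_and_means else "processor")
    # Art. 27 applies on both tracks, but only to non-EU entities caught by Art. 3(2)
    if not a.established_in_union and basis.startswith("Art. 3(2)"):
        exempt = a.public_authority or (a.occasional_low_risk and not a.large_scale_special_categories)
        if not exempt:
            r.obligations.append("designate EU representative (Art. 27)")
    if r.role == "processor":
        r.obligations.append("processor obligations (Arts. 28-30, 32, 33(2))")
        return r
    if a.lawful_basis not in LAWFUL_BASES:                            # Step 5
        r.gaps.append("no documented Art. 6(1) lawful basis")
    elif a.lawful_basis == "legitimate_interests" and a.public_authority:
        r.gaps.append("Art. 6(1)(f) unavailable to public authorities performing their tasks")
    if a.special_categories and not a.art9_exception:                 # Step 6
        r.gaps.append("special categories without an Art. 9(2) exception")
    if (a.automated_decisions_legal_effects or a.large_scale_special_categories
            or a.large_scale_systematic_monitoring):                  # Step 7
        r.obligations.append("DPIA required (Art. 35)")
    if (a.public_authority or a.large_scale_systematic_monitoring
            or a.large_scale_special_categories):                     # Step 8
        r.obligations.append("DPO mandatory (Art. 37(1))")
    if a.transfers_to_third_country:                                  # Step 9
        if a.transfer_mechanism in TRANSFER_MECHANISMS:
            r.obligations.append(f"Chapter V mechanism in place: {a.transfer_mechanism}")
        else:
            r.gaps.append("third-country transfer without a Chapter V mechanism (Arts. 45, 46, 49)")
    return r

def example_activities() -> dict[str, Assessment]:
    """Constructed inventory rows, each exercising a different branch of the flow."""
    rows = [
        ProcessingActivity("us_saas_analytics", offers_goods_or_services_to_eu=True,
                           lawful_basis="legitimate_interests", transfers_to_third_country=True),
        ProcessingActivity("household_photos", exclusion="household"),
        ProcessingActivity("eu_hospital_records", established_in_union=True,
                           lawful_basis="legal_obligation", special_categories=True,
                           art9_exception="h", large_scale_special_categories=True),
        ProcessingActivity("eu_payroll_bureau", established_in_union=True,
                           determines_purposes_and_means=False),
    ]
    return {row.name: assess(row) for row in rows}
```

Each `gaps` entry is a finding that must be closed before processing starts; each `obligations` entry is a control the subpages above map to evidence.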

## Reference Information

### What is Personal Data?

- Personal data = any information relating to an identified or identifiable natural person ('data subject') (Art. 4(1)).
- Examples: name, ID number, location data, online identifier, IP address, cookie identifier, biometric data, genetic data, health data, etc.
- Special categories (Art. 9): racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data (for unique identification), health data, sex life/sexual orientation.
- Data on criminal convictions and offences (Art. 10) subject to special rules.

### Material Scope Exclusions

- Processing outside Union law scope (Art. 2(2)(a)).
- Member State activities under Common Foreign and Security Policy (TEU Title V Chapter 2) (Art. 2(2)(b)).
- Purely personal or household activities (Art. 2(2)(c)).
- Law enforcement processing (prevention, investigation, detection, prosecution of criminal offences; execution of criminal penalties; safeguarding against threats to public security) - covered by Law Enforcement Directive (EU) 2016/680 (Art. 2(2)(d)).
- EU institutions/bodies: covered by Regulation (EC) No 45/2001 until adapted to GDPR (Art. 2(3) & Art. 98).

### Territorial Scope (Art. 3) Explained

- Establishment criterion (Art. 3(1)): 'Establishment' = effective and real exercise of activity through stable arrangements in the EU (Recital 22). Legal form (branch, subsidiary) not determinative. Applies even if processing takes place outside EU.
- Targeting criterion - offering goods/services (Art. 3(2)(a)): Mere website accessibility in the Union not sufficient. Look for: use of EU language/currency, mention of EU customers, intent to offer to data subjects who are in the Union (Recital 23).
- Targeting criterion - monitoring behavior (Art. 3(2)(b)): Tracking/profiling to analyze or predict behavior (Recital 24). Examples: behavioral advertising, location tracking, health/fitness tracking.
- If Art. 3(2) applies and you are not established in the Union: you must designate a representative in the Union (Art. 27), unless exempt.

### Lawful Bases for Processing

- Consent (Art. 6(1)(a) & Art. 7): Must be freely given, specific, informed, unambiguous indication of wishes by statement or clear affirmative action. Must be as easy to withdraw as to give. Controller must be able to demonstrate consent.
- Contract (Art. 6(1)(b)): Processing must be objectively necessary for contract performance or pre-contractual steps at data subject's request.
- Legal obligation (Art. 6(1)(c)): Legal basis must be laid down in Union or Member State law (Art. 6(3)).
- Vital interests (Art. 6(1)(d)): Only when no other lawful basis is available (typically life-or-death situations).
- Public task (Art. 6(1)(e)): Legal basis laid down in Union or Member State law; purpose must be necessary for public interest or official authority (Art. 6(3)).
- Legitimate interests (Art. 6(1)(f)): Requires balancing test - controller's legitimate interests vs. data subject's rights/interests. Document the balancing test. Not available for public authorities performing tasks.

### Special Categories - Art. 9(2) Exceptions

- (a) Explicit consent (unless Union/MS law prohibits lifting the prohibition by consent).
- (b) Employment, social security, social protection law (with appropriate safeguards).
- (c) Vital interests (where data subject physically/legally incapable of giving consent).
- (d) Legitimate activities of foundation/association/not-for-profit body with political/philosophical/religious/trade union aim (with appropriate safeguards; members/former members/regular contacts only; no disclosure without consent).
- (e) Data manifestly made public by data subject.
- (f) Legal claims or courts acting in judicial capacity.
- (g) Substantial public interest (on basis of Union/MS law; proportionate; respects essence of right to data protection; suitable and specific safeguards).
- (h) Preventive/occupational medicine, medical diagnosis, health/social care (on basis of Union/MS law or contract with health professional; subject to professional secrecy).
- (i) Public health (on basis of Union/MS law; suitable and specific safeguards, including professional secrecy).
- (j) Archiving/research/statistics (Art. 89(1); proportionate; respects essence; suitable and specific safeguards).
- Member States may maintain/introduce further conditions or limitations for genetic, biometric, or health data (Art. 9(4)).

### GDPR Principles (Art. 5)

- Lawfulness, fairness, transparency (Art. 5(1)(a)): Process lawfully, fairly, transparently.
- Purpose limitation (Art. 5(1)(b)): Collect for specified, explicit, legitimate purposes; no incompatible further processing (except archiving/research/statistics under Art. 89(1)).
- Data minimization (Art. 5(1)(c)): Adequate, relevant, limited to what is necessary.
- Accuracy (Art. 5(1)(d)): Accurate and kept up to date; inaccurate data must be erased or rectified without delay.
- Storage limitation (Art. 5(1)(e)): Keep only as long as necessary for purposes (except archiving/research/statistics under Art. 89(1) with appropriate safeguards).
- Integrity and confidentiality (Art. 5(1)(f)): Ensure appropriate security (including protection against unauthorized/unlawful processing, accidental loss/destruction/damage).
- Accountability (Art. 5(2)): Controller responsible for and must be able to demonstrate compliance with principles.

### Data Subject Rights (Chapter III)

- Transparency & information (Arts. 12-14): Provide clear information at collection; respond to requests within 1 month (extendable by 2 months).
- Right of access (Art. 15): Confirm if processing; provide copy of data and information on processing.
- Right to rectification (Art. 16): Rectify inaccurate data; complete incomplete data.
- Right to erasure / 'right to be forgotten' (Art. 17): Erase data in specific circumstances (no longer necessary; consent withdrawn; objection; unlawful processing; legal obligation; child's consent for information society services). Exceptions apply (e.g., freedom of expression, legal obligation, legal claims).
- Right to restriction (Art. 18): Restrict processing in specific circumstances (accuracy contested; unlawful processing; no longer needed by controller but needed by data subject for legal claims; objection pending).
- Right to data portability (Art. 20): Receive data in structured, machine-readable format and transmit to another controller (where processing based on consent or contract and carried out by automated means).
- Right to object (Art. 21): Object to processing based on legitimate interests or public task (controller must stop unless compelling legitimate grounds override); absolute right to object to direct marketing.
- Automated decision-making (Art. 22): Right not to be subject to decisions based solely on automated processing (including profiling) that produce legal/similarly significant effects, unless necessary for contract, authorized by law, or based on explicit consent (with safeguards).

### Controller Obligations (Chapter IV)

- Responsibility & accountability (Art. 24): Implement appropriate measures to ensure and demonstrate GDPR compliance, taking into account nature/scope/context/purposes and risks.
- Data protection by design & by default (Art. 25): Implement appropriate technical/organizational measures at design stage and at processing stage; by default, process only data necessary for each specific purpose.
- Joint controllers (Art. 26): Determine respective responsibilities by transparent arrangement; designate point of contact for data subjects.
- Representatives (Art. 27): Controllers/processors not established in the Union but subject to Art. 3(2) must designate a representative in the Union, unless the processing is occasional, unlikely to result in risk, and does not include large-scale special categories/criminal data, or the controller/processor is a public authority/body (Art. 27(2)). Representative acts as contact point.
- Processor requirements (Art. 28): Use only processors with sufficient guarantees; written contract required (Art. 28(3) mandatory clauses); processor must not engage sub-processor without authorization.
- Processing under authority (Art. 29): Processor and persons acting under controller/processor authority must process only on controller instructions (unless required by law).
- Records of processing (Art. 30): Controllers and processors must maintain records of processing activities (exceptions for organizations <250 employees unless processing is not occasional, or involves special categories/criminal data, or likely to result in risk). Records must be available to supervisory authority on request.
- Cooperation with supervisory authority (Art. 31): Cooperate on request.

### Security & Breach Notification (Arts. 32-34)

- Security of processing (Art. 32): Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Measures may include: pseudonymization; encryption; confidentiality/integrity/availability/resilience; ability to restore availability/access; regular testing/assessment. Take into account state of the art, costs, nature/scope/context/purposes, and risks.
- Breach notification to supervisory authority (Art. 33): In case of personal data breach, notify supervisory authority without undue delay and where feasible within 72 hours of becoming aware, unless unlikely to result in risk to rights/freedoms. Processor must notify controller without undue delay. Notification must include: nature of breach, categories/approximate numbers affected, contact details of DPO (or point of contact), likely consequences, measures taken/proposed. Document all breaches.
- Breach communication to data subject (Art. 34): If breach likely to result in high risk to rights/freedoms, communicate to data subject without undue delay in clear and plain language. Exceptions: if appropriate technical/organizational measures applied (e.g., encryption); controller has taken subsequent measures ensuring high risk no longer likely; communication would involve disproportionate effort (then public communication or similar effective measure).

### DPIA Contents & Process (Art. 35)

- DPIA must contain at least (Art. 35(7)): (a) systematic description of processing operations and purposes (including legitimate interests if applicable); (b) assessment of necessity and proportionality of processing; (c) assessment of risks to rights/freedoms; (d) measures to address risks (safeguards, security, mechanisms to ensure protection and demonstrate compliance, taking into account rights/interests of data subjects and others).
- Seek views of data subjects or their representatives where appropriate (Art. 35(9)).
- Consult DPO if designated (Art. 35(2)).
- Review DPIA at least when there is change of risk (Art. 35(11)).
- Prior consultation with supervisory authority (Art. 36): If DPIA indicates high risk in absence of mitigation measures, consult supervisory authority before processing. Supervisory authority provides written advice within 8 weeks (extendable by 6 weeks). If supervisory authority finds processing would infringe GDPR, it may use its Art. 58 powers.

### DPO Requirements & Tasks (Arts. 37-39)

- Designation (Art. 37): Based on professional qualities, expert knowledge of data protection law/practices, ability to fulfill tasks. May be staff member or external (service contract). Publish contact details and communicate to supervisory authority.
- Position (Art. 38): Involve the DPO properly and in a timely manner in all data protection issues. Provide resources, access to data/processing operations, and support to maintain expert knowledge. DPO must not receive instructions regarding tasks; must not be dismissed/penalized for performing tasks; reports directly to highest management. Data subjects may contact DPO. DPO bound by secrecy/confidentiality. May fulfill other tasks if no conflict of interest.
- Tasks (Art. 39): (a) Inform and advise controller/processor and employees of obligations; (b) monitor compliance with GDPR and controller/processor policies (including assignment of responsibilities, awareness-raising, training, audits); (c) provide advice on DPIA and monitor performance; (d) cooperate with supervisory authority; (e) act as contact point for supervisory authority on processing issues (including prior consultation). DPO has due regard to risk (nature, scope, context, purposes).

### International Transfer Mechanisms (Chapter V)

- Adequacy decision (Art. 45): Commission decides third country/territory/sector/international organization ensures adequate level of protection. No specific authorization required. Commission publishes list in OJ and on website. Examples: UK, Switzerland, Japan, Canada (commercial organizations), EU-US Data Privacy Framework participants (as of 2023 adequacy decision).
- Appropriate safeguards (Art. 46): Legally binding instrument between public authorities; Binding Corporate Rules (BCRs); Standard Contractual Clauses (SCCs); approved code of conduct (with binding enforceable commitments); approved certification mechanism (with binding enforceable commitments); contractual clauses/administrative arrangements authorized by supervisory authority. Must provide enforceable data subject rights and effective legal remedies. Supplementary measures may be required (Schrems II principle).
- Derogations (Art. 49): Only in absence of adequacy/safeguards and for specific situations: explicit consent (after being informed of risks); necessary for contract performance or pre-contractual measures; necessary for important public interest; necessary for legal claims; necessary to protect vital interests; transfer from public register; compelling legitimate interests (not repetitive; limited number of data subjects; supplementary safeguards; documented assessment; information to supervisory authority and data subject).
- Note: Schrems II (CJEU C-311/18, July 2020) invalidated EU-US Privacy Shield and requires case-by-case assessment of third country law for transfers under Art. 46.

### Supervisory Authorities (Chapter VI)

- Each Member State establishes independent supervisory authority (Arts. 51-52).
- Competence (Art. 55): Each supervisory authority is competent on its territory and for public authorities/bodies in its Member State.
- Lead supervisory authority (Art. 56): For cross-border processing, the supervisory authority of the main establishment is the lead authority (one-stop-shop mechanism).
- Tasks (Art. 57): Monitor and enforce GDPR; promote awareness; advise parliament/government/institutions; handle complaints; conduct investigations; authorize contractual clauses; issue opinions; report infringements; etc.
- Powers (Art. 58): Investigative (e.g., order controller/processor to provide information, conduct audits); corrective (e.g., issue warnings/reprimands, order compliance, impose processing limitations, order erasure, impose administrative fines); authorization and advisory powers.
- European Data Protection Board (EDPB) (Arts. 68-76): Independent EU body ensuring consistent GDPR application. Issues guidelines, recommendations, best practices. Composed of head of each Member State supervisory authority and EDPS.

### Remedies, Liability & Penalties (Chapter VIII)

- Right to lodge complaint (Art. 77): Data subjects may lodge complaint with supervisory authority (in Member State of habitual residence, place of work, or place of alleged infringement).
- Right to effective judicial remedy against supervisory authority (Art. 78): Against binding decisions or failure to handle complaint within 3 months.
- Right to effective judicial remedy against controller or processor (Art. 79): Data subjects may bring court proceedings if they consider their rights infringed.
- Representation (Art. 80): Data subjects may mandate not-for-profit bodies/organizations to lodge complaints, exercise rights, receive compensation on their behalf. Member States may allow such bodies to act independently of mandate.
- Compensation & liability (Art. 82): Any person who suffered material or non-material damage due to GDPR infringement has right to compensation. Controllers and processors liable for damages. Each liable for entire damage (effective compensation). Exempt from liability only if it proves it is not in any way responsible. Can claim back from other controllers/processors involved their share of responsibility.
- Administrative fines (Art. 83): Up to EUR 10M or 2% of total worldwide annual turnover (whichever higher) for certain infringements (e.g., processor obligations, DPO, certification body, monitoring body). Up to EUR 20M or 4% of turnover (whichever higher) for other infringements (e.g., principles, lawful basis, data subject rights, international transfers, supervisory authority orders). Fines must be effective, proportionate, dissuasive. Factors: nature/gravity/duration; intentional/negligent; mitigating actions; degree of responsibility; previous infringements; cooperation; categories of data; notification; adherence to codes/certification; other aggravating/mitigating factors.
- Other penalties (Art. 84): Member States may lay down rules on other penalties (effective, proportionate, dissuasive).

### Consent Requirements (Art. 7)

- Controller must be able to demonstrate data subject consented (Art. 7(1)).
- If consent given in written declaration covering other matters, consent request must be clearly distinguishable, intelligible, easily accessible, clear and plain language. Infringing parts not binding (Art. 7(2)).
- Data subject has right to withdraw consent at any time. Withdrawal does not affect lawfulness of processing before withdrawal. Must be as easy to withdraw as to give. Data subject must be informed of right to withdraw before giving consent (Art. 7(3)).
- When assessing if consent is freely given, utmost account taken of whether contract performance (including service provision) is conditional on consent to processing not necessary for performance (Art. 7(4)).
- Child's consent for information society services (Art. 8): If the child is below 16 years (Member States may lower to 13), consent must be given/authorized by holder of parental responsibility. Controller must make reasonable efforts to verify, taking into account available technology.

### Codes of Conduct & Certification (Arts. 40-43)

- Codes of conduct (Art. 40): Voluntary; encourage drawing up by associations/bodies representing controllers/processors; can specify application of GDPR (e.g., fair/transparent processing, legitimate interests, collection, pseudonymization, information to public/data subjects, data subject rights, breach notification, transfers). Codes with general validity may provide appropriate safeguards for international transfers. Approved by supervisory authority (or Board for cross-border codes). Commission may give codes general EU validity. Adherence to code considered when assessing compliance.
- Monitoring of codes (Art. 41): May be carried out by accredited bodies with appropriate expertise, independence, procedures, and no conflicts of interest.
- Certification (Art. 42): Voluntary; mechanisms/seals/marks to demonstrate GDPR compliance. May provide appropriate safeguards for international transfers. Issued by certification bodies or supervisory authority for max 3 years (renewable). Withdrawal if criteria not met. Does not reduce controller/processor responsibility. Board maintains public register.
- Certification bodies (Art. 43): Accredited by supervisory authority or national accreditation body (per Regulation (EC) No 765/2008 and EN-ISO/IEC 17065/2012). Must demonstrate independence, expertise, procedures, no conflicts of interest. Accreditation for max 5 years (renewable). Provide reasons for granting/withdrawing certification to supervisory authority.

### Binding Corporate Rules (BCRs) (Art. 47)

- BCRs = personal data protection policies adhered to by controller/processor in EU for transfers within a group of undertakings/enterprises to controller/processor in third countries (Art. 4(20)).
- BCRs are an appropriate safeguard for international transfers (Art. 46(2)(b)).
- BCRs must be legally binding and enforced by all group members (Art. 47(1)).
- Must expressly confer enforceable rights on data subjects (Art. 47(2)).
- Minimum content (Art. 47(2)): structure/contact details of group; data transfers; legally binding nature; data protection principles; data subject rights; complaint/redress mechanisms; cooperation with supervisory authorities; mechanisms for ensuring compliance; liability; data protection training; monitoring mechanisms; update mechanisms; verification; etc.
- Competent supervisory authority approves BCRs (Art. 47(1)). Consistency mechanism applies (Art. 63).
- BCRs considered when imposing administrative fines (Art. 83(2)(j)).

### Records of Processing Activities (Art. 30)

- Controllers must maintain records including: controller/representative/DPO contact details; purposes of processing; categories of data subjects and personal data; categories of recipients (including third countries/international organizations and safeguards); where applicable, transfers to third countries (including identification of country/international organization and documentation of safeguards); envisaged time limits for erasure; general description of technical and organizational security measures (Art. 30(1)).
- Processors must maintain records including: processor/representative/DPO contact details; categories of processing carried out on behalf of each controller; where applicable, transfers to third countries (including identification and documentation of safeguards); general description of technical and organizational security measures (Art. 30(2)).
- Records must be in writing (including electronic form) (Art. 30(3)).
- Records must be made available to supervisory authority on request (Art. 30(4)).
- Exception (Art. 30(5)): Obligations do not apply to organizations with <250 employees, UNLESS: processing is not occasional; OR processing likely to result in risk to rights/freedoms; OR processing includes special categories (Art. 9(1)) or criminal convictions/offences (Art. 10).

## Possible Outcomes

### [PROCESSOR] GDPR Applies (Processor Obligations)

Process only on controller instructions

- Processors must: process only on documented instructions from controller (Art. 28(3)(a)); ensure persons authorized to process are under confidentiality (Art. 28(3)(b)); implement appropriate security measures (Art. 28(3)(c) & Art. 32); respect sub-processor conditions (Art. 28(2)-(4)); assist controller with security, breach notification, DPIA, and data subject rights (Art. 28(3)(e)-(f)); delete or return data after services end (Art. 28(3)(g)); make available information to demonstrate compliance and allow audits (Art. 28(3)(h)).
- Processor must have written contract or legal act with controller (Art. 28(3) & (9)).
- Processor liable for damages if it fails to comply with processor-specific obligations or acts outside/contrary to lawful controller instructions (Art. 82(2)).

### [PROCESSOR] GDPR Applies (Processor, designate EU representative)

Art. 3(2) and not established in the Union

- You are subject to GDPR under the targeting criterion (Art. 3(2)) and are not established in the Union.
- Designate a representative in the Union if required under Art. 27 (including considering Art. 27(2) exemptions).
- Comply with all processor obligations under Art. 28 and other applicable GDPR requirements.

### [IN SCOPE] GDPR Applies (Controller)

Comply with all controller obligations

- Ensure lawful basis for all processing (Art. 6); additional lawful basis for special categories (Art. 9) if applicable.
- Comply with all principles: lawfulness/fairness/transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability (Art. 5).
- Respect data subject rights: transparency/information, access, rectification, erasure, restriction, data portability, objection, automated decision-making (Arts. 12-22).
- Implement controller obligations: accountability, data protection by design/by default, records of processing, cooperation with supervisory authority (Arts. 24-31).
- Ensure security and breach notification (Arts. 32-34).
- Conduct DPIA if required (Art. 35); prior consultation if high risk (Art. 36).
- Designate DPO if required (Arts. 37-39).
- Comply with international transfer rules if transferring to third countries (Chapter V).
- Designate representative in EU if required under Art. 27.
- Be prepared for supervisory authority enforcement and potential administrative fines (up to EUR 20M or 4% of global turnover).

### [IN SCOPE] GDPR Applies (Designate EU Representative)

Art. 3(2) and not established in the Union

- You are subject to GDPR under the targeting criterion (Art. 3(2)) but not established in the Union.
- Designate a representative in the Union (Art. 27(1) & (3)). Representative must be established in one of the Member States where relevant data subjects are located (Art. 27(3)).
- Comply with all GDPR obligations as controller or processor (same as if established in the Union).
- Representative acts as contact point for supervisory authorities and data subjects.
- Provide representative's contact details in privacy notices (Arts. 13-14).
- You remain fully responsible for compliance; representative designation does not affect your liability.

### [OUT OF SCOPE] GDPR Does Not Apply

Outside GDPR scope

- Your processing does not fall within GDPR scope (either material scope or territorial scope).
- You are not required to comply with GDPR for this specific processing activity.
- Note: You may still be subject to other data protection laws (e.g., national laws, Law Enforcement Directive (EU) 2016/680, or third country laws).
- Reassess if circumstances change (e.g., if you start offering goods/services to data subjects who are in the Union or monitoring their behavior within the Union).

## GDPR Timeline

| Date | Event | Reference |
| --- | --- | --- |
| 2016-04-27 | GDPR adopted by EU Parliament and Council | Reg. (EU) 2016/679 |
| 2016-05-04 | GDPR published in Official Journal (OJ L 119) | Reg. (EU) 2016/679 |
| 2016-05-24 | GDPR enters into force (20 days after publication) | Art. 99(1) |
| 2018-05-25 | GDPR becomes applicable (replaces Directive 95/46/EC) | Art. 99(2) & Art. 94 |
| 2020-05-25 | First Commission review report due (then every 4 years) | Art. 97 |

## Compliance Timeline

| Date | Event | Category |
| --- | --- | --- |
| 2015-10-06 | Schrems I press release (Safe Harbour invalidated) | CJEU Case Law |
| 2015-11-06 | Commission communication after Schrems I (data transfers EU-US) | International Transfers |
| 2016-02-29 | Commission communication on transatlantic data flows (Restoring Trust) | International Transfers |
| 2016-04-27 | GDPR adopted (date of Regulation) | Legislative History |
| 2016-05-04 | GDPR published (OJ L 119) | Legislative History |
| 2016-05-20 | EU-US Data Protection Umbrella Agreement published | International Transfers |
| 2016-05-24 | GDPR enters into force | Legislative History |
| 2016-07-12 | EU-US Privacy Shield adopted | International Transfers |
| 2016-12-01 | EU-US Data Protection Umbrella Agreement concluded | International Transfers |
| 2017-10-18 | First Privacy Shield review press release | International Transfers |
| 2017-12-01 | ENISA handbook on security of personal data processing (published) | EDPB Guidelines |
| 2018-02-01 | CNIL PIA methodology (February 2018 edition) | EDPB Guidelines |
| 2018-05-23 | GDPR corrigendum (OJ L 127) | Legislative History |
| 2018-05-25 | GDPR applies (application date) | Legislative History |
| 2018-05-25 | EDPB endorses WP29 documents (Endorsement 1/2018) | EDPB Guidelines |
| 2018-12-19 | Second Privacy Shield review press release | International Transfers |
| 2019-01-14 | EU-Japan adequacy decision factsheet | Adequacy Decisions |
| 2019-10-23 | Third Privacy Shield annual review report | International Transfers |
| 2020-05-04 | EDPB Guidelines 05/2020 on consent adopted | EDPB Guidelines |
| 2020-05-25 | First GDPR evaluation report due | Legislative History |
| 2020-07-16 | Schrems II press release (Privacy Shield invalidated) | CJEU Case Law |
| 2020-08-10 | EU-US joint press statement listed (data transfers) | International Transfers |
| 2021-06-04 | New Standard Contractual Clauses adopted | International Transfers |
| 2021-06-18 | EDPB Recommendations 01/2020 supplementary measures (Version 2.0) adopted | EDPB Guidelines |
| 2021-06-28 | UK adequacy decision (GDPR) adopted | Adequacy Decisions |
| 2021-07-07 | EDPB Guidelines 07/2020 on controller and processor (Version 2.0) adopted | EDPB Guidelines |
| 2021-09-27 | New SCCs required for new transfer agreements | International Transfers |
| 2021-12-17 | South Korea adequacy decision (17 December 2021) | Adequacy Decisions |
| 2022-10-07 | US Executive Order 14086 adopted | International Transfers |
| 2022-12-27 | Transition ends: old SCCs can no longer be relied upon | International Transfers |
| 2023-03-28 | EDPB Guidelines 01/2022 right of access (Version 2.0) adopted | EDPB Guidelines |
| 2023-03-28 | EDPB Guidelines 09/2022 on personal data breach notification (Version 2.0) adopted | EDPB Guidelines |
| 2023-04-01 | Irish DPC RoPA guidance note (April 2023) published | EDPB Guidelines |
| 2023-04-04 | Report on first periodic review of Japan adequacy decision | Adequacy Decisions |
| 2023-07-10 | EU-US Data Privacy Framework adequacy decision adopted | Adequacy Decisions |
| 2024-01-15 | Report on first review of 11 adequacy decisions (Directive 95/46/EC) | Adequacy Decisions |
| 2024-03-04 | First high-level meeting on safe data flows | Adequacy Decisions |
| 2024-07-18 | EU-US Data Privacy Framework review meeting starts (18-19 July 2024) | Adequacy Decisions |
| 2024-10-09 | First periodic review report of the EU-US Data Privacy Framework (DPF) dated | Adequacy Decisions |
| 2025-07-01 | European Patent Organisation adequacy decision (July 2025) | Adequacy Decisions |
| 2025-07-15 | UK adequacy decision (LED) renewal published | Adequacy Decisions |
| 2025-12-19 | UK adequacy decisions renewed (GDPR and LED) | Adequacy Decisions |
| 2026-02-10 | EU-Japan joint press statement listed (10 February 2026) | Adequacy Decisions |

**Event details:**

- **2015-10-06 - Schrems I press release (Safe Harbour invalidated)**: CJEU press release (6 October 2015) on Case C-362/14 declaring the Safe Harbour Decision invalid.
- **2015-11-06 - Commission communication after Schrems I (data transfers EU-US)**: Commission communication on the transfer of personal data from the EU to the US following the Schrems I judgment (listed on the Commission EU-US data transfers timeline).
- **2016-02-29 - Commission communication on transatlantic data flows (Restoring Trust)**: Commission communication on transatlantic data flows and safeguards, published 29 February 2016 (listed on the Commission EU-US data transfers timeline).
- **2016-04-27 - GDPR adopted (date of Regulation)**: Regulation (EU) 2016/679 is dated 27 April 2016.
- **2016-05-04 - GDPR published (OJ L 119)**: Regulation (EU) 2016/679 published in the Official Journal (OJ L 119, 4.5.2016).
- **2016-05-20 - EU-US Data Protection Umbrella Agreement published**: Publication date shown for the EU-US Data Protection Umbrella Agreement: 20 May 2016 (as shown on the Commission EU-US data transfers page timeline).
- **2016-05-24 - GDPR enters into force**: GDPR enters into force (timeline reference date: 24 May 2016).
- **2016-07-12 - EU-US Privacy Shield adopted**: EU-US Privacy Shield decision and annexes dated 12 July 2016.
- **2016-12-01 - EU-US Data Protection Umbrella Agreement concluded**: EU-US Data Protection Umbrella Agreement concluded in December 2016 (Commission EU-US data transfers page timeline).
- **2017-10-18 - First Privacy Shield review press release**: Press release on the first review of the EU-US Privacy Shield dated 18 October 2017.
- **2017-12-01 - ENISA handbook on security of personal data processing (published)**: ENISA handbook on security of personal data processing, cover date December 2017.
- **2018-02-01 - CNIL PIA methodology (February 2018 edition)**: CNIL Privacy Impact Assessment (PIA) methodology published (February 2018 edition).
- **2018-05-23 - GDPR corrigendum (OJ L 127)**: Corrigendum published in OJ L 127, 23.5.2018, p. 2.
- **2018-05-25 - GDPR applies (application date)**: GDPR applies from 25 May 2018; Directive 95/46/EC is repealed with effect from that date.
- **2018-05-25 - EDPB endorses WP29 documents (Endorsement 1/2018)**: EDPB endorsement dated 25 May 2018 endorsing key Article 29 Working Party documents.
- **2018-12-19 - Second Privacy Shield review press release**: Press release on the second review of the EU-US Privacy Shield dated 19 December 2018.
- **2019-01-14 - EU-Japan adequacy decision factsheet**: EU Japan adequacy decision factsheet dated 14 January 2019 (as listed on the Commission adequacy decisions page timeline).
- **2019-10-23 - Third Privacy Shield annual review report**: Report on the third annual review of the EU-US Privacy Shield dated 23 October 2019 (as listed on the Commission EU-US transfers page timeline).
- **2020-05-04 - EDPB Guidelines 05/2020 on consent adopted**: EDPB Guidelines 05/2020 on consent under Regulation 2016/679 adopted on 4 May 2020.
- **2020-05-25 - First GDPR evaluation report due**: Commission deadline to submit the first report on the evaluation and review of the GDPR by 25 May 2020, with subsequent reports every four years.
- **2020-07-16 - Schrems II press release (Privacy Shield invalidated)**: CJEU press release dated 16 July 2020 on Case C-311/18 (Schrems II), invalidating the EU-US Privacy Shield.
- **2020-08-10 - EU-US joint press statement listed (data transfers)**: Joint press statement by Commissioner Didier Reynders and U.S. Secretary of Commerce Wilbur Ross dated 10 August 2020 (listed on the Commission EU-US data transfers timeline).
- **2021-06-04 - New Standard Contractual Clauses adopted**: European Commission adopts two sets of SCCs on 4 June 2021 (intra-EEA controller-processor and international transfers).
- **2021-06-18 - EDPB Recommendations 01/2020 supplementary measures (Version 2.0) adopted**: EDPB adopted Recommendations 01/2020 on supplementary measures for international transfers (Version 2.0) on 18 June 2021.
- **2021-06-28 - UK adequacy decision (GDPR) adopted**: Decision on the adequate protection of personal data by the United Kingdom under the GDPR dated 28 June 2021 (as listed on the Commission adequacy decisions page timeline).
- **2021-07-07 - EDPB Guidelines 07/2020 on controller and processor (Version 2.0) adopted**: EDPB adopted Guidelines 07/2020 on the concepts of controller and processor (Version 2.0) on 7 July 2021.
- **2021-09-27 - New SCCs required for new transfer agreements**: Agreements to transfer data concluded after 27 September 2021 must be based on the new SCCs.
- **2021-12-17 - South Korea adequacy decision (17 December 2021)**: Decision on the adequate protection of personal data by the Republic of Korea dated 17 December 2021 (as listed on the Commission adequacy decisions page timeline).
- **2022-10-07 - US Executive Order 14086 adopted**: Executive Order on "Enhancing Safeguards for United States Signals Intelligence Activities" adopted on 7 October 2022 (as referenced on the Commission EU-US transfers page timeline).
- **2022-12-27 - Transition ends: old SCCs can no longer be relied upon**: Transition period ends on 27 December 2022 for switching to the new SCCs for agreements entered into before 27 September 2021.
- **2023-03-28 - EDPB Guidelines 01/2022 right of access (Version 2.0) adopted**: EDPB adopted Guidelines 01/2022 on data subject rights (right of access) (Version 2.0) on 28 March 2023.
- **2023-03-28 - EDPB Guidelines 09/2022 on personal data breach notification (Version 2.0) adopted**: EDPB adopted Guidelines 09/2022 on personal data breach notification under the GDPR (Version 2.0) on 28 March 2023.
- **2023-04-01 - Irish DPC RoPA guidance note (April 2023) published**: Irish Data Protection Commission guidance note on Records of Processing Activities (RoPA), cover date April 2023.
- **2023-04-04 - Report on first periodic review of Japan adequacy decision**: Commission publishes its report on the first periodic review of the adequacy decision for Japan on 4 April 2023 (as listed on the Commission adequacy decisions page timeline).
- **2023-07-10 - EU-US Data Privacy Framework adequacy decision adopted**: Commission adopts its adequacy decision for the EU-US Data Privacy Framework on 10 July 2023 (as listed on the Commission EU-US transfers page timeline).
- **2024-01-15 - Report on first review of 11 adequacy decisions (Directive 95/46/EC)**: Commission publishes its report on the first review of the functioning of the eleven adequacy decisions adopted pursuant to Directive 95/46/EC, on 15 January 2024.
- **2024-03-04 - First high-level meeting on safe data flows**: Commission hosts the first ever high-level meeting on safe data flows on 4 March 2024.
- **2024-07-18 - EU-US Data Privacy Framework review meeting starts (18-19 July 2024)**: First day of the DPF review meeting in Washington D.C. (18-19 July 2024), as referenced in the Commission's first periodic review report timeline section.
- **2024-10-09 - First periodic review report of the EU-US Data Privacy Framework (DPF) dated**: Commission report dated Brussels, 9.10.2024 (publication date shown at top of the report).
- **2025-07-01 - European Patent Organisation adequacy decision (July 2025)**: European Patent Organisation adequacy decision listed for July 2025 on the Commission adequacy decisions page timeline (month provided, exact day not specified).
- **2025-07-15 - UK adequacy decision (LED) renewal published**: Publication date for renewal of the EU adequacy decision for the UK under the Law Enforcement Directive (LED): 15 July 2025 (as listed on the Commission adequacy decisions page timeline).
- **2025-12-19 - UK adequacy decisions renewed (GDPR and LED)**: Publication date for renewal of EU adequacy decisions for the UK under the GDPR and under the LED: 19 December 2025 (as listed on the Commission adequacy decisions page timeline).
- **2026-02-10 - EU-Japan joint press statement listed (10 February 2026)**: Joint press statement by Commissioner Michael McGrath and TEZUKA Satoru (Japan PIPC) listed under "Adequacy decisions latest" dated 10 February 2026 (as extracted from the Commission adequacy decisions page timeline).

---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation
