Artifact GuideEU

EU GDPR Compliance

A practical GDPR compliance map for deciding whether the law applies, assigning controller and processor duties, and keeping evidence for lawful basis, notices, rights, DPIAs, RoPA, contracts, breaches, transfers, retention, security, and enforcement risk.

Built for privacy, legal, product, security, procurement, support, HR, marketing, and data governance teams that need operating controls rather than a generic policy summary.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
9

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Use this guide as a GDPR compliance operating checklist. For each processing activity, record the scope decision, controller or processor role, lawful basis, notice text, rights workflow, DPIA result, RoPA entry, processor contract, transfer mechanism, retention and erasure rule, security controls, and breach escalation path. The goal is a reviewable evidence set, not a one-time policy document.

Section 1

Confirm GDPR scope and processing roles

Start with the facts that make the GDPR relevant: personal data, a processing purpose, an actor that decides purposes and means or processes on another party's instructions, and a territorial connection through EU establishment, EU-facing offering, or monitoring of people in the EU. Do not treat a vendor list as the role map; the same organisation can be a controller for one workflow, a processor for another, and a joint controller where purposes and means are decided together.

The first evidence record should say what personal data is processed, whose data it is, which entity is controller or processor, which services or countries are in scope, and which planned product or supplier changes would reopen the analysis.

  • Create a processing inventory row before launch or material change, not after an audit request.
  • Separate controller decisions from processor delivery tasks, including subprocessors and audit rights.
  • Flag EU targeting, EU monitoring, cross-border service delivery, and mixed-role arrangements for legal review.
  • Keep out-of-scope conclusions short but specific, with the data flow, role, and territorial fact that drove the conclusion.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Articles 3, 4, 24, 28, and 30 support the scope, role, accountability, processor, and records checks used in the opening inventory.
EDPB Guidelines 07/2020 on controller and processor concepts
Used for practical separation of controller, processor, and joint-controller roles before assigning obligations.
Section 2

Set lawful basis, transparency, rights, and retention controls

Every processing purpose needs a lawful basis before collection or use. Consent must be evidenced and withdrawable; legitimate interests need the specific interest and balancing rationale; contract, legal obligation, vital interests, and public-task bases should be tied to the exact processing purpose rather than the whole product.

Transparency controls should match the data flow. Notices must identify purposes, legal bases, recipients, transfers, storage periods or criteria, rights, and complaint routes. For rights handling, maintain an intake, identity-check, search, exemption, response, and completion log so access, rectification, erasure, restriction, portability, objection, and automated-decision requests can be handled within the GDPR response period.

  • Map one lawful basis per purpose, and add Article 9 or Article 10 conditions where special-category or criminal-offence data is used.
  • Keep privacy notices aligned with product screens, HR notices, marketing flows, support workflows, and supplier data imports.
  • Record DSAR receipt date, request type, verification steps, systems searched, response decision, extension rationale if used, and delivery date.
  • Make retention rules purpose-specific: keep the period or decision criteria, erasure trigger, hold exception, and system owner for each data category.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Articles 5, 6, 7, 9, 12 to 22, and storage-limitation wording ground the lawful-basis, rights, withdrawal, and retention controls.
EDPB Guidelines 05/2020 on consent under GDPR
Used for consent quality, consent evidence, and withdrawal design where consent is selected as the lawful basis.
WP29 Guidelines on transparency under Regulation 2016/679
Supports notice content, timing, layered explanation, transfer disclosures, rights explanations, and storage-period specificity.
Section 3

Maintain RoPA, DPIA, processor, and accountability evidence

A GDPR compliance file should be organised around processing activities, not departments. The RoPA should identify controller or processor contacts, purposes, data-subject and data categories, recipient categories, third-country transfers, erasure time limits where possible, and a general description of security measures.

Run a DPIA before high-risk processing, especially systematic profiling with significant effects, large-scale special-category data, criminal-offence data, or large-scale systematic monitoring. If residual high risk remains after mitigation, escalate for prior consultation rather than treating the DPIA as complete. Processor contracts should cover documented instructions, confidentiality, Article 32 measures, subprocessor controls, rights assistance, breach and DPIA support, return or deletion, audits, and compliance information.

  • Link each RoPA row to the product, data owner, privacy notice, lawful basis, retention rule, transfer mechanism, and security control owner.
  • Treat new technology, changed purpose, combined datasets, vulnerable data subjects, large scale, unavoidable monitoring, or cross-border transfer as DPIA screening triggers.
  • For processors, keep the signed Article 28 terms, subprocessor list, transfer clauses, security schedule, audit evidence, and deletion or return confirmation.
  • Keep accountability evidence current when the product, purpose, supplier, hosting region, data category, risk level, or authority guidance changes.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Articles 28, 30, 35, and 36 ground processor contracts, records of processing activities, DPIAs, and prior consultation.
Irish Data Protection Commission - RoPA under Article 30 GDPR
Used for practical RoPA evidence expectations and Article 30 implementation context.
Irish Data Protection Commission - Data Protection Impact Assessments
Supports DPIA screening, high-risk indicators, early project timing, and documented reasons where a DPIA is not carried out.
Section 4

Operate breach notification, security, and transfer controls

Security and incident response must be connected. Article 32 expects measures appropriate to risk, including confidentiality, integrity, availability, resilience, restoration, and regular testing. The breach workflow should start when the organisation becomes aware of a personal-data breach, triage risk to individuals, preserve facts, involve processors quickly, and decide whether supervisory-authority or data-subject notification is required.

International transfers need a separate control from vendor onboarding. Identify the recipient country, transfer role, transfer tool, onward-transfer chain, and whether an adequacy decision, SCCs, binding corporate rules, or another Article 46 mechanism is being used. Where SCCs are used, keep the transfer assessment and recipient-country risk review with the contract record.

  • Maintain an incident log with awareness time, affected data, affected people, likely consequences, mitigation, notification decision, and reasons for any delay.
  • Require processors to notify the controller without undue delay and to supply facts needed for Article 33 and Article 34 decisions.
  • Test access control, encryption, backup, restore, logging, vulnerability management, and incident exercises against the actual processing risk.
  • For transfers, keep the SCC module or other transfer tool, recipient country, transfer assessment, recipient-country risk review, and notice disclosure together.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Articles 32 to 34 and 44 to 49 ground security, breach notification, data-subject communication, and international-transfer safeguards.
WP29 Guidelines on personal data breach notification
Used for breach assessment and notification workflow context referenced by the EDPB breach-guidance grounding material.
European Commission - Standard Contractual Clauses
Supports use of Commission-approved SCCs as a transfer safeguard for EU to non-EU personal-data transfers.
ENISA Guidelines for SMEs on security of personal data processing
Supports risk-based security measures for confidentiality, integrity, and availability of personal data.
Section 5

Review penalties, escalation, and common failure points

GDPR enforcement risk is not limited to fines. Supervisory authorities can investigate, order compliance, restrict processing, suspend data flows, and impose administrative fines. Article 83 ties fines to factors such as gravity, duration, intentional or negligent character, mitigation, responsibility, previous infringements, cooperation, affected data categories, notification, and aggravating or mitigating factors.

The highest fine tier reaches up to EUR 20,000,000 or 4% of total worldwide annual turnover, whichever is higher, for infringements including basic processing principles, data-subject rights, and transfer rules. A lower tier reaches up to EUR 10,000,000 or 2% for obligations including controller and processor duties in Articles 25 to 39. Escalate before launch when a control owner cannot prove lawful basis, notice accuracy, rights handling, retention, processor terms, transfer safeguards, breach readiness, or security testing.

What should a GDPR compliance evidence file contain?

It should contain the processing inventory, controller or processor role decision, lawful basis per purpose, notice text, rights workflow logs, RoPA entry, DPIA screening and assessment, Article 28 processor terms, breach log, transfer mechanism and assessment, retention and erasure rule, security control evidence, approvals, and review triggers.

When does a GDPR breach notification clock matter?

For controller notifications to the supervisory authority, Article 33 uses awareness of a personal-data breach and requires notification without undue delay and, where feasible, not later than 72 hours unless the breach is unlikely to result in risk to rights and freedoms. Late notifications need reasons for the delay.

  • Do not launch processing where no lawful basis has been selected for each purpose.
  • Do not rely on generic retention language such as keeping data as long as necessary without category-specific periods or criteria.
  • Do not sign vendor terms that omit Article 28 instructions, subprocessor controls, audit support, deletion or return, or breach assistance.
  • Do not treat SCCs as complete unless the transfer record also addresses recipient-country risk and the transfer facts that make the clause set appropriate.
  • Do not wait for annual review if a product, supplier, country, data category, security risk, or processing purpose changes materially.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Articles 58 and 83 support supervisory powers, fine factors, and the two administrative-fine tiers.
Recommended next step

Use this GDPR guide to structure implementation evidence

Sorena can turn the GDPR controls on this page into cited answers, owner assignments, evidence requests, and reusable review steps for privacy, product, security, procurement, and legal teams.

Research workflow
Open Research Copilot for GDPR

Ask source-linked questions about GDPR scope, lawful basis, rights, DPIAs, RoPA, processor terms, breaches, transfers, security, and penalties using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your GDPR compliance workflow, source gaps, evidence files, and next implementation steps with Sorena.

Explore next step
Primary sources

References and citations

EDPB Guidelines 05/2020 on consent under GDPR
edpb.europa.eu
Referenced sections
  • Used for consent quality, consent evidence, and withdrawal design where consent is selected as the lawful basis.
"free, specific, informed and unambiguous"
Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Articles 58 and 83 support supervisory powers, fine factors, and the two administrative-fine tiers.
"effective, proportionate and dissuasive"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.