Artifact GuideEU

EU GDPR deadlines and compliance calendar

Track the GDPR dates and response clocks that are actually supported by official sources: applicability, rights requests, breach notification, DPIA review, prior consultation, transfer assessments, and retention checks.

Use this calendar as a source-linked operations reference, not as a substitute for national authority procedures or sector-specific timelines that are not grounded in the cited sources.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 26, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 26, 2026
Overview

This GDPR calendar separates fixed dates, event-driven clocks, and recurring review triggers. It includes only deadlines and timing rules grounded in the cited official sources, so teams do not add unsupported national timelines or informal service levels to the public compliance record.

Section 1

Fixed GDPR dates to anchor the calendar

The GDPR was adopted in 2016 and applies from 25 May 2018. Use 25 May 2018 as the baseline applicability date for EU GDPR calendar records and avoid treating adoption, publication, or corrigendum dates as separate operational compliance deadlines unless a specific source-linked task depends on them.

Directive 95/46/EC was repealed with effect from the same 25 May 2018 date. For legacy privacy program records, keep that as a migration context date rather than a recurring deadline.

  • Calendar entry: GDPR applies from 25 May 2018.
  • Legacy entry: Directive 95/46/EC repeal took effect on 25 May 2018.
  • Do not add annual GDPR anniversary tasks unless they are tied to a real review obligation, such as accountability updates, retention checks, DPIA review, or transfer monitoring.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports the GDPR applicability date and the repeal date for Directive 95/46/EC.
Section 2

Event-driven response clocks

The two clocks most likely to need operational routing are the data subject request clock and the personal data breach clock. Both should start from a documented trigger, not from an internal weekly privacy meeting.

For rights requests under Articles 15 to 22, the controller must respond without undue delay and in any event within one month of receipt. A two-month extension can be used where necessary because of complexity and number of requests, but the data subject must be told about the extension and reasons within one month of receipt.

For personal data breaches, the controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the notification is late, the notification must include reasons for the delay.

  • DSAR clock: receipt of a GDPR rights request starts the one-month response period.
  • DSAR extension control: record complexity or request volume, notify the data subject within one month, and set the extended due date no more than two further months out.
  • Breach clock: awareness of a personal data breach starts the Article 33 authority-notification assessment and 72-hour target.
  • Breach evidence: record awareness time, risk assessment, notification decision, Article 33 content, data-subject communication decision, and reasons for any delayed authority notification.
  • Processor handoff: processors should route suspected breaches to the controller without undue delay so the controller can run the Article 33 assessment.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports Article 12 response timing and Article 33 breach-notification timing.
EDPB data breach notification routing page
Provides official EDPB routing context for data breach notification forms and supervisory authority contacts.
Section 3

DPIA and prior consultation timing

Schedule the DPIA before processing starts when the planned type of processing is likely to result in a high risk to individuals. The calendar trigger should be a project, product, supplier, architecture, data-category, or scope change that may create high-risk processing, not a fixed annual date.

If a DPIA shows that processing would still result in high risk without mitigation, consult the supervisory authority before processing. The GDPR gives the authority up to eight weeks from receipt of the consultation request to provide written advice, extendable by six weeks for complex processing, and the period can be suspended while requested information is outstanding.

After implementation, review the DPIA where necessary at least when the risk represented by processing operations changes. Treat major design changes, new data categories, expanded monitoring, changed sharing, or changed safeguards as calendar reopen triggers.

  • DPIA trigger: likely high-risk processing, assessed before processing begins.
  • Prior consultation trigger: residual high risk shown by the DPIA before processing proceeds.
  • Authority timing: up to eight weeks for written advice, with a possible six-week extension for complexity.
  • DPIA review trigger: change in risk represented by the processing operation.
  • Evidence: DPIA scope, necessity and proportionality assessment, risks, mitigations, DPO advice if requested, residual-risk decision, and review trigger.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports Article 35 DPIA timing, Article 35 review triggers, and Article 36 prior consultation timing.
Irish Data Protection Commission - Data Protection Impact Assessments
Supports early project lifecycle DPIA planning, ongoing DPIA review, and consultation where residual high risk remains.
Section 4

Transfer and SCC review triggers

Do not put a generic annual SCC deadline in the GDPR calendar unless the organization has adopted that cadence internally. The grounded public rule is event-driven: before concluding SCC-based transfers, assess the specific transfer, destination-country laws and practices, and safeguards; then monitor developments that could affect the assessment.

The European Commission Q&A explains that the SCCs require a transfer impact assessment before concluding the SCCs and that the exporter must suspend the transfer if appropriate safeguards cannot be ensured. The EDPB supplementary-measures roadmap adds an ongoing re-evaluation obligation at appropriate intervals and continuous vigilance for developments affecting protection.

Calendar transfer reviews should therefore be tied to new transfer tools, new data importers, changed destinations, changed processing chains, government-access developments, importer notices that it cannot comply, adequacy decision changes, or material changes to supplementary safeguards.

  • Pre-transfer check: map the transfer, select the Article 45 or Article 46 basis, and document whether SCCs or adequacy apply.
  • SCC check: before concluding SCCs, document transfer circumstances, destination laws and practices, and additional safeguards.
  • Ongoing check: monitor destination-country, importer, legal, and safeguard changes that may affect the initial assessment.
  • Escalation: suspend, end, or avoid the transfer where no appropriate safeguards can be ensured.
  • Source limit: this page does not assert a universal fixed SCC annual review date.
Sources for this answer
European Commission - Standard Contractual Clauses
Supports the use of Commission pre-approved SCCs for EU-to-third-country transfers.
European Commission - New Standard Contractual Clauses Q&A
Supports transfer impact assessment timing before concluding SCCs and suspension where safeguards cannot be ensured.
EDPB Recommendations 01/2020 on supplementary measures
Supports ongoing re-evaluation of transfer protection and monitoring developments affecting third-country transfers.
Section 5

Retention and accountability review operations

The GDPR does not give one universal retention period for all personal data. Calendar retention work should therefore be attached to purposes, legal bases, data categories, systems, contracts, statutory retention needs, and deletion or anonymisation controls.

Use the storage limitation principle as the calendar anchor: personal data should not be kept in identifiable form for longer than necessary for the processing purposes, subject to the GDPR's longer-storage conditions for archiving in the public interest, research, or statistical purposes with safeguards.

Article 24 also requires controllers to implement measures to ensure and demonstrate GDPR compliance and to review and update those measures where necessary. That supports recurring operational reviews, but it does not create a single fixed EU-wide date for every organization.

  • Retention register row: purpose, data category, system, legal basis, retention criterion or period, deletion action, owner, and evidence location.
  • Review trigger: new purpose, new lawful basis, contract change, product retirement, litigation hold, incident finding, DPIA change, or data subject request trend.
  • Deletion evidence: system logs, purge report, anonymisation record, exception approval, or legal-hold reference.
  • Source limit: do not invent sector retention periods or national archival rules unless a cited source in the relevant jurisdiction supports them.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports storage limitation, accountability, and review/update operations where necessary.
Section 6

Source limits for this calendar

This page intentionally excludes unsupported national authority timelines, informal SLA targets, and sector procedures. Add those only in a separate jurisdiction-specific artifact when the grounding folder contains a source for the exact timeline.

Use this artifact as a public-facing GDPR operations calendar for source-linked clocks. Internal teams can add stricter service levels, but those should be labelled as internal controls rather than GDPR deadlines.

  • Included: GDPR applicability date, DSAR response clock, breach 72-hour clock, DPIA and prior consultation timing, transfer review triggers, and retention/accountability review operations.
  • Excluded: national complaint handling times, authority-specific breach form deadlines beyond Article 33, sector retention periods, and unsupported annual review dates.
  • Citation rule: every public source URL on this page is external, HTTPS, and includes ref=sorena.io.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Primary legal source for the included GDPR timing rules and source limits.
Recommended next step

Use this GDPR calendar as a cited operating reference

Sorena can help convert these source-linked GDPR clocks into request queues, incident runbooks, DPIA gates, transfer reviews, and retention checks with owner and evidence fields.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about GDPR deadlines, breach notification, DSAR timing, DPIAs, transfers, and retention using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your GDPR calendar, source gaps, and operational evidence model with Sorena.

Explore next step
Primary sources

References and citations

Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Primary legal source for the included GDPR timing rules and source limits.
"binding in its entirety"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.