EU GDPR FAQ

Practical answers for teams building GDPR controls and evidence.

Use this page as a navigation map to the deeper implementation subpages.

Author: Sorena AI
Published: Feb 21, 2026
Updated: Feb 21, 2026
Questions: 6 (structured answer sets in this page tree)
Primary sources: 3 (cited legal and guidance references)

Overview

These are the GDPR questions that recur in real implementation work: scope, timing, lawful basis, DSAR extensions, breach awareness, Chapter V transfers, DPF reliance, vendor clauses, and RoPA upkeep. The answers below focus on what teams actually need to build and preserve as evidence.

Question 1

Does GDPR apply to my company if we're not in the EU?

GDPR can apply to a company outside the EU through its territorial scope (Article 3), for example where you target data subjects in the EU or monitor their behaviour in the EU.

The right output is an Article 3 mapping with facts and evidence, not a vague conclusion.

  • Run the applicability test and document the Article 3 path.
  • If Article 3(2) applies, assess representative obligations (Article 27).
  • If you have transfers, plan Chapter V safeguards early.

Question 3

How do we meet DSAR deadlines in practice?

DSAR compliance is a workflow: intake -> identity -> search -> response -> evidence.

Most failures come from missing systems in the search scope and weak deadline tracking.

  • Build a DSAR data map (systems + identifiers + vendor scope).
  • Standardize response packages per right and track the 1-month SLA.
  • Keep an evidence pack per request (logs, decisions, delivered response).

Question 4

When do we need a DPIA?

DPIAs are required for processing that is likely to result in high risk (Article 35). Use a screening checklist so the decision is made early in design rather than after launch.

A good DPIA produces mitigations that engineering teams can ship and a documented residual-risk sign-off.

  • Run screening on new features that introduce monitoring, profiling, sensitive data, or large-scale processing.
  • Keep a DPIA register and link mitigations to backlog items.
  • If residual high risk remains, evaluate prior consultation (Article 36).

Question 5

How does the 72-hour breach notification work?

The core operational problem is timekeeping: establishing and evidencing the moment the controller became aware of a personal data breach, because the 72-hour clock runs from that moment.

Use an awareness criteria checklist, document the timestamp, and notify in phases if needed.

  • Build a breach classification and risk rubric aligned to Articles 33-34.
  • Prepare notification and communication templates in advance.
  • Keep an incident evidence pack: timeline, logs, decisions, communications, remediation.

Question 6

Do SCCs automatically make transfers compliant?

SCCs are a mechanism, not a magic shield. You still need to map transfers, assess risks, and implement supplementary measures where appropriate.

Treat SCCs as an implementation project: configuration, logging, and governance.

  • Build a transfer map (destinations, vendors, onward transfers).
  • Use Commission SCC resources and maintain packs per vendor/destination.
  • Run transfer impact assessments (TIAs) and monitor changes in destination risk and vendor practices.

Recommended next step

Use EU GDPR FAQ as a cited research workflow

Research Copilot can turn the EU GDPR FAQ, with its cited answers to recurring questions on this topic, into a reusable workflow inside Sorena. Teams working on EU GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Related guides

  • EU GDPR Checklist (Regulation (EU) 2016/679) | Audit-Ready Controls, Owners, Evidence, and Common Pitfalls
    An audit-ready GDPR checklist: scope and role mapping, lawful basis and consent, transparency and notices, DSAR workflows, DPIA governance, security measures.
  • EU GDPR Compliance Guide | Build a Repeatable Program: Inventory, Controls, Evidence, and Operating Cadence
    An execution-oriented GDPR compliance guide for Regulation (EU) 2016/679: program setup, governance, control design, evidence exports.
  • EU GDPR Requirements (Regulation (EU) 2016/679) | Obligations Map: Scope, Rights, Security, DPIA, Vendors, Transfers + Evidence Index
    A practical GDPR requirements breakdown: scope (Articles 2-3), principles (Article 5), lawful basis (Articles 6-7), transparency (Articles 12-14).
  • GDPR Applicability Test (Article 2-3) | Territorial Scope, Establishment vs Targeting, Roles, and Edge Cases
    A practical GDPR applicability test for Regulation (EU) 2016/679: check material scope (Article 2), territorial scope (Article 3), establishment vs targeting.
  • GDPR Breach Notification (72 Hours) | Article 33-34 Workflow, Awareness Timestamp, Risk Test, and Evidence Pack
    An execution-ready guide to GDPR breach notification built on Articles 33 and 34 and the EDPB breach-notification guidelines.
  • GDPR Data Subject Rights + DSAR Workflow | Articles 12-22 Playbook: Intake, Identity, Search, Response, Exceptions, Evidence
    A practical DSAR (data subject access request) playbook for GDPR Articles 12-22: build intake and identity verification, define system search scope.
  • GDPR Deadlines and Compliance Calendar | DSAR 1-Month SLA, Breach 72 Hours, DPIA Cadence, Vendor Reviews, Transfer Monitoring
    A grounded GDPR compliance calendar that combines fixed legal milestones (27 April 2016 adoption, 25 May 2018 application, the 2021 SCC overhaul) with recurring operational deadlines.
  • GDPR DPIA (Article 35) + Risk Management | Triggers, Template, Controls, Residual Risk Sign-off, and Prior Consultation (Article 36)
    A practical DPIA guide for GDPR Articles 35-36: how to screen for DPIA triggers and run a risk assessment focused on rights and freedoms.
  • GDPR International Transfers (Chapter V) + SCCs | Transfer Map, Adequacy, SCC Packs, TIA, Supplementary Measures, and Monitoring
    A practical guide to GDPR international transfers (Chapter V): how to build a transfer map and choose mechanisms (adequacy vs SCCs).
  • GDPR Lawful Basis (Article 6) + Consent (Article 7) | How to Choose, Document, Implement, and Prove Compliance
    A practical guide to GDPR lawful bases (Article 6) and consent (Article 7): how to select a lawful basis per purpose, and when consent is appropriate vs risky.
  • GDPR Penalties and Fines | Articles 83-84 Explained + Risk Reduction Controls and Evidence
    A practical penalties guide for GDPR enforcement: how administrative fines work under Articles 83-84, what factors drive exposure (purpose drift.
  • GDPR Processor Contracts (Article 28) + Vendor Management | DPA Checklist, Sub-processors, Security Evidence, Transfers/SCCs
    A practical vendor management guide for GDPR: how to operationalize Article 28 processor contracts and define controller vs processor roles.
  • GDPR RoPA Template (Article 30) | Record of Processing Activities: Fields, Examples, and Evidence Tips
    A practical Record of Processing Activities (RoPA) template for GDPR Article 30: controller and processor fields.
  • GDPR vs CCPA/CPRA | Key Differences in Scope, Rights, Legal Bases, and Operational Compliance (DSAR, Vendors, Transfers)
    A practical comparison of GDPR (EU) and CCPA/CPRA (California): differences in applicability triggers, roles, and legal bases versus sale/share models.
  • GDPR vs UK GDPR | Practical Differences for Scope, Enforcement, Transfers (EU SCCs vs UK IDTA/Addendum), and Evidence
    A practical comparison of EU GDPR and UK GDPR: territorial scope triggers, regulator structure (one-stop-shop vs ICO), and cross-border processing implications.