Answers to recurring GDPR questions about territorial scope, controller and processor roles, lawful basis, rights requests, DPIAs, breach notification, transfer mechanisms, and penalty tiers.
Each answer stays at EU-level GDPR grounding and avoids national procedures, derogations, or authority-specific variants unless the cited source supports them.
Structured answer sets in this page tree.
Cited legal and guidance references.
Use this EU GDPR FAQ for source-linked answers to core GDPR implementation questions: when GDPR applies, how to separate controller and processor duties, which lawful basis to record, how rights requests work, when a DPIA or breach notice is triggered, what transfer safeguards are available, and how Article 83 fine tiers are framed.
These focused FAQ modules break this artifact into narrower answer sets so teams can move straight to the right source-backed guidance.
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.
The GDPR applies to processing of personal data in the context of an establishment of a controller or processor in the Union, regardless of whether the processing itself takes place in the Union. It can also apply to non-EU controllers or processors when the processing relates to offering goods or services to people in the Union, or monitoring their behaviour in the Union.
Scope is assessed by processing activity, not just by company headquarters. A business can have some processing activities in scope and others outside the GDPR, so the FAQ answer should identify the activity, people affected, role, establishment or targeting facts, and data involved.
No. GDPR Article 3 can apply because a controller or processor has an EU establishment, or because a non-EU controller or processor offers goods or services to people in the Union or monitors their behaviour there.
Yes. EDPB territorial-scope guidance treats scope as a processing-activity assessment, so teams should document the specific activity rather than making a company-wide assumption.
A controller determines the purposes and means of processing. A processor processes personal data on behalf of a controller. Joint controllers jointly determine purposes and means, and must transparently allocate responsibilities for GDPR duties.
The label in a vendor form is not decisive. The role analysis should use the actual decision-making facts: who decides why data is processed, what data is processed, how long it is kept, who receives it, and whether another party acts only on documented instructions.
No. A vendor is a processor only for processing it performs on behalf of a controller under documented instructions. If the vendor decides its own purposes and essential means, it may be a controller for that activity.
Article 28 requires a binding contract or legal act covering documented instructions, confidentiality, security measures, subprocessor controls, assistance with rights and other controller duties, return or deletion, audits, and compliance information.
Every processing purpose needs a lawful basis under Article 6 before the processing starts. The six Article 6 bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Consent is only one lawful basis and must be freely given, specific, informed, and unambiguous. If the service is conditional on consent to processing that is not necessary for the contract, or if the person cannot withdraw without detriment, the consent answer is risky and another lawful basis may be needed.
No. The lawful basis should be identified before processing because it controls transparency, rights handling, records, and whether the processing is lawful.
No. Consent is valid only when the GDPR and EDPB consent conditions are met. Where consent is not freely given or is bundled with unnecessary processing, another Article 6 basis may be more appropriate if the facts support it.
GDPR rights include transparent information, access, rectification, erasure, restriction, portability, objection, and rights related to automated individual decision-making. For access requests, the controller should confirm whether it processes the person's data, provide access to the personal data, and provide information about the processing.
The response process should identify the requester, locate personal data across relevant systems, apply any GDPR-supported limits carefully, and respond as soon as possible and in any event within one month unless an extension is justified by complexity or number of requests.
No. Each right has its own GDPR conditions. Access, erasure, portability, restriction, objection, and rectification requests should be routed to the rule that matches the request and lawful basis.
EDPB access guidance says the controller must fulfill the request as soon as possible and in any event within one month of receipt, with a possible two-month extension where necessary because of complexity or number of requests.
A data protection impact assessment is required before processing that is likely to result in high risk to the rights and freedoms of natural persons, taking account of the nature, scope, context, and purposes of the processing, especially where new technologies are used.
Article 35 gives examples including systematic and extensive evaluation with legal or similarly significant effects, large-scale processing of special categories or criminal-offence data, and systematic monitoring of publicly accessible areas on a large scale. If a DPIA still indicates high risk in the absence of measures, Article 36 prior consultation may be required before processing.
No. Article 35 requires a DPIA where processing is likely to result in high risk. Lower-risk processing still needs GDPR compliance evidence, but not every activity requires a DPIA.
Article 35(7) requires at least a systematic description of processing and purposes, an assessment of necessity and proportionality, an assessment of risks to people, and the measures planned to address those risks.
A controller must notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A processor must notify the controller without undue delay after becoming aware of a personal data breach.
Data-subject communication is a separate Article 34 question. It is required without undue delay when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless an Article 34 exception applies.
No. The Article 33 clock concerns personal data breaches. Teams should first decide whether a security incident compromised personal data, then assess risk to individuals.
No. Supervisory-authority notification uses the Article 33 risk threshold; data-subject communication under Article 34 uses a high-risk threshold.
Chapter V applies when personal data is transferred to a third country or international organisation. A transfer can rely on an adequacy decision, or, in the absence of adequacy, appropriate safeguards such as standard contractual clauses, provided enforceable data subject rights and effective legal remedies are available.
Standard contractual clauses are not just a template attachment. After Schrems II and EDPB supplementary-measures guidance, exporters should assess the transfer circumstances and whether the transfer tool works in practice, including whether supplementary measures are needed.
No. SCCs are an Article 46 safeguard, but the transfer still needs an assessment of whether the clauses can be complied with in practice and whether supplementary measures are needed.
Identify whether personal data leaves the GDPR-protected context for a third country or international organisation, then check adequacy, appropriate safeguards, and any needed supplementary measures.
GDPR Article 83 requires administrative fines to be effective, proportionate, and dissuasive in each individual case. It sets two main maximum tiers: up to EUR 10,000,000 or 2% of total worldwide annual turnover for certain infringements, and up to EUR 20,000,000 or 4% of total worldwide annual turnover for more serious infringements, in each case whichever is higher for undertakings.
The FAQ should not invent national penalty variants. Article 83 also states that Member States may lay down rules on administrative fines for public authorities and bodies, and Article 84 covers other penalties, so national details should be handled only with separate grounded national sources.
No. Article 83 has different tiers and requires the supervisory authority to assess the circumstances of the individual case. The 4% tier is a maximum for specified infringements, not an automatic amount.
No. This root EU GDPR FAQ should stay with Article 83 and Article 84 unless a separate grounded national source supports the country-specific penalty rule.
Sorena can help convert GDPR scope, role, lawful-basis, rights, DPIA, breach, transfer, and penalty questions into cited records and implementation tasks.
Ask source-linked questions about GDPR scope, roles, lawful basis, rights, DPIAs, breaches, transfers, and Article 83 fines using the cited sources on this page.
Review your GDPR scope, role, lawful-basis, rights, DPIA, breach, transfer, and evidence gaps with Sorena.
"consent; contract; legal obligation; vital interests; public task; or legitimate interests"
"DPIAs will be mandatory for any new high risk processing projects"
"within one month"
"free, specific, informed and unambiguous"
"controller and processor"
"establishment criterion"
"reasonable degree of certainty"
"supplementary measures"
"Standard Contractual Clauses"
"not later than 72 hours after having become aware"
"effective, proportionate and dissuasive"
"likely to result in a high risk"
"transfers of personal data to third countries"