---
title: "EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers"
canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/items"
author: "Sorena AI"
description: "Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU GDPR FAQ"
  - "GDPR scope"
  - "lawful basis"
  - "data subject rights"
  - "DPIA"
  - "breach notification"
  - "international transfers"
  - "controller processor"
  - "Article 83 fines"
  - "EU GDPR"
  - "GDPR FAQ"
  - "scope"
---

# EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers

Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.

*Artifact Guide* *EU*

## EU GDPR Frequently asked questions

Answers to recurring GDPR questions about territorial scope, controller and processor roles, lawful basis, rights requests, DPIAs, breach notification, transfer mechanisms, and penalty tiers.

Each answer stays at EU-level GDPR grounding and avoids national procedures, derogations, or authority-specific variants unless the cited source supports them.

Use this EU GDPR FAQ for source-linked answers to core GDPR implementation questions: when GDPR applies, how to separate controller and processor duties, which lawful basis to record, how rights requests work, when a DPIA or breach notice is triggered, what transfer safeguards are available, and how Article 83 fine tiers are framed.

## Browse sub-FAQ modules

### [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md)

A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.

- 4 items

### [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md)

FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.

- 5 items

### [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md)

FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.

- 5 items

### [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md)

Source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.

- 3 items

### [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md)

Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.

- 4 items

### [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md)

Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.

- 4 items

### [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md)

GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.

- 4 items

Browse all indexed questions: [/artifacts/eu/general-data-protection-regulation/faq/items](/artifacts/eu/general-data-protection-regulation/faq/items.md)

## All FAQ items

*Page 1 of 2. Showing 20 of 29 items.*

### [Does GDPR Article 3 apply to a non-EU organization?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md#does-gdpr-article-3-apply-to-a-non-eu-organization)

*Module: [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md)*

It can, but only through the Article 3 triggers. First, GDPR applies to processing carried out in the context of the activities of an establishment of a controller or processor in the Union, even if the processing itself takes place outside the Union.

- Start with Article 3(1): identify any EU establishment and explain how the processing is carried out in the context of that establishment's activities.
- If there is no EU establishment trigger, test Article 3(2)(a): whether the processing relates to offering goods or services to data subjects who are in the Union.
- Separately test Article 3(2)(b): whether the processing relates to monitoring behavior that takes place within the Union.
- Avoid unsupported conclusions such as "EU user equals GDPR" or "non-EU company equals out of scope"; document the actual processing activity and the trigger that applies.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Provides the binding Article 3 territorial-scope triggers and Article 27 representative rule.
- [EDPB Guidelines 3/2018 on territorial scope](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en?ref=sorena.io) - Explains the establishment and targeting criteria and states that Article 3 is assessed against the relevant processing activity.

### [What facts show offering goods or services to people in the Union?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md#what-facts-show-offering-goods-or-services-to-people-in-the-union)

*Module: [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md)*

For Article 3(2)(a), the key question is whether the controller or processor appears to envisage offering goods or services to data subjects in one or more EU Member States. Payment is not required.

- Keep screenshots or product records showing EU countries, delivery areas, booking availability, account creation, or checkout paths.
- Record language, currency, domain, ad-campaign, search-marketing, and customer-reference signals together; one weak signal may not be enough on its own.
- Distinguish intentional EU offering from incidental use by a person who happens to travel into the Union.
- Map the evidence to the processing activity, such as account registration, payment, shipping, customer support, personalization, or marketing.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 3(2)(a) applies to offering goods or services to data subjects in the Union, whether or not payment is required.
- [EDPB Guidelines 3/2018 on territorial scope](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en?ref=sorena.io) - Lists practical targeting indicators and warns that mere website accessibility in the Union is insufficient by itself.

### [What counts as monitoring behavior in the Union?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md#what-counts-as-monitoring-behavior-in-the-union)

*Module: [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md)*

Article 3(2)(b) applies where the processing relates to monitoring data subjects' behavior and that behavior takes place within the Union. The EDPB says monitoring requires attention to the controller's purpose, especially later behavioral analysis or profiling; not every collection or analysis of data from people in the Union is automatically monitoring.

- Identify the behavior observed, where it takes place, and the personal data used to observe it.
- Record whether tracking, profiling, prediction, segmentation, targeted advertising, or individualized reporting is part of the purpose.
- Separate ordinary service logging from behavior monitoring when there is no later behavioral analysis or profiling purpose.
- For processors, document whether their processing is related to the controller's EU-targeting or EU-monitoring activity.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 3(2)(b) covers monitoring behavior where the behavior takes place within the Union.
- [EDPB Guidelines 3/2018 on territorial scope](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en?ref=sorena.io) - Explains that monitoring depends on purpose and behavioral analysis or profiling, and gives examples such as cookies, fingerprinting, geolocation, CCTV, and health-status monitoring.

### [When is an EU representative needed?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md#when-is-an-eu-representative-needed)

*Module: [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md)*

Where Article 3(2) applies, a non-EU controller or processor must designate a representative in the Union unless an Article 27(2) exemption applies. The GDPR exemptions are narrow: certain occasional, low-risk processing without large-scale special-category or criminal-offence data, or processing by a public authority or body.

- Keep the written representative mandate and the Member State rationale tied to where affected data subjects are located.
- Keep representative contact details aligned with privacy notices and other Article 13 or 14 information given to data subjects.
- Keep enough processing-record information available for the representative to produce records when addressed under Article 27 and Article 30.
- Do not rely on the representative as a substitute controller, processor, or DPO without checking the EDPB conflict guidance.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 27 requires a written representative for Article 3(2) controllers or processors and states the exemptions, location rule, mandate, and liability reservation.
- [EDPB Guidelines 3/2018 on territorial scope](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en?ref=sorena.io) - Explains representative designation, accessibility, privacy-notice disclosure, record availability, and the distinction from an Article 3(1) establishment.

### [What are the six Article 6 lawful bases?](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md#what-are-the-six-article-6-lawful-bases)

*Module: [EU GDPR Article 6 Legal Bases](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md)*

Article 6(1) GDPR lists six lawful bases: consent for one or more specific purposes; necessity for a contract with the data subject or pre-contract steps requested by the data subject; necessity for a legal obligation that applies to the controller; necessity to protect vital interests; necessity for a public-interest task or official authority vested in the controller; and necessity for legitimate interests pursued by the controller or a third party, unless overridden by the data subject's interests or fundamental rights and freedoms.

- Consent: record the specific purpose and the affirmative consent event.
- Contract: show why the processing is necessary to perform the contract or requested pre-contract step.
- Legal obligation: identify the Union or Member State law that requires the controller to process the data.
- Vital interests: reserve for protection of a natural person's vital interests.
- Public task or official authority: link the processing to the public-interest task or official authority vested in the controller.
- Legitimate interests: document the interest, necessity, and balancing test, including child or rights impacts.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 6 lists the six lawful bases and states that processing is lawful only if at least one applies.
- [Data Protection Commission - Guidance on Legal Bases for Processing Personal Data](https://www.dataprotection.ie/en/dpc-guidance/guidance-legal-bases-processing-personal-data?ref=sorena.io) - Explains that controllers should identify their reason or justification for processing and names the six Article 6 bases.

### [When is consent risky as the lawful basis?](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md#when-is-consent-risky-as-the-lawful-basis)

*Module: [EU GDPR Article 6 Legal Bases](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md)*

Consent must be freely given, specific, informed, and unambiguous, and Article 7 requires the controller to demonstrate consent. It must be as easy to withdraw as to give, and withdrawal does not invalidate processing that was lawful before withdrawal.

- Do not use consent for data that is actually necessary to perform the requested service; test Article 6(1)(b) instead.
- Do not bundle optional marketing, sharing, or analytics purposes into one all-or-nothing consent.
- Keep enough consent records to show who consented, for what purpose, through which action, and what information was shown.
- Give withdrawal through a practical route that is not harder than the original consent route.
- Do not silently switch withdrawn or invalid consent to legitimate interests after collection.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 7 sets consent demonstration, clear-language, withdrawal, and conditionality requirements.
- [EDPB Guidelines 05/2020 on consent under Regulation 2016/679](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/edpb-guidelines-052020-consent-under-regulation-2016679_en?ref=sorena.io) - Explains free choice, power imbalance, conditionality, granularity, consent records, withdrawal, and limits on switching lawful bases.

### [How should legitimate interests be documented?](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md#how-should-legitimate-interests-be-documented)

*Module: [EU GDPR Article 6 Legal Bases](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md)*

Article 6(1)(f) is available where processing is necessary for legitimate interests pursued by the controller or a third party, unless those interests are overridden by the data subject's interests or fundamental rights and freedoms. The GDPR text specifically highlights protection of children in this balancing exercise.

- Name the concrete interest, not a generic business preference.
- Explain why less intrusive processing would not achieve the same purpose.
- Assess affected people, reasonable expectations, sensitivity, consequences, and safeguards.
- Do not use Article 6(1)(f) for public authorities processing in the performance of their tasks.
- Reassess the balance when the purpose, data categories, profiling, user group, or safeguards change.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 6(1)(f) sets the legitimate-interests basis and excludes public authorities using it for processing in the performance of their tasks.

### [What limits apply to legal obligation and public task?](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md#what-limits-apply-to-legal-obligation-and-public-task)

*Module: [EU GDPR Article 6 Legal Bases](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md)*

Article 6(1)(c) covers processing necessary for compliance with a legal obligation to which the controller is subject. Article 6(1)(e) covers processing necessary for a public-interest task or official authority vested in the controller.

- For legal obligation, cite the law that applies to the controller and requires the processing.
- For public task, cite the public-interest task or official authority vested in the controller.
- Do not treat internal policy, customer preference, or a contract clause as a GDPR Article 6(1)(c) legal obligation.
- Do not invent Member State details unless the cited source in the record provides them.
- Keep the cited legal basis, purpose, data categories, affected data subjects, recipients, retention logic, and safeguards together in the processing record.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 6(3) requires Article 6(1)(c) and 6(1)(e) processing to be based on Union or Member State law and limits the purpose and proportionality of that basis.

### [How does Article 9 special-category data change the answer?](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md#how-does-article-9-special-category-data-change-the-answer)

*Module: [EU GDPR Article 6 Legal Bases](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md)*

Article 6 lawfulness is not the whole analysis when special-category data is involved. Article 9 separately prohibits processing data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, or data about a person's sex life or sexual orientation unless an Article 9(2) condition applies.

- First identify the Article 6 lawful basis for the processing purpose.
- Then identify the Article 9(2) condition if the data is special-category data.
- Do not describe Article 9 explicit consent as the same thing as ordinary Article 6 consent.
- Flag health, biometric identification, union membership, political, religious, racial or ethnic, genetic, sex-life, and sexual-orientation data before launch.
- Escalate if the asserted Article 9 condition depends on Union or Member State law not present in the source record.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 9 defines special-category data, states the prohibition, and lists conditions that can lift the prohibition.
- [EDPB Guidelines 05/2020 on consent under Regulation 2016/679](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/edpb-guidelines-052020-consent-under-regulation-2016679_en?ref=sorena.io) - Explains that explicit consent is one Article 9 condition and discusses the additional standard for valid consent.

### [When can a controller extend a DSAR response?](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md#when-can-a-controller-extend-a-dsar-response)

*Module: [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md)*

Article 12(3) requires the controller to provide information on action taken without undue delay and in any event within one month of receiving the request. The controller may extend that period by two further months only where necessary, taking into account the complexity and number of requests.

- Record the date the request was received and the first one-month response deadline.
- Identify the concrete complexity or request volume that makes the extension necessary.
- Send the extension notice within the first month, with reasons for the delay.
- Do not extend merely because a processor or internal team is slow to retrieve information.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 12(3) sets the one-month DSAR response period and the two-month extension rule.
- [EDPB Guidelines 01/2022 on data subject rights - Right of access](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - EDPB access-right guidance explains that access must be fulfilled as soon as possible and that extension depends on complexity and number of requests.

### [When can a controller ask for identity information?](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md#when-can-a-controller-ask-for-identity-information)

*Module: [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md)*

A controller may request additional information only where it has reasonable doubts about the identity of the person making the request. The additional information must be necessary to confirm identity, not a routine barrier to exercising rights.

- Do not demand extra identity documents for every DSAR by default.
- Record the reasonable doubt that triggered the identity check.
- Ask only for information necessary to confirm the requester's identity or authority.
- For third-party or proxy requests, verify authority before disclosing personal data.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 12(2) and 12(6) cover facilitation of rights, inability to identify the data subject, and additional identity information where reasonable doubts exist.
- [EDPB Guidelines 01/2022 on data subject rights - Right of access](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - EDPB guidance says identity checks must be proportionate to the data and potential damage, avoiding excessive data collection.

### [When can a controller charge a fee or refuse a DSAR?](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md#when-can-a-controller-charge-a-fee-or-refuse-a-dsar)

*Module: [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md)*

Article 12(5) starts from a free-of-charge rule. A controller may charge a reasonable fee or refuse to act only where the request is manifestly unfounded or excessive, in particular because of its repetitive character. The controller bears the burden of demonstrating that condition.

- Test whether Article 15 is clearly not met before calling a request manifestly unfounded.
- For repetitive requests, compare the interval, data-change frequency, data sensitivity, processing purpose, and overlap with prior requests.
- Consider whether combining overlapping requests or charging administrative costs is more appropriate than refusal.
- If refusing, tell the data subject the reasons, complaint right, and judicial remedy route no later than one month after receipt.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 12(5) sets the manifestly unfounded or excessive threshold, fee/refusal options, and controller burden of proof.
- [EDPB Guidelines 01/2022 on data subject rights - Right of access](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - EDPB access-right guidance explains narrow interpretation, repetitive-request assessment, fee handling, and refusal notice content.

### [Can access be narrowed to protect other people's rights?](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md#can-access-be-narrowed-to-protect-other-peoples-rights)

*Module: [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md)*

Article 15(4) says the right to obtain a copy must not adversely affect the rights and freedoms of others. That is not a general permission to reject the whole DSAR. The controller should assess the concrete conflict and provide access in an adjusted form where reconciliation is possible.

- Identify the specific rights or freedoms of others that would be affected.
- Assess the likelihood and severity of the adverse effect.
- Use redaction, extraction, or partial disclosure where those measures solve the conflict.
- Document why any withheld part could not be disclosed without adversely affecting others.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 15(3) requires a copy of personal data undergoing processing, and Article 15(4) limits copies where rights and freedoms of others would be adversely affected.
- [EDPB Guidelines 01/2022 on data subject rights - Right of access](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - EDPB access-right guidance explains balancing and adjusted disclosure under Article 15(4).

### [What evidence should a DSAR exceptions record keep?](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md#what-evidence-should-a-dsar-exceptions-record-keep)

*Module: [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md)*

The record should show that the controller started from the right of access and applied only the grounded limit needed for the specific request. It should be usable by privacy, legal, support, and product teams without adding unsupported national derogations or authority-specific procedures.

- Request receipt date, channel, requester, authority or proxy check, and identity-check rationale.
- Data stores searched and whether the request covered all or only part of the data subject's personal data.
- Any extension notice, its date, and the concrete complexity or volume reasons.
- Any Article 12(5) fee or refusal decision, with facts proving manifestly unfounded or excessive character.
- Any Article 15(4) redactions, the affected third-party rights, and why partial disclosure was sufficient or not.
- If a legal restriction is invoked, the Union or Member State provision, conditions checked, and when the restriction should be lifted.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Articles 12, 15, and 23 provide the GDPR-level rules for DSAR modalities, copies, refusal, fees, identity checks, and legal restrictions.
- [EDPB Guidelines 01/2022 on data subject rights - Right of access](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - EDPB access-right guidance recommends case-by-case documentation for manifestly unfounded or excessive access requests and cautions controllers to check Article 23 restriction conditions carefully.

### [How should teams handle an SCC transfer impact assessment?](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md#how-should-teams-handle-an-scc-transfer-impact-assessment)

*Module: [EU GDPR SCC Transfer Impact Assessment](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md)*

Handle it as a transfer-specific Article 46 check, not as a generic privacy review. First map the transfer: exporter, importer, roles, destination country, onward transfers, categories and format of personal data, processing purpose, transfer route, storage location, recipient type, economic sector, and processing-chain length.

- Start with the Article 45 adequacy check before using SCCs as the Article 46 transfer tool.
- Use the SCC module that matches the parties' roles: controller-to-controller, controller-to-processor, processor-to-processor, or processor-to-controller.
- Complete the SCC annexes so the transfer, data categories, purposes, roles, safeguards, sub-processors, and competent authority are clear.
- Record the Clause 14 assessment of relevant destination-country laws and practices, public-authority access risks, and any contractual, technical, or organisational safeguards.
- Suspend the transfer if the exporter concludes appropriate safeguards cannot be ensured, or if the competent supervisory authority instructs suspension.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - GDPR Chapter V sets the sequence for international transfers: Article 45 adequacy decisions, Article 46 appropriate safeguards, and Article 49 derogations.
- [European Commission - Adequacy decisions](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en?ref=sorena.io) - Commission source for checking whether an adequacy decision covers the destination before SCCs are used.
- [European Commission SCC Q&A](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en?ref=sorena.io) - Commission Q&A explains SCC modules, annex completion, and the transfer impact assessment required under Clause 14.

### [What should the assessment record?](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md#what-should-the-assessment-record)

*Module: [EU GDPR SCC Transfer Impact Assessment](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md)*

The record should be specific enough to show why the SCCs work for this transfer. Under Clause 14, the parties take due account of the transfer's circumstances, relevant destination-country laws and practices, and safeguards that supplement the clauses. The importer should provide relevant information and continue cooperating with the exporter.

- Exporter, importer, controller/processor role, SCC module, signatories, governing choices, and competent supervisory authority.
- Categories of data subjects, personal data categories, sensitive-data indicators, transfer purpose, retention, storage location, transmission channel, and onward-transfer chain.
- Destination-country laws and practices relevant to the importer and transfer, including public-authority disclosure or direct-access risks.
- Objective support used in the assessment, such as case law, independent oversight reports, sector request history, or documented practical experience where lawfully shareable and corroborated.
- Supplementary contractual, technical, and organisational safeguards, plus why they are effective for the destination country, importer, data format, and processing context.
- Decision outcome, approver, importer notice duties, suspension or termination criteria, reassessment trigger, and the date of the next review.

Sources for this answer:

- [Commission Implementing Decision (EU) 2021/914](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&ref=sorena.io) - Binding SCC decision containing Clause 14 local-law assessment, supplementary safeguards, importer cooperation, public-authority access duties, and suspension/termination mechanics.
- [European Commission SCC Q&A](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en?ref=sorena.io) - Commission Q&A lists the transfer details to clarify in SCC annexes and explains the Clause 14 transfer impact assessment.

### [When do supplementary measures or suspension become necessary?](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md#when-do-supplementary-measures-or-suspension-become-necessary)

*Module: [EU GDPR SCC Transfer Impact Assessment](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md)*

Supplementary measures are needed when the Clause 14 assessment is negative or shows that the SCCs alone may not ensure the required protection. The measures can be contractual, technical, or organisational, but they must actually address the identified gap for the specific transfer.

- Use supplementary safeguards only after identifying the specific law, practice, access risk, data format, or importer constraint they address.
- Do not treat policy promises alone as sufficient where the risk requires a technical or organisational control.
- Require the importer to notify the exporter promptly if it has reason to believe that destination-country laws, practices, or disclosure requests mean it is, or has become, unable to comply with the clauses.
- Suspend the transfer when appropriate safeguards cannot be ensured, and document whether termination, return, or deletion is required under the SCCs.
- Reopen the assessment after new onward transfers, destination-country legal changes, importer control changes, public-authority access events, data-category changes, or security-control changes.

Sources for this answer:

- [Commission Implementing Decision (EU) 2021/914](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&ref=sorena.io) - Binding SCC decision for importer notice, public-authority access obligations, supplementary safeguards, suspension, termination, and return-or-delete outcomes.
- [European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Commission SCC overview confirming SCCs as pre-approved clauses for EU-to-third-country GDPR transfers and linking to the modernised SCC materials.

### [Short answer: how do you tell a processor from a controller?](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md#short-answer-how-do-you-tell-a-processor-from-a-controller)

*Module: [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md)*

A controller is the party that determines why personal data is processed and the essential means of that processing. A processor is a separate party that processes personal data on behalf of the controller and must not use the data for its own purposes outside the controller's instructions.

- Start with the specific processing activity, not the whole vendor, group company, or product.
- Label a party as controller when it decides the purpose or essential means of that processing.
- Label a party as processor when it is separate from the controller and acts on the controller's behalf under instructions.
- Treat a processor that starts using the data for its own purposes as a controller for that processing.
- Do not treat employees or internal teams as separate processors merely because they handle personal data under the organisation's authority.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 4](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 4 defines controller by determination of purposes and means, and processor by processing personal data on behalf of the controller.
- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance explains that role labels are functional and must be assessed against the actual processing activity.

### [When do Article 28 processor terms apply?](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md#when-do-article-28-processor-terms-apply)

*Module: [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md)*

Article 28 applies when processing is carried out on behalf of a controller. The controller must use only processors that provide sufficient guarantees for appropriate technical and organisational measures, and the processing must be governed by a binding contract or other legal act.

- Keep documented controller instructions, including instructions on international transfers where relevant.
- Record confidentiality duties for authorised personnel and the Article 32 security measures required for the service.
- Track prior specific or general written authorisation for subprocessors and objections to subprocessor changes.
- Document assistance with data-subject rights, security, breach notification inputs, DPIAs, and prior consultation where applicable.
- Keep deletion or return evidence at service end and audit-support evidence showing the processor made compliance information available.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 28](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 28 sets processor-selection requirements and mandatory processor-contract terms, including instructions, subprocessors, assistance, deletion or return, and audits.
- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance says processing agreements should include concrete information on how GDPR requirements and security levels will be met.

### [When is it joint controllership instead of a processor relationship?](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md#when-is-it-joint-controllership-instead-of-a-processor-relationship)

*Module: [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md)*

Joint controllership exists where two or more parties jointly determine the purposes and means of the same processing. The EDPB explains that joint participation may come from a common decision or from converging decisions that complement each other and are necessary for the processing in a way that has a tangible impact on purposes and means.

- Use Article 26 when parties jointly determine purposes and means; do not force the relationship into Article 28 if both parties make controller-level decisions.
- Allocate rights handling, privacy information, security, breach notification, DPIAs, processor use, transfers, and authority communications where those issues are relevant to the joint processing.
- Make the arrangement reflect the real roles and relationships, not only a preferred contracting model.
- Keep the internal allocation evidence, because the EDPB treats that analysis as part of accountability documentation.
- Remember that an Article 26 arrangement allocates tasks between joint controllers but does not prevent data subjects from contacting either controller.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 26](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 26 defines joint-controller arrangements, responsibilities, data-subject access to the arrangement essence, and rights against each joint controller.
- [EDPB guidelines on controller and processor concepts](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines_en?ref=sorena.io) - The captured EDPB 07/2020 guidance explains common and converging decisions, practical allocation of joint-controller duties, and recommended documentation.

## FAQ Pagination

- Canonical index (page 1): [/artifacts/eu/general-data-protection-regulation/faq/items](/artifacts/eu/general-data-protection-regulation/faq/items.md)
- Current page: 1 of 2

Pages: [1](/artifacts/eu/general-data-protection-regulation/faq/items.md) | [2](/artifacts/eu/general-data-protection-regulation/faq/items/page/2.md)

[Next page](/artifacts/eu/general-data-protection-regulation/faq/items/page/2.md)

*Recommended next step*

## Use this EU GDPR FAQ as a source-linked triage aid

Sorena can help convert GDPR scope, role, lawful-basis, rights, DPIA, breach, transfer, and penalty questions into cited records and implementation tasks.

- [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about GDPR scope, roles, lawful basis, rights, DPIAs, breaches, transfers, and Article 83 fines using the cited sources on this page.
- [Talk through implementation](/contact.md): Review your GDPR scope, role, lawful-basis, rights, DPIA, breach, transfer, and evidence gaps with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/items
