---
title: "EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers"
canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/items/page/2"
author: "Sorena AI"
description: "Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "EU GDPR FAQ"
  - "GDPR scope"
  - "lawful basis"
  - "data subject rights"
  - "DPIA"
  - "breach notification"
  - "international transfers"
  - "controller processor"
  - "Article 83 fines"
  - "EU GDPR"
  - "GDPR FAQ"
  - "scope"
---

# EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers

Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.

*Artifact Guide* *EU*

## EU GDPR Frequently asked questions

Answers to recurring GDPR questions about territorial scope, controller and processor roles, lawful basis, rights requests, DPIAs, breach notification, transfer mechanisms, and penalty tiers.

Each answer stays at EU-level GDPR grounding and avoids national procedures, derogations, or authority-specific variants unless the cited source supports them.

Use this EU GDPR FAQ for source-linked answers to core GDPR implementation questions: when GDPR applies, how to separate controller and processor duties, which lawful basis to record, how rights requests work, when a DPIA or breach notice is triggered, what transfer safeguards are available, and how Article 83 fine tiers are framed.

## Browse sub-FAQ modules

### [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md)

A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.

- 4 items

### [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md)

FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.

- 5 items

### [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md)

FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.

- 5 items

### [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md)

Source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.

- 3 items

### [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md)

Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.

- 4 items

### [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md)

Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.

- 4 items

### [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md)

GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.

- 4 items

Browse all indexed questions: [/artifacts/eu/general-data-protection-regulation/faq/items](/artifacts/eu/general-data-protection-regulation/faq/items.md)

## All FAQ items

*Page 2 of 2. Showing 9 of 29 items.*

### [What evidence should teams keep for the role decision?](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md#what-evidence-should-teams-keep-for-the-role-decision)

*Module: [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md)*

Keep evidence at processing-activity level. A useful role file shows the purpose, essential means, party responsibilities, instructions, contract or arrangement, relevant records of processing, and the trigger for reassessing the label.

- Role assessment showing who decides the purpose and essential means for the specific processing activity.
- Article 28 contract or legal act, documented instructions, subprocessor approvals, assistance logs, deletion or return record, and audit evidence for processor relationships.
- Article 26 arrangement, responsibility allocation, contact point if designated, and published essence evidence for joint-controller relationships.
- Controller RoPA entry with purposes, data-subject categories, personal-data categories, recipients, transfers, retention where possible, and Article 32 measure description where possible.
- Processor RoPA entry with each controller on whose behalf the processor acts, processing categories for each controller, transfers where applicable, and security-measure description where possible.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 30](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 30 distinguishes the controller's own records from the processor's records of processing carried out on behalf of controllers.
- [Irish Data Protection Commission guidance on RoPA under Article 30](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - The DPC guidance explains controller and processor RoPA content, standalone record quality, and the need to make records available to the supervisory authority on request.

### [Short answer: when is a DPIA mandatory under EU GDPR Article 35?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md#short-answer-when-is-a-dpia-mandatory-under-eu-gdpr-article-35)

*Module: [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md)*

A DPIA is mandatory when the planned processing is likely to result in a high risk to individuals. Article 35 says the controller must assess the impact before the processing starts, especially where new technologies are used and the nature, scope, context, and purposes of the operation make the risk high.

- Treat the controller as accountable for the DPIA threshold decision, even where a processor or vendor provides inputs.
- Run the threshold check before launch and again when the risk represented by the processing changes.
- Use one DPIA for a set of similar processing operations only where they present similar high risks.
- If the assessment shows residual high risk without measures to mitigate it, escalate to prior consultation under Article 36.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 35](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 35 sets the core DPIA threshold, timing, Article 35(3) trigger examples, review duty, and minimum DPIA content.
- [Irish Data Protection Commission guidance on DPIAs](https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments?ref=sorena.io) - The DPC guidance explains Article 35 DPIA triggers, WP29 high-risk criteria, reuse of similar DPIAs, lifecycle timing, and documentation expectations.

### [How should the high-risk threshold be checked?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md#how-should-the-high-risk-threshold-be-checked)

*Module: [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md)*

Start with the three Article 35(3) cases, then test the broader high-risk criteria described in DPIA guidance: evaluation or scoring, automated decisions with legal or similar significant effects, systematic monitoring, sensitive or criminal-offence data, large scale, matched or combined datasets, vulnerable people, innovative technology, cross-border transfers outside the EU, and processing that prevents people from exercising a right or using a service or contract.

- Describe the processing operation, not just the product name or vendor system.
- Record which Article 35(3) case or high-risk criteria are present, absent, or uncertain.
- For large-scale processing, document the number or proportion of people affected, data volume and variety, duration or permanence, and geographic extent.
- Check whether data subjects include children, employees, patients, asylum seekers, elderly people, or another group with a power imbalance or special vulnerability.
- Escalate borderline cases where multiple criteria are present, the technology is novel, or people cannot reasonably avoid the processing.

Sources for this answer:

- [Irish Data Protection Commission guidance on DPIAs](https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments?ref=sorena.io) - The DPC guidance lists high-risk criteria from the Article 29 Working Party DPIA guidance, including scale factors and the two-criteria rule of thumb.
- [Regulation (EU) 2016/679 (GDPR), Article 35](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 35(3) names three processing cases where a DPIA is required in particular.

### [How should supervisory-authority list references be used?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md#how-should-supervisory-authority-list-references-be-used)

*Module: [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md)*

Article 35(4) requires each supervisory authority to establish and publish a list of processing operations that are subject to the DPIA requirement, and Article 35(5) allows a supervisory authority to publish a list of operations for which no DPIA is required. Use those lists as a jurisdiction-specific check only where the relevant list is actually available and applicable to the processing operation.

- Identify the competent supervisory authority before relying on a DPIA-required or no-DPIA list.
- Record the list entry, the processing facts that match it, and any conditions or limits stated in the list.
- Where processing involves several Member States or behavioural monitoring across Member States, flag that Article 35 list issues may involve GDPR consistency-mechanism considerations.
- Where no cited source grounds a specific national list entry, stay at Article 35 list mechanics rather than naming that entry.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 35](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 35(4) and 35(5) require or permit supervisory-authority lists for processing operations that do or do not require a DPIA.
- [Irish Data Protection Commission guidance on DPIAs](https://www.dataprotection.ie/en/organisations/know-your-obligations/data-protection-impact-assessments?ref=sorena.io) - The DPC guidance explains that a no-DPIA list applies only where the processing falls strictly within the listed procedure and requirements.

### [What must the DPIA contain once the threshold is met?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md#what-must-the-dpia-contain-once-the-threshold-is-met)

*Module: [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md)*

If the threshold is met, Article 35(7) requires the DPIA to contain at least four elements: a systematic description of the envisaged processing and purposes, an assessment of necessity and proportionality, an assessment of risks to data subjects' rights and freedoms, and the measures envisaged to address those risks and demonstrate GDPR compliance.

- Keep the nature, scope, context, purposes, personal data, recipients, retention periods, functional description, and supporting assets in the DPIA file.
- Document necessity and proportionality against the purpose, lawful basis, data minimization, storage limits, transparency, data-subject rights, processor controls, and transfer safeguards.
- Assess risk from the perspective of affected individuals, including severity, likelihood, risk sources, and impacts such as illegitimate access, unwanted change, or disappearance of data.
- Record safeguards, security measures, corrective actions, residual risk, DPO advice where a DPO is designated, and views of data subjects or representatives where appropriate.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 35](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 35(7) defines the minimum contents of a GDPR DPIA.
- [CNIL Privacy Impact Assessment methodology](https://www.cnil.fr/en/privacy-impact-assessments-cnil-publishes-its-pia-manual?ref=sorena.io) - CNIL's methodology and templates provide grounded DPIA record categories that map to Article 35(7), DPO advice, and data-subject views.

### [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md#when-does-the-gdpr-72-hour-breach-notification-clock-start)

*Module: [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md)*

Do not start the Article 33 clock from every raw security alert. The EDPB says a controller becomes aware when it has a reasonable degree of certainty that a security incident has occurred and has led to personal data being compromised.

- Record the first alert, who received it, and why it was or was not immediately enough to establish a personal data breach.
- Record the awareness timestamp separately: the point when the controller had reasonable certainty that personal data was compromised.
- Assess whether the breach is unlikely to result in a risk to rights and freedoms; unless that exception applies, prepare supervisory-authority notification without undue delay and, where feasible, within 72 hours after awareness.
- Keep the Article 34 high-risk assessment separate from the Article 33 authority notification threshold; communication to data subjects is triggered by likely high risk.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 33](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 33 sets the controller's supervisory-authority notification duty, the 72-hour timing after awareness, the risk exception, delayed-notification reasons, processor escalation, phased information, and breach documentation duty.
- [EDPB Guidelines 9/2022 on personal data breach notification](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - EDPB guidance explains that awareness requires a reasonable degree of certainty that a security incident occurred and personal data was compromised.

### [What should happen when a processor finds the breach first?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md#what-should-happen-when-a-processor-finds-the-breach-first)

*Module: [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md)*

A processor that becomes aware of a personal data breach affecting personal data processed for a controller must notify the controller without undue delay. The processor does not decide the Article 33 risk threshold for the controller before escalating.

- Processor record: when the processor became aware, when it notified the controller, affected services, affected personal data, and facts still unknown.
- Controller intake record: when the controller received processor notice, whether that notice gave reasonable certainty of a personal data breach, and who opened the Article 33 assessment.
- Contract check: whether the controller-processor arrangement specifies early breach notice, phased updates, and any authority-notification support.
- Multi-controller incident check: whether the processor must report details to each affected controller.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 33(2)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 33(2) requires processors to notify controllers without undue delay after becoming aware of a personal data breach.
- [EDPB Guidelines 9/2022 on personal data breach notification](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - EDPB guidance explains that the processor need only establish that a breach occurred before notifying the controller, while the controller performs the risk assessment.

### [What if the controller cannot complete everything within 72 hours?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md#what-if-the-controller-cannot-complete-everything-within-72-hours)

*Module: [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md)*

The GDPR allows notification information to be provided in phases when it is not possible to provide all information at the same time. The first notice should say what is known, what is not yet known, and that more information will follow without undue further delay.

- Minimum notification content: nature of the breach, affected data-subject and record categories where possible, DPO or contact point, likely consequences, and measures taken or proposed.
- Phased-update log: missing facts, owner for each investigation item, next update trigger, and later information sent to the supervisory authority.
- Delay record: why notification exceeded 72 hours, when each material fact became available, and why the delay was not excessive.
- Bundling check: only group similar breaches over a short period when that gives a meaningful notification; different data or breach types should be assessed separately.

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 33(3)-(4)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 33 lists minimum notification content and permits phased information where it is not possible to provide all information at the same time.
- [EDPB Guidelines 9/2022 on personal data breach notification](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - EDPB guidance explains phased notification, delayed-notification reasons, and the limited use of bundled notifications for similar breaches.

### [Which records prove the breach-clock decision?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md#which-records-prove-the-breach-clock-decision)

*Module: [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md)*

Article 33(5) requires the controller to document personal data breaches, including the facts, effects, and remedial action. The record must allow a supervisory authority to verify compliance with Article 33.

- Timeline: first alert, investigation start, awareness point, risk assessment, notification decision, authority submission, phased updates, and closure.
- Facts: breach type, cause, affected systems, affected personal data, affected data subjects, known or approximate volumes, and whether data remained intelligible.
- Effects and risk: likely consequences, likelihood and severity assessment, high-risk data-subject communication decision, and reviewer approvals.
- Remedial action: containment, recovery, mitigation steps, communications sent, processor updates, authority correspondence, and lessons learned.
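The four breach-clock answers above (awareness point versus first alert, processor escalation, phased notification, and the Article 33(5) record) describe one decision procedure. The following is an added example, not code from Sorena or from any cited authority, showing how an internal breach register entry can carry those timestamps and derive the clock facts a reviewer checks: the 72-hour point counted from awareness rather than from the raw alert, whether the risk exception or the Article 34 high-risk trigger applies, whether a phased update is outstanding, and whether a delay record is needed. The record structure, field names and the sample timeline are all constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Article 33(1): notify the supervisory authority without undue delay and,
# where feasible, not later than 72 hours after becoming aware of the breach.
ARTICLE_33_WINDOW = timedelta(hours=72)
UTC = timezone.utc


@dataclass
class BreachRecord:
    """One entry of an internal breach register (hypothetical structure)."""
    reference: str
    first_alert_at: datetime                        # raw alert; does not start the clock
    awareness_at: Optional[datetime] = None         # reasonable certainty personal data was compromised
    processor_notice_at: Optional[datetime] = None  # Article 33(2) notice from a processor, if any
    authority_notified_at: Optional[datetime] = None
    unlikely_to_result_in_risk: bool = False        # Article 33(1) exception, decided by the controller
    likely_high_risk: bool = False                  # Article 34 data-subject communication trigger
    unknown_facts: List[str] = field(default_factory=list)  # open items that drive phased updates
    delay_reasons: str = ""                         # reasons required when notice exceeds 72 hours


def notification_deadline(record: BreachRecord) -> Optional[datetime]:
    """72-hour point counted from awareness, never from the first alert."""
    if record.awareness_at is None:
        return None
    return record.awareness_at + ARTICLE_33_WINDOW


def deadline_iso(record: BreachRecord) -> Optional[str]:
    """ISO-8601 rendering of the deadline, for register exports."""
    deadline = notification_deadline(record)
    return None if deadline is None else deadline.isoformat()


def assess_breach_clock(record: BreachRecord, as_of: datetime) -> dict:
    """Derive the clock facts a reviewer would verify from one register entry."""
    findings: List[str] = []
    result = {
        "reference": record.reference,
        "deadline": notification_deadline(record),
        "hours_alert_to_awareness": None,
        "authority_notification_required": not record.unlikely_to_result_in_risk,
        "data_subject_communication_required": record.likely_high_risk,
        "phased_update_required": bool(record.unknown_facts),
        "within_72h": None,
        "delay_record_required": False,
        "findings": findings,
    }
    if record.awareness_at is None:
        findings.append("awareness not established; clock not running, keep triage notes")
        return result
    if record.awareness_at < record.first_alert_at:
        findings.append("awareness timestamp precedes first alert; check the timeline")
    result["hours_alert_to_awareness"] = (record.awareness_at - record.first_alert_at) / timedelta(hours=1)
    if record.processor_notice_at is not None and record.awareness_at < record.processor_notice_at:
        findings.append("controller awareness recorded before processor notice; confirm intake record")
    if not result["authority_notification_required"]:
        findings.append("risk exception relied on; document the reasons for non-notification")
        return result
    deadline = result["deadline"]
    if record.authority_notified_at is None:
        if as_of > deadline:
            result["within_72h"] = False
            result["delay_record_required"] = True
            findings.append("72 hours elapsed without authority notification")
        return result
    late = record.authority_notified_at > deadline
    result["within_72h"] = not late
    if late:
        result["delay_record_required"] = True
        if not record.delay_reasons.strip():
            findings.append("notification exceeded 72 hours but no delay reasons recorded")
    if record.unknown_facts:
        findings.append("phased notification outstanding: " + ", ".join(record.unknown_facts))
    return result


# Constructed sample timelines (not taken from any real incident).
SAMPLE = BreachRecord(
    reference="BR-EXAMPLE-0001",
    first_alert_at=datetime(2026, 5, 1, 9, 0, tzinfo=UTC),
    processor_notice_at=datetime(2026, 5, 1, 15, 0, tzinfo=UTC),
    awareness_at=datetime(2026, 5, 2, 10, 0, tzinfo=UTC),
    authority_notified_at=datetime(2026, 5, 4, 16, 0, tzinfo=UTC),
    likely_high_risk=True,
    unknown_facts=["approximate number of affected data subjects"],
)
LATE_SAMPLE = BreachRecord(
    reference="BR-EXAMPLE-0002",
    first_alert_at=datetime(2026, 5, 1, 9, 0, tzinfo=UTC),
    awareness_at=datetime(2026, 5, 1, 12, 0, tzinfo=UTC),
    authority_notified_at=datetime(2026, 5, 5, 12, 0, tzinfo=UTC),
)
REVIEW_TIME = datetime(2026, 5, 6, 0, 0, tzinfo=UTC)

if __name__ == "__main__":
    for entry in (SAMPLE, LATE_SAMPLE):
        print(assess_breach_clock(entry, as_of=REVIEW_TIME))
```

In the first sample the authority notice lands 55 hours after awareness and is on time, even though it is 79 hours after the raw alert; that gap is exactly why the page tells you to record the awareness timestamp separately from the first alert. The second sample is notified 96 hours after awareness with no delay reasons, so the assessment flags a missing delay record.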

Sources for this answer:

- [Regulation (EU) 2016/679 (GDPR), Article 33(5)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Article 33(5) requires documentation of personal data breach facts, effects, and remedial action so the supervisory authority can verify Article 33 compliance.
- [EDPB Guidelines 9/2022 on personal data breach notification](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under_en?ref=sorena.io) - EDPB guidance recommends an internal breach register and documenting reasons for notification, non-notification, delayed notification, and data-subject communication decisions.

## FAQ Pagination

- Canonical index (page 1): [/artifacts/eu/general-data-protection-regulation/faq/items](/artifacts/eu/general-data-protection-regulation/faq/items.md)
- Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL.
- Current page: 2 of 2

Pages: [1](/artifacts/eu/general-data-protection-regulation/faq/items.md) | [2](/artifacts/eu/general-data-protection-regulation/faq/items/page/2.md)

[Previous page](/artifacts/eu/general-data-protection-regulation/faq/items.md)

*Recommended next step*

## Use this EU GDPR FAQ as a source-linked triage aid

Sorena can help convert GDPR scope, role, lawful-basis, rights, DPIA, breach, transfer, and penalty questions into cited records and implementation tasks.

- [Open Research Copilot for EU GDPR](/solutions/research-copilot.md): Ask source-linked questions about GDPR scope, roles, lawful basis, rights, DPIAs, breaches, transfers, and Article 83 fines using the cited sources on this page.
- [Talk through implementation](/contact.md): Review your GDPR scope, role, lawful-basis, rights, DPIA, breach, transfer, and evidence gaps with Sorena.


---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/faq/items/page/2
