---
title: "GDPR vs EU Data Act: personal data safeguards and source limits"
canonical_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act"
source_url: "https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act"
author: "Sorena AI"
description: "Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
- "GDPR"
- "EU Data Act"
- "personal data"
- "lawful basis"
- "data subject rights"
- "international transfers"
- "controller processor accountability"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform
[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)
---
# GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
*Artifact Guide* *EU*
## GDPR GDPR vs EU Data Act
Use this comparison to keep personal data issues under GDPR safeguards even when a data-access or data-use workstream also considers the EU Data Act.
The available grounding supports GDPR obligations in detail and supports only limited Data Act identification, so Data Act comparator facts are deliberately source-limited.
This artifact compares GDPR with the EU Data Act only to the extent supported by the retained GDPR grounding folder. Treat GDPR as the controlling workstream for personal data processing, lawful basis, transparency, data-subject rights, controller and processor allocation, security, breach handling, international transfers, and accountability evidence. Treat the Data Act side here as a source-limited comparator, not a complete Data Act implementation guide.
## GDPR vs EU Data Act: what this GDPR-grounded page can compare
Use these rows to keep GDPR obligations intact and to avoid treating unsupported Data Act details as sourced facts.
- **GDPR**: Detailed grounding is available for personal data processing, lawful basis, rights, transfers, security, controller and processor accountability, and records.
- **EU Data Act**: The GDPR grounding folder supports only limited identification of Regulation (EU) 2023/2854 as concerning fairness in access to and use of data.
| Dimension | GDPR | EU Data Act | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope boundary | Covers processing of personal data, including information relating to an identified or identifiable natural person. | Source-limited here to the Data Act's identification as Regulation (EU) 2023/2854 on fairness in access to and use of data. | If personal data is involved, run the GDPR analysis even if another data-access or data-use regime is also being considered. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports treating personal data processing as the GDPR trigger.
[CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports limited identification of Regulation (EU) 2023/2854. |
| Covered actors | Requires role allocation for controllers, joint controllers, processors, representatives where relevant, DPO tasks where applicable, processor contracts, RoPA, security, breach, DPIA, and accountability records. | This folder does not ground Data Act actor allocation beyond the limited Regulation (EU) 2023/2854 identification. | Do not let a Data Act project label obscure who determines purposes and means for personal data or who processes on documented instructions. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports determining controller and processor roles from personal-data processing facts.
[Irish DPC guidance on Records of Processing Activities](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports practical RoPA evidence for accountability.
[CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Does not ground detailed Data Act actor allocation. |
| Trigger | Requires a lawful basis for each processing purpose and accountability evidence for lawfulness, fairness, transparency, purpose limitation, minimisation, accuracy, storage limitation, integrity, and confidentiality. | No Data Act lawful-basis substitute is grounded in this folder. | Do not rely on a data-access or data-sharing rationale until the GDPR basis and purpose are recorded. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the need to document GDPR lawfulness and accountability before processing.
[CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Used only to identify the limited Data Act comparator source available in this folder. |
| Core obligations | Requires transparent information and data-subject rights handling, including access, rectification, erasure, restriction, portability, objection, and automated-decision safeguards where applicable. | This folder does not ground Data Act request procedures, response windows, or recipient workflows. | Keep GDPR rights intake and fulfilment separate from any Data Act request queue unless a Data Act-specific source set supports integration. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping GDPR rights obligations intact.
[CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Does not ground Data Act request procedures; included to show the comparator source limit. |
| Evidence record | Requires a Chapter V transfer basis or safeguard when personal data is transferred to a third country or international organisation. | No Data Act transfer safeguard rule is grounded in this folder. | Use GDPR transfer records, SCCs, adequacy, and supplementary-measures analysis where personal data crosses borders. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports Chapter V transfer controls.
[CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Does not ground Data Act transfer safeguards; included to show the comparator source limit.
[European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports SCCs as a GDPR transfer safeguard in relevant cases. |
| Timing and deadlines | GDPR grounding supports supervisory authorities, corrective powers, data-subject remedies, compensation, and administrative fines under GDPR. | No Data Act competent-authority procedure or penalty variant is grounded in this folder. | For this artifact, escalate GDPR issues through privacy governance and supervisory-authority readiness; do not invent Data Act enforcement details. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR supervisory authority and enforcement readiness.
[CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Does not ground Data Act enforcement or penalty detail. |
| Enforcement | The GDPR gives supervisory authorities powers to monitor application, handle complaints, investigate, and impose corrective measures, including suspension of data flows or administrative fines where needed. | This folder does not ground Data Act enforcement bodies, remedies, or penalty scales. | If the issue is about personal data enforcement, route it through the GDPR authority first and only add Data Act enforcement steps from Data Act-specific sources. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports supervisory authority enforcement powers and complaint handling.
[CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports limited identification of Regulation (EU) 2023/2854. |
| Overlap and reuse | The GDPR analysis can still run even when another EU data regime is also relevant, and the same factual workflow may need a separate lawfulness, transfer, or security review. | This folder only identifies the Data Act at a high level and does not support reuse of Data Act conclusions for personal data questions. | Use shared facts, not shared conclusions: the same event may trigger both regimes, but GDPR findings do not automatically answer Data Act questions and vice versa. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports separating GDPR accountability from other regulatory workstreams.
[CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports only limited identification of Regulation (EU) 2023/2854. |
| Practical decision rule | Start with GDPR if any personal data is present, because the GDPR provides the grounded rules here for scope, lawful basis, rights, transfers, security, and accountability. | Treat the Data Act side as a cue to check whether a separate source set is needed; this folder does not ground the full Data Act rule set. | If the fact pattern contains personal data, document the GDPR decision first and only then layer in Data Act work from Data Act-specific sources. | [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR-first decision rule when personal data is involved.
[CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports the limited Data Act comparator reference available in this folder. |
Sources for Scope boundary - GDPR:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR scope and personal data definition.
- Quote: "identified or identifiable natural person"
Sources for Scope boundary - EU Data Act:
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports limited identification of Regulation (EU) 2023/2854.
- Quote: "Regulation (EU) 2023/2854"
Sources for Scope boundary - operational implication:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports treating personal data processing as the GDPR trigger.
- Quote: "processing of personal data"
Sources for Covered actors - GDPR:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports controller, processor, record, security, breach, DPIA, DPO, and accountability obligations.
- Quote: "controller or processor"
- [Irish DPC guidance on Records of Processing Activities](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports practical RoPA evidence for accountability.
- Quote: "under Article 30 GDPR"
Sources for Covered actors - EU Data Act:
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Does not ground detailed Data Act actor allocation.
- Quote: "Regulation (EU) 2023/2854"
Sources for Covered actors - operational implication:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports determining controller and processor roles from personal-data processing facts.
- Quote: "purposes and means"
Sources for Trigger - GDPR:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports Article 5 principles and Article 6 lawful processing.
- Quote: "Lawfulness of processing"
Sources for Trigger - EU Data Act:
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Used only to identify the limited Data Act comparator source available in this folder.
- Quote: "fairness in access to and use of data"
Sources for Trigger - operational implication:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the need to document GDPR lawfulness and accountability before processing.
- Quote: "be able to demonstrate compliance"
Sources for Core obligations - GDPR:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR Chapter III rights and transparent information duties.
- Quote: "rights of the data subject"
Sources for Core obligations - EU Data Act:
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Does not ground Data Act request procedures; included to show the comparator source limit.
- Quote: "Regulation (EU) 2023/2854"
Sources for Core obligations - operational implication:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports keeping GDPR rights obligations intact.
- Quote: "Transparent information"
Sources for Evidence record - GDPR:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports Chapter V transfer controls.
- Quote: "transfer of personal data"
Sources for Evidence record - EU Data Act:
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Does not ground Data Act transfer safeguards; included to show the comparator source limit.
- Quote: "Regulation (EU) 2023/2854"
Sources for Evidence record - operational implication:
- [European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports SCCs as a GDPR transfer safeguard in relevant cases.
- Quote: "appropriate data protection safeguards"
Sources for Timing and deadlines - GDPR:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR remedies, liability, and administrative fine provisions.
- Quote: "administrative fines"
Sources for Timing and deadlines - EU Data Act:
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Does not ground Data Act enforcement or penalty detail.
- Quote: "Regulation (EU) 2023/2854"
Sources for Timing and deadlines - operational implication:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR supervisory authority and enforcement readiness.
- Quote: "supervisory authority"
Sources for Enforcement - GDPR:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports suspension of data flows and administrative fines.
- Quote: "suspension of data flows"
Sources for Enforcement - EU Data Act:
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports limited identification of Regulation (EU) 2023/2854.
- Quote: "Regulation (EU) 2023/2854"
Sources for Enforcement - operational implication:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports supervisory authority enforcement powers and complaint handling.
- Quote: "handle complaints lodged by a data subject"
Sources for Overlap and reuse - GDPR:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR trigger, accountability, and transfer controls that remain applicable even with overlapping workflows.
- Quote: "processing of personal data"
Sources for Overlap and reuse - EU Data Act:
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports only limited identification of Regulation (EU) 2023/2854.
- Quote: "Regulation (EU) 2023/2854"
Sources for Overlap and reuse - operational implication:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports separating GDPR accountability from other regulatory workstreams.
- Quote: "be able to demonstrate compliance"
Sources for Practical decision rule - GDPR:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR scope and personal data definition.
- Quote: "identified or identifiable natural person"
Sources for Practical decision rule - EU Data Act:
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports the limited Data Act comparator reference available in this folder.
- Quote: "fairness in access to and use of data"
Sources for Practical decision rule - operational implication:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports the GDPR-first decision rule when personal data is involved.
- Quote: "processing of personal data"
### How should teams use this comparison?
- If the data is personal data, start with GDPR and record the lawful basis, purpose, rights route, transfer mechanism, and accountable role.
- Use the Data Act side only as a source-limited prompt that another data-use regime may need review.
- Do not make Data Act actor, deadline, authority, penalty, switching, or access-procedure decisions from this GDPR-grounded artifact.
- Add a Data Act-specific source set before combining implementation controls or customer-facing commitments.
Sources for the practical decision rule:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary source for the GDPR-first decision rule when personal data is involved.
- Quote: "protection of personal data"
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports the limited Data Act comparator reference available in this folder.
- Quote: "fairness in access to and use of data"
## Use GDPR controls whenever personal data is in the fact pattern
GDPR applies to processing of personal data and defines both personal data and processing broadly. If a connected product, service, data-sharing request, contract, support workflow, analytics feature, or export contains information relating to an identified or identifiable natural person, the GDPR analysis should run before any reuse of Data Act evidence.
The available Data Act grounding in this folder supports identifying Regulation (EU) 2023/2854 as a regulation on fairness in access to and use of data. It does not support detailed Data Act actor, deadline, procedure, or penalty claims in this artifact.
- Separate personal data from non-personal data before assigning owners or reusing evidence.
- Record the GDPR lawful basis, purpose, data categories, data-subject rights channel, transfer mechanism, and controller or processor role.
- Use Data Act labels on this page only for the limited comparator point that another EU data-use regime may be relevant.
- Escalate to a Data Act-specific source set before making Data Act product, contract, access, switching, authority, or penalty decisions.
Sources for this answer:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR scope, personal data definitions, lawful processing, rights, security, transfers, and accountability.
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Source-limited support that Regulation (EU) 2023/2854 concerns fairness in access to and use of data.
## Keep lawful basis, rights, and accountability separate from Data Act analysis
A Data Act workstream does not supersede GDPR Article 6 lawful-basis analysis, transparency duties, data-subject rights handling, processor terms, security controls, or breach documentation. Each processing purpose still needs its own GDPR basis and evidence.
For controller and processor accountability, maintain a record that shows who determines purposes and means, who processes on documented instructions, which processor terms apply, and how data-subject requests reach the accountable controller.
- For each data-use scenario, name the GDPR processing purpose before discussing data sharing.
- Store lawful-basis reasoning beside privacy notice text and data-subject request handling steps.
- Keep controller, joint-controller, and processor decisions tied to the actual purposes and means of processing.
- Use RoPA entries to link purposes, categories of data subjects, categories of personal data, recipients, transfers, retention, and security measures.
Sources for this answer:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports lawful basis, transparency, data-subject rights, controller and processor duties, and accountability.
- [Irish DPC guidance on Records of Processing Activities](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports RoPA as practical accountability evidence for Article 30 processing records.
## Preserve transfer safeguards when data-sharing crosses borders
If a data-access, recipient, vendor, cloud, support, or analytics path sends personal data outside the EU/EEA or to an international organisation, keep the GDPR Chapter V transfer analysis separate from any Data Act comparison.
The Commission SCC source in the grounding folder supports SCCs as a GDPR transfer safeguard for transfers from EU/EEA controllers or processors to third-country controllers or processors in the relevant circumstances. This artifact does not add Data Act transfer rules because the folder does not ground them.
- Identify exporter, importer, roles, destination, categories of personal data, and onward-transfer points.
- Attach the transfer mechanism, SCC module or adequacy basis, and any supplementary-measures assessment to the processing record.
- Do not treat a Data Act access or sharing label as a substitute for GDPR transfer safeguards.
- Reassess transfers when recipients, hosting locations, support models, subprocessors, or government-access risk facts change.
Sources for this answer:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports Chapter V transfer requirements for personal data sent to third countries or international organisations.
- [European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports SCCs as Commission-preapproved GDPR contractual safeguards for certain international transfers.
## Evidence to keep when both regimes may be discussed
The safest comparison output is a two-column evidence record: GDPR evidence in one column and source-limited Data Act notes in the other. Do not merge them into one generic data-governance decision.
For GDPR, keep records that can show compliance to privacy, security, legal, product, procurement, support, and audit reviewers without relying on unsupported Data Act assumptions.
- GDPR scope note: personal data, processing operation, data subjects, purposes, recipients, and systems.
- GDPR safeguard note: lawful basis, notice, rights route, security measures, breach workflow, retention, and transfer mechanism.
- Role note: controller, joint controller, processor, subprocessors, and contract or arrangement evidence.
- Data Act note: limited to the grounded statement that Regulation (EU) 2023/2854 concerns fairness in access to and use of data, unless a Data Act-specific source set is added.
Sources for this answer:
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Supports GDPR accountability, records, rights, security, breach, and transfer evidence categories.
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports only limited identification of the Data Act/Data Regulation in this GDPR grounding folder.
*Recommended next step*
*Placement: before sources*
## Turn this comparison into a personal-data evidence record
Sorena can help map each data-use scenario to GDPR scope, lawful basis, rights, transfers, and accountability evidence while flagging where Data Act-specific source work is still needed.
- [Open Research Copilot for GDPR](/solutions/research-copilot.md): Ask source-linked questions about GDPR scope, lawful basis, data-subject rights, transfer safeguards, and accountability evidence.
- [Talk through GDPR and Data Act overlap](/contact.md): Review where personal data safeguards apply and where a Data Act-specific source set is needed before implementation decisions.
## Primary sources
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary source for the GDPR-first decision rule when personal data is involved.
- Quote: "protection of personal data"
- [CJEU fact sheet - Protection of personal data](https://curia.europa.eu?ref=sorena.io) - Supports the limited Data Act comparator reference available in this folder.
- Quote: "fairness in access to and use of data"
- [European Commission - Standard Contractual Clauses](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Supports SCCs as a GDPR transfer safeguard in relevant cases.
- Quote: "appropriate data protection safeguards"
- [Irish DPC guidance on Records of Processing Activities](https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Records%20of%20Processing%20Activities%20%28RoPA%29%20under%20Article%2030%20GDPR.pdf?ref=sorena.io) - Supports practical RoPA evidence for accountability.
- Quote: "under Article 30 GDPR"
## Related Topic Guides
- [Does the EU GDPR apply outside the EU under Article 3?](/artifacts/eu/general-data-protection-regulation/faq/territorial-scope.md): A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
- [EU GDPR Applicability Test for Products, Vendors, and Data Flows](/artifacts/eu/general-data-protection-regulation/applicability-test.md): A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
- [EU GDPR Article 30 RoPA Intake Workflow](/artifacts/eu/general-data-protection-regulation/ropa-intake-workflow.md): Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
- [EU GDPR Article 6 Legal Bases FAQ](/artifacts/eu/general-data-protection-regulation/faq/legal-bases.md): FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
- [EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence](/artifacts/eu/general-data-protection-regulation/automated-decision-making-and-profiling.md): source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
- [EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow](/artifacts/eu/general-data-protection-regulation/breach-notification-72-hours.md): Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
- [EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records](/artifacts/eu/general-data-protection-regulation/breach-notification-workflow.md): A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
- [EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/checklist.md): Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
- [EU GDPR Children and Special-Category Data Guide](/artifacts/eu/general-data-protection-regulation/children-and-special-categories.md): source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
- [EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers](/artifacts/eu/general-data-protection-regulation/compliance.md): Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
- [EU GDPR Controller, Processor, and Joint Controller Roles](/artifacts/eu/general-data-protection-regulation/controller-processor-and-joint-controller-roles.md): source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
- [EU GDPR Data Subject Rights and DSAR Workflow](/artifacts/eu/general-data-protection-regulation/data-subject-rights-and-dsar-workflow.md): source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
- [EU GDPR deadlines and compliance calendar](/artifacts/eu/general-data-protection-regulation/deadlines-and-compliance-calendar.md): source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
- [EU GDPR DPIA and Prior Consultation Workflow](/artifacts/eu/general-data-protection-regulation/dpia-and-prior-consultation-workflow.md): Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
- [EU GDPR DPIA and risk management under Articles 35 and 36](/artifacts/eu/general-data-protection-regulation/dpia-and-risk-management.md): EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
- [EU GDPR DSAR Exceptions: refusal, extensions, identity checks](/artifacts/eu/general-data-protection-regulation/faq/dsar-exceptions.md): FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
- [EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence](/artifacts/eu/general-data-protection-regulation/dsar-workflow.md): Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
- [EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers](/artifacts/eu/general-data-protection-regulation/faq.md): Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
- [EU GDPR International Transfers and SCCs: Chapter V evidence guide](/artifacts/eu/general-data-protection-regulation/international-transfers-and-sccs.md): source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
- [EU GDPR Lawful Basis and Consent Guide](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-consent.md): Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
- [EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lawful-basis-and-lia-workflow.md): Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
- [EU GDPR Lead Supervisory Authority and One-Stop-Shop](/artifacts/eu/general-data-protection-regulation/lead-authority-and-one-stop-shop.md): How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
- [EU GDPR LIA Template for Article 6(1)(f)](/artifacts/eu/general-data-protection-regulation/lia-template.md): Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
- [EU GDPR penalties and fines: Article 83 tiers and evidence](/artifacts/eu/general-data-protection-regulation/penalties-and-fines.md): EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
- [EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide](/artifacts/eu/general-data-protection-regulation/processor-contracts-and-vendor-management.md): EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
- [EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields](/artifacts/eu/general-data-protection-regulation/record-of-processing-activities-template.md): Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
- [EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers](/artifacts/eu/general-data-protection-regulation/requirements.md): Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
- [EU GDPR Retention and Erasure Schedule](/artifacts/eu/general-data-protection-regulation/retention-and-erasure-schedule.md): Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
- [EU GDPR SCC Transfer Impact Assessment FAQ](/artifacts/eu/general-data-protection-regulation/faq/scc-transfer-impact-assessment.md): source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
- [EU GDPR Transfer TIA and SCC Workflow](/artifacts/eu/general-data-protection-regulation/transfer-tia-and-scc-workflow.md): A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
- [EU GDPR Transparency Notices: Articles 12, 13 and 14](/artifacts/eu/general-data-protection-regulation/transparency-notices.md): Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
- [EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps](/artifacts/eu/general-data-protection-regulation/gdpr-vs-lgpd.md): Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
- [EU GDPR vs California CCPA: grounded GDPR comparison limits](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ccpa.md): Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
- [EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications](/artifacts/eu/general-data-protection-regulation/gdpr-vs-eprivacy.md): Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
- [EU GDPR vs UK GDPR: source-limited compliance comparison](/artifacts/eu/general-data-protection-regulation/gdpr-vs-uk-gdpr.md): Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
- [GDPR processor vs controller: role boundaries and evidence](/artifacts/eu/general-data-protection-regulation/faq/processor-vs-controller.md): Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
- [GDPR vs EU AI Act: privacy controls for AI systems](/artifacts/eu/general-data-protection-regulation/gdpr-vs-ai-act.md): Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
- [When does the EU GDPR require a DPIA?](/artifacts/eu/general-data-protection-regulation/faq/dpia-threshold.md): Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
- [When does the GDPR 72-hour breach notification clock start?](/artifacts/eu/general-data-protection-regulation/faq/breach-awareness-clock.md): GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.
---
[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)
(c) 2026 Sorena AB (559573-7338). All rights reserved.
Source: https://www.sorena.io/artifacts/eu/general-data-protection-regulation/gdpr-vs-data-act