Requirements MapEU GDPR

EU GDPR Requirements

A practical map of the GDPR duties most teams need to operate: scope, Article 5 principles, lawful basis, transparency, rights, security, breach handling, DPIAs, records, processors, and transfers.

Use it to check whether each processing activity has a controller or processor role, a lawful basis, a notice path, a rights workflow, a RoPA entry, security controls, incident routing, and transfer safeguards where needed.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
7

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

The GDPR is not a single checklist. It is a set of connected duties that attach to personal-data processing: decide whether the Regulation applies, identify the controller and processor roles, apply the processing principles, choose and document a lawful basis, give transparent information, enable data-subject rights, keep required records, secure processing, handle breaches, assess high-risk processing, and control transfers outside the EU framework.

Section 1

Scope and role requirements

Start with the processing activity, not the department. GDPR scope depends on whether personal data is processed in a covered context, including material scope under Article 2 and territorial scope under Article 3. For each activity, record the data subjects, personal-data categories, purpose, entity, location, and whether the organisation is acting as controller, joint controller, processor, or both in different parts of the service.

Role classification drives the rest of the work. Controllers decide purposes and means and carry the core accountability burden. Processors process on documented controller instructions and need an Article 28 arrangement. Joint controllers must transparently allocate responsibilities for duties such as information notices and rights handling.

  • Define the processing activity before assigning a GDPR owner.
  • Record whether Article 2 and Article 3 facts bring the activity into GDPR scope.
  • Separate controller, joint-controller, and processor duties when a product has multiple data flows.
  • Check whether a non-EU controller or processor needs an EU representative when Article 3(2) applies.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports the scope and role map through Articles 2, 3, 4, 26, 27, and 28.
Section 2

Principles and lawful basis

Article 5 is the control layer for every GDPR decision. Processing must be lawful, fair, transparent, purpose-limited, data-minimised, accurate, storage-limited, secure, and accountable. Do not treat these as labels; turn each one into a test against the actual data flow.

Article 6 then requires at least one lawful basis for processing. The record should identify the basis, the purpose it supports, the evidence for that basis, and any dependency such as consent withdrawal, contract necessity, legal obligation, public task, vital interests, or legitimate-interest balancing. Special category data and criminal-offence data need additional checks under Articles 9 and 10.

  • Tie each purpose to one Article 6 lawful basis before collection or reuse.
  • Do not use consent as a fallback if another basis actually controls the processing.
  • For legitimate interests, keep the purpose, necessity analysis, and rights-impact balancing together.
  • Check Articles 9 and 10 before processing special-category or criminal-offence data.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports the processing-principle and lawful-basis requirements in Articles 5, 6, 9, and 10.
Section 3

Transparency and data-subject rights

Transparency starts before or at collection when Article 13 applies, and it also covers data obtained from other sources under Article 14. Notices should explain the controller, purposes, lawful bases, recipients, retention logic, transfer safeguards where relevant, rights, complaint routes, and automated decision-making information where applicable.

Rights handling needs an operational workflow, not only a policy page. Article 12 sets communication standards, Articles 15 to 22 define rights such as access, rectification, erasure, restriction, portability, objection, and safeguards around automated decision-making, and Article 34 adds communication duties for high-risk personal-data breaches.

  • Keep notice content aligned with the RoPA and the actual product data flow.
  • Build intake, identity-verification, search, exception review, response, and logging steps for rights requests.
  • Make Article 15 access responses traceable to systems and data categories, including transfer-safeguard information where relevant.
  • Do not hide primary privacy information behind user actions that a data subject may never take.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports notice and rights requirements in Articles 12 to 22 and breach communication duties in Article 34.
Section 4

RoPA and accountability records

Article 30 requires controllers and processors to maintain records of processing activities. A controller RoPA should cover purposes, categories of data subjects and personal data, recipients, transfers, retention time limits where possible, and a general description of Article 32 security measures. Processor records need the categories of processing carried out for each controller, transfer details where applicable, and security-measure descriptions where possible.

The Irish DPC guidance is useful because it explains what makes a RoPA reviewable: keep mandatory Article 30 fields visible, make the record available on request, avoid substituting scattered DPIAs or policies for the RoPA, and assign process owners who maintain entries by business function.

  • Maintain a RoPA entry for each real processing activity, not just each system.
  • Mark Article 30 required fields separately from helpful extra fields.
  • Include transfers, retention, and technical and organisational security measures where they apply.
  • Review RoPA entries when purposes, data categories, recipients, processors, retention, or transfers change.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports the Article 30 record-keeping obligation and its links to transfers and Article 32 security measures.
Irish Data Protection Commission - Records of Processing Activities under Article 30 GDPR
Supports practical RoPA maintenance, required fields, processor records, and making the actual record available to the supervisory authority on request.
Section 5

Security and breach notification

Article 32 requires security appropriate to the risk, including measures such as pseudonymisation and encryption where appropriate, confidentiality, integrity, availability, resilience, restoration capability, and regular testing or evaluation of measures. The right security evidence is therefore risk-specific: data sensitivity, access model, retention, supplier access, backup and recovery, monitoring, and control testing.

Article 33 requires controller notification to the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of a personal-data breach, unless the breach is unlikely to result in a risk to natural persons. Article 34 requires communication to data subjects when the breach is likely to result in high risk, subject to the GDPR's stated conditions.

  • Document the risk assessment that explains why chosen Article 32 measures are appropriate.
  • Require processors to notify controllers without undue delay after becoming aware of a personal-data breach.
  • Keep a breach log with facts, effects, remedial action, notification decision, timing, and reasons for any delay.
  • Separate supervisory-authority notification analysis from data-subject communication analysis.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports Article 32 security, Article 33 supervisory-authority notification, Article 34 data-subject communication, and processor breach notice duties.
Section 6

DPIA and high-risk processing

Article 35 requires a data protection impact assessment where a type of processing is likely to result in a high risk to natural persons, especially with new technologies and considering the nature, scope, context, and purposes of processing. The assessment must describe the processing and purposes, assess necessity and proportionality, assess risks to rights and freedoms, and identify measures to address those risks.

CNIL's PIA methodology grounds the practical structure: define and describe context, analyse controls for fundamental principles, assess privacy risks linked to data security, and formally document validation. Treat a DPIA as a living risk record for the processing activity, not a one-time approval attachment.

  • Screen DPIA need before launching or materially changing high-risk processing.
  • Include necessity, proportionality, rights impact, risk treatment, security controls, and residual-risk approval.
  • Consult the DPO where required and capture stakeholder input when relevant to the processing.
  • Use prior consultation under Article 36 when the DPIA indicates unmitigated high risk.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports DPIA and prior-consultation duties in Articles 35 and 36.
CNIL - Privacy Impact Assessment Methodology
Supports a concrete DPIA work structure: processing context, fundamental-principle controls, privacy-risk assessment, and validation.
Section 7

Processors and international transfers

Processor governance starts with Article 28. The controller must use processors that provide sufficient guarantees, and processing by a processor must be governed by a contract or other legal act covering documented instructions, confidentiality, Article 32 security, sub-processors, assistance with rights and breach duties, deletion or return of data, audits, and information needed to demonstrate compliance.

International transfers require a separate Chapter V analysis. Article 44 sets the general principle, Article 45 covers adequacy decisions, Article 46 covers appropriate safeguards such as standard contractual clauses, and Article 49 covers derogations for specific situations. The European Commission SCC page confirms that SCCs are pre-approved model clauses used as a ground for EU-to-third-country transfers under the GDPR.

What are the minimum GDPR requirements to check for a new processing activity?

Confirm GDPR scope, assign controller and processor roles, define the purpose, choose a lawful basis, prepare Article 13 or 14 notice content, add the RoPA entry, check rights handling, assess Article 32 security, screen for DPIA need, and identify any Chapter V transfer.

Which GDPR requirements usually need written evidence?

Keep written evidence for lawful basis, transparency notices, RoPA entries, processor terms, security risk assessment and controls, breach assessments, DPIA screening or DPIA results, rights-request handling, retention decisions, and international-transfer safeguards.

  • Link each processor to the processing activity, controller instructions, security measures, sub-processor approval path, and audit evidence.
  • Do not treat a vendor security questionnaire as a substitute for an Article 28 processing arrangement.
  • For transfers, identify the destination, importer role, transfer tool, safeguards, and RoPA entry.
  • Keep SCC execution, transfer assessment, supplementary measures where needed, and review triggers together.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports processor-contract requirements in Article 28 and transfer requirements in Chapter V.
European Commission - Standard Contractual Clauses
Supports the role of Commission pre-approved standard contractual clauses for GDPR international transfers.
Recommended next step

Map each processing activity to the GDPR duties it triggers

Sorena can help convert this GDPR requirements map into scoped processing records, source-linked obligation checks, owner assignments, and evidence requests.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about GDPR scope, lawful basis, RoPA, DPIA, breach, processor, and transfer requirements using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through GDPR implementation

Review your GDPR processing map, source gaps, owner model, and evidence plan with Sorena.

Explore next step
Primary sources

References and citations

CNIL - Privacy Impact Assessment Methodology
cnil.fr
Referenced sections
  • Supports a concrete DPIA work structure: processing context, fundamental-principle controls, privacy-risk assessment, and validation.
"define and describe the context"
Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Supports processor-contract requirements in Article 28 and transfer requirements in Chapter V.
"Processor"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Checklist: scope, lawful basis, DSARs, DPIA, RoPA, transfers
Use this GDPR checklist to review scope, lawful basis, notices, DSAR handling, DPIAs, RoPA, processor contracts, SCC transfers, breach notification, retention, security, and evidence.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.