EU Data Protection Regulation
GDPR Compliance Services
Achieve comprehensive compliance with the EU General Data Protection Regulation. Protect personal data, implement data subject rights, and avoid penalties up to €20 million or 4% of global revenue.
- 7 GDPR principles fully implemented across your organization
- Complete data subject rights framework (Articles 15-22)
- International data transfer mechanisms (BCRs, SCCs, adequacy decisions)
Introduction
What is GDPR?
The General Data Protection Regulation (GDPR) is the world's most comprehensive data privacy and security law. Enacted by the European Union in May 2018, it replaced the 1995 Data Protection Directive and fundamentally transformed how organizations worldwide handle personal data of EU residents.
GDPR consists of 99 articles organized into 11 chapters, covering everything from lawful processing grounds to individual rights, data protection by design, breach notifications, and cross-border data transfers. It applies to any organization—regardless of location—that processes personal data of individuals in the EU.
The regulation introduces severe penalties for non-compliance: up to €20 million or 4% of global annual turnover, whichever is higher. Since enforcement began, regulators have issued billions in fines to companies including Google (€50M), Amazon (€746M), and Meta (€1.2B).
Who Must Comply with GDPR?
EU-Based Organizations
Any company established in the EU, regardless of where data processing occurs.
Non-EU Organizations with EU Customers
Companies offering goods/services to EU residents or monitoring their behavior (e.g., US SaaS companies with European users).
Data Controllers
Organizations that determine the purposes and means of processing personal data (e.g., employers, e-commerce platforms).
Data Processors
Organizations that process data on behalf of controllers (e.g., cloud providers, payroll services, marketing agencies).
Public Authorities
Government bodies and public institutions processing personal data (except for law enforcement activities).
Key Insight: GDPR has extraterritorial reach. Even if your company is based in India, the US, or anywhere else, you must comply if you process data of EU residents.
Core Framework
The 7 GDPR Principles
Article 5 establishes seven foundational principles that govern all personal data processing. Compliance with these principles is mandatory and forms the basis for GDPR enforcement.
Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and in a transparent manner. Data subjects must be informed about how their data is collected and used.
Purpose Limitation
Data must be collected for specified, explicit, and legitimate purposes. Further processing must be compatible with the original purpose.
Data Minimisation
Only collect and process data that is adequate, relevant, and limited to what is necessary for the stated purpose.
Accuracy
Personal data must be accurate and kept up to date. Inaccurate data must be erased or rectified without delay.
Storage Limitation
Data should be kept in a form that permits identification of data subjects for no longer than necessary for the stated purpose.
Integrity and Confidentiality
Process data in a manner that ensures appropriate security, including protection against unauthorized processing, accidental loss, destruction, or damage.
Accountability
The controller is responsible for and must be able to demonstrate compliance with all GDPR principles through documentation and evidence.
Accountability Principle
The 7th principle—Accountability—is critical: you must not only comply with principles 1-6 but also demonstrate compliance through documentation, policies, procedures, and evidence. This includes maintaining records of processing activities (Article 30), conducting Data Protection Impact Assessments (Article 35), and implementing data protection by design and by default (Article 25).
Article 6
Lawful Basis for Processing
Under GDPR Article 6, you must have at least one of six lawful bases to process personal data. You cannot switch to a different lawful basis after processing begins—choose carefully at the outset.
1. Consent
Article 6(1)(a): The data subject has given clear, affirmative consent for specific processing purposes. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not constitute valid consent.
Examples:
Marketing emails, newsletter subscriptions, cookies (non-essential)
Requirements:
Must be withdrawable at any time; burden of proof is on controller; consent requests must be separate from other terms
When to Use:
Best for optional activities like marketing. Avoid for employment or public services where power imbalance exists.
2. Contract
Article 6(1)(b): Processing is necessary for the performance of a contract with the data subject, or to take steps at their request before entering into a contract.
Examples:
Processing customer orders, delivering products, providing services under contract
Requirements:
Must be objectively necessary—not just mentioned in terms of service
When to Use:
E-commerce transactions, SaaS service delivery, employment contracts
3. Legal Obligation
Article 6(1)(c): Processing is necessary to comply with a legal obligation under EU or Member State law.
Examples:
Tax reporting, employment law compliance, anti-money laundering checks
Requirements:
Must cite specific legal provision requiring processing
When to Use:
Regulatory reporting, legal compliance (GDPR itself is NOT a legal obligation for this purpose)
4. Vital Interests
Article 6(1)(d): Processing is necessary to protect someone's life or physical integrity. This is a narrow exception for emergency situations.
Examples:
Emergency medical treatment, disaster response, safeguarding children
Requirements:
Must be genuine life-or-death situation; cannot be used if another lawful basis applies
When to Use:
Rarely used; only for genuine emergencies where consent cannot be obtained
5. Public Task
Article 6(1)(e): Processing is necessary for tasks carried out in the public interest or in the exercise of official authority vested in the controller.
Examples:
Public healthcare, education, government services
Requirements:
Must have clear basis in law; controller must be public authority or private entity exercising public authority
When to Use:
Government bodies, public universities, healthcare providers acting under statutory obligations
6. Legitimate Interests
Article 6(1)(f): Processing is necessary for the legitimate interests of the controller or a third party, except where overridden by the interests, rights, or freedoms of the data subject (especially children).
Examples:
Fraud prevention, network security, direct marketing to existing customers, employee monitoring
Requirements:
Must conduct and document a Legitimate Interest Assessment (LIA) balancing controller interests against data subject rights
When to Use:
Business operations, cybersecurity, customer analytics—when consent is impractical and no other basis applies
Special Categories of Personal Data (Article 9)
Processing of sensitive data—racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation—is generally prohibited unless you meet one of the Article 9 exceptions (e.g., explicit consent, vital interests, legitimate activities of non-profits, data manifestly made public by the data subject).
Criminal conviction data (Article 10) can only be processed under official authority or when authorized by Union/Member State law.
Articles 15-22
Data Subject Rights
GDPR grants individuals eight fundamental rights over their personal data. Organizations must have processes in place to respond to these requests within strict timelines—typically 1 month, extendable to 3 months for complex requests.
Right to Access
Individuals can request confirmation that their data is being processed and obtain a copy of their personal data.
Timeline: Response within 1 month
Right to Rectification
Individuals can request correction of inaccurate or incomplete personal data.
Timeline: Response within 1 month
Right to Erasure
Also known as the "right to be forgotten". Individuals can request deletion of their personal data under specific circumstances.
Timeline: Response within 1 month
Right to Restriction
Individuals can request limitation of processing of their personal data in certain situations (e.g., contesting accuracy).
Timeline: Response within 1 month
Right to Data Portability
Individuals can receive their personal data in a structured, machine-readable format and transmit it to another controller.
Timeline: Response within 1 month
Right to Object
Individuals can object to processing based on legitimate interests, to direct marketing, and to processing for scientific/historical research.
Timeline: Immediate cessation
Rights Related to Automated Decision-Making
Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects.
Timeline: Immediate review
Right to be Informed
Individuals must be informed about data collection and usage through clear privacy notices at the point of data collection.
Timeline: At point of collection
Implementing Data Subject Access Requests (DSARs)
What You Must Provide:
- Confirmation that you process their data
- Copy of personal data (first copy free)
- Categories of data processed
- Purposes of processing
- Recipients or categories of recipients
- Retention period (or criteria to determine it)
- Rights (rectification, erasure, restriction, objection)
- Right to lodge a complaint with supervisory authority
- Source of data (if not collected from individual)
- Existence of automated decision-making/profiling
DSAR Response Checklist:
- Verify the identity of the requester (don't disclose data to the wrong person)
- Search all systems: databases, emails, backups, third-party processors
- Redact third-party personal data (e.g., names of other individuals)
- Provide data in structured, commonly used, machine-readable format
- Respond within 1 month (extendable to 3 months if complex)
- If refusing, explain why and inform of right to complain
- Document the request and your response for accountability
Article 35
Data Protection Impact Assessment (DPIA)
When processing is likely to result in high risk to individuals' rights and freedoms, you must conduct a DPIA before processing begins. This is mandatory for certain types of processing.
When DPIA is Mandatory:
Systematic and Extensive Profiling
Automated processing including profiling that produces legal or similarly significant effects (e.g., credit scoring, algorithmic decision-making for employment/healthcare)
Large-Scale Processing of Special Categories
Processing sensitive data (health, biometric, genetic, racial/ethnic origin, political opinions) or criminal conviction data at scale
Systematic Monitoring of Public Areas
Large-scale systematic monitoring (e.g., CCTV surveillance, facial recognition in public spaces, location tracking)
New Technologies
Use of new technological solutions that present high risk (e.g., AI/ML systems, IoT deployments, blockchain for personal data)
DPIA Must Include:
- Systematic description of processing operations and purposes
- Assessment of necessity and proportionality of processing
- Assessment of risks to rights and freedoms of data subjects
- Measures to address risks (technical and organizational)
- Safeguards, security measures, and mechanisms to ensure data protection
- Demonstration of compliance with GDPR
- Consultation with data subjects or their representatives (where appropriate)
- Consultation with DPO (if appointed)
- Prior consultation with supervisory authority if high risk cannot be mitigated
Articles 33-34
Data Breach Notification
Personal data breaches must be reported to the supervisory authority within 72 hours—and to affected individuals if the breach poses high risk to their rights and freedoms.
Detect & Assess
- Detect the breach
- Contain the incident
- Assess scope and severity
- Determine whether the breach is likely to result in a risk to individuals
Notify Authority
- Notify supervisory authority (ICO, CNIL, etc.)
- Provide: nature of breach, categories/number of individuals affected, likely consequences, measures taken/proposed
- If notification is made after 72 hours, provide the reasons for the delay
Notify Individuals
- Required if high risk to individuals
- Describe breach in clear, plain language
- Provide contact point for more information
- Describe likely consequences and mitigation measures
- Not required if: data encrypted, subsequent measures remove high risk, or disproportionate effort (use public communication instead)
Penalties for Non-Compliance
Failure to notify a breach to the supervisory authority or affected individuals can result in fines up to €10 million or 2% of global annual turnover (whichever is higher). In 2022, British Airways was fined £20M for a breach affecting 400,000 customers due to inadequate security and delayed notification.
What's Included
Comprehensive GDPR Compliance Services
End-to-end GDPR implementation from gap analysis to certification, audit support, and ongoing compliance management.
Gap Assessment
Current state analysis against GDPR requirements, data mapping, processing inventory (Article 30), identification of high-risk processing activities.
Policy & Documentation
Privacy policies, data processing agreements, consent mechanisms, data retention schedules, breach response plan, DPIA templates.
Lawful Basis Analysis
Identify appropriate lawful basis for each processing activity, conduct Legitimate Interest Assessments (LIAs), document basis selection.
DPIA Execution
Conduct Data Protection Impact Assessments for high-risk processing, risk mitigation strategies, supervisory authority consultation.
Data Subject Rights
Implement DSAR response procedures, automated request portals, identity verification, data discovery across systems.
International Transfers
Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), Transfer Impact Assessments (TIAs), adequacy decisions.
Breach Notification
72-hour breach notification procedures, incident response playbooks, supervisory authority templates, individual notification protocols.
Security Measures
Data protection by design and by default, encryption, pseudonymization, access controls, organizational security measures.
Training & Awareness
Staff GDPR training programs, DPO certification support, privacy champion networks, ongoing awareness campaigns.
Implementation Roadmap
GDPR Compliance Timeline
Typical timeline: 5-6 months
At Tranquility, compliance is fast, flexible, and achievable in under 2 months or sometimes even under 2 weeks!
Data Mapping & Gap Analysis
Complete data inventory, map data flows, identify all processing activities, document Article 30 records, conduct gap assessment against GDPR requirements.
Lawful Basis & Documentation
Identify lawful basis for each processing activity, conduct Legitimate Interest Assessments, update privacy policies, create data processing agreements.
Data Subject Rights Implementation
Build DSAR response procedures, implement automated request portals, train staff on rights requests, test response workflows.
DPIAs & High-Risk Processing
Conduct DPIAs for high-risk activities, implement risk mitigation measures, consult supervisory authority if required.
Security & Technical Controls
Implement encryption, pseudonymization, access controls, breach notification procedures, security by design and by default.
International Transfers & Final Audit
Implement SCCs/BCRs, conduct Transfer Impact Assessments, final compliance audit, staff training, continuous monitoring setup.
Strengthen Your Compliance Posture
Explore complementary certifications that work together to provide comprehensive security and compliance coverage.
ISO 27001
Information security management. Complements GDPR with technical security controls.
ISO 27701
Privacy information management extension to ISO 27001. Demonstrates GDPR compliance.
SOC 2
Trust service criteria for US clients. Often required alongside GDPR for global operations.
Get in touch
Book a free consultation or send us your requirements. We respond within 24 hours.