Question 1

What is the GDPR?

Accepted Answer

The General Data Protection Regulation is the EU's comprehensive data protection law. It governs how personal data is collected, used, shared and protected, and gives individuals strong rights over their data.

Question 2

Who must comply with the GDPR?

Accepted Answer

The GDPR applies to controllers and processors established in the EU, and to organisations outside the EU that offer goods or services to individuals in the EU or monitor their behaviour.

Question 3

What is a record of processing?

Accepted Answer

Article 30 requires controllers and most processors to maintain a written or electronic record of processing activities, covering purposes, categories of data and recipients, retention periods and security measures.

Question 4

What is a DPIA?

Accepted Answer

A Data Protection Impact Assessment is a structured process to identify and mitigate privacy risks before high-risk processing starts. It is mandatory in specific cases, such as large-scale processing of sensitive data or systematic monitoring.

Question 5

What are data subject rights?

Accepted Answer

Individuals have rights of access, rectification, erasure, restriction, data portability, objection and protection against solely automated decision-making, including profiling that significantly affects them.

Question 6

When must a breach be reported?

Accepted Answer

Personal data breaches must be reported to the supervisory authority within 72 hours of awareness, unless the breach is unlikely to result in a risk to individuals. Affected individuals must be informed when the risk is high.

Question 7

How do international transfers work?

Accepted Answer

Transfers outside the EEA require an adequate level of protection. This can be achieved through adequacy decisions, Standard Contractual Clauses, Binding Corporate Rules or specific derogations, often combined with supplementary measures.

Question 8

Who is the DPO and when is one required?

Accepted Answer

A Data Protection Officer is required when processing is carried out by a public authority, when core activities involve large-scale monitoring or when they involve large-scale processing of special categories of data.

Question 9

What are the penalties?

Accepted Answer

Fines can reach up to EUR 20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements, with lower tiers for other breaches.

Question 10

How does Basenorm support GDPR?

Accepted Answer

Basenorm centralises records, DPIAs, DSARs, breach workflows, transfer assessments and processor oversight, with evidence and controls mapped to the Unified Control Library.

Operationalise GDPR
with Confidence

Records, Lawful Bases and Accountability

Article 32 Security Measures

Records of Processing (RoPA)

DPIA, Data Subject Rights and Breach Management

International Transfers and Third-Party Oversight

72-Hour Breach Response

Ready to make GDPR operational?

Frequently Asked Questions

Operationalise GDPRwith Confidence

Records, Lawful Bases and Accountability

Article 32 Security Measures

Records of Processing (RoPA)

DPIA, Data Subject Rights and Breach Management

International Transfers and Third-Party Oversight

72-Hour Breach Response

Ready to make GDPR operational?

Frequently Asked Questions

What is the GDPR?

Who must comply with the GDPR?

What is the record of processing activities?

When is a DPIA required?

How are data subject rights handled?

What happens when a personal data breach occurs?

How are international transfers managed?

When is a Data Protection Officer required?

What are the penalties for non-compliance?

How does Basenorm support GDPR compliance?

Related FAQ Topics

Operationalise GDPR
with Confidence