Question 1

What is GDPR and who does it apply to?

Accepted Answer

The General Data Protection Regulation (GDPR, Regulation 2016/679) is the EU data protection law that governs how organisations collect, process, store, and transfer personal data of individuals in the European Economic Area (EEA). It applies to any organisation that processes personal data of EU residents, regardless of where the organisation is located. This includes EU-based companies, non-EU companies offering goods or services to EU residents, and organisations monitoring the behaviour of EU residents. GDPR establishes rights for data subjects, obligations for data controllers and processors, and enforcement mechanisms with fines of up to 20 million euros or 4% of global annual turnover.

Question 2

What is a Record of Processing Activities (ROPA) under Article 30?

Accepted Answer

GDPR Article 30 requires both data controllers and data processors to maintain a written Record of Processing Activities (ROPA). For controllers, this must include the name and contact details of the controller, the purposes of processing, categories of data subjects and personal data, categories of recipients, international transfers including safeguards, retention periods, and a general description of technical and organisational security measures. For processors, the record must include the name of each controller on behalf of whom processing is carried out, categories of processing, international transfers, and security measures. Venvera maintains your ROPA automatically as you document processing activities, with export capabilities for supervisory authority requests.

Question 3

What is a Data Protection Impact Assessment (DPIA)?

Accepted Answer

A Data Protection Impact Assessment (DPIA), required under GDPR Article 35, is a process to identify and minimise data protection risks of a project or processing activity. DPIAs are mandatory when processing is likely to result in a high risk to individuals, including systematic and extensive profiling with significant effects, large-scale processing of special categories of data, and systematic monitoring of publicly accessible areas. A DPIA must describe the processing operations, assess necessity and proportionality, evaluate risks to data subjects, and identify measures to address those risks. If the DPIA indicates high residual risk, the controller must consult the supervisory authority under Article 36. Venvera provides structured DPIA templates with risk scoring and mitigation tracking.

Question 4

What is the 72-hour breach notification requirement?

Accepted Answer

GDPR Article 33 requires data controllers to notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification must include the nature of the breach, categories and approximate number of data subjects and records affected, the name and contact details of the DPO, the likely consequences, and the measures taken or proposed to address the breach. If notification is not possible within 72 hours, reasons for the delay must be provided. Where the breach is likely to result in a high risk to individuals, Article 34 requires the controller to also communicate the breach to the affected data subjects without undue delay.

Question 5

How does GDPR handle cross-border data transfers?

Accepted Answer

GDPR restricts transfers of personal data to countries outside the EEA unless adequate protection is ensured. Transfer mechanisms include adequacy decisions by the European Commission (where a third country is deemed to provide adequate protection), Standard Contractual Clauses (SCCs) adopted by the Commission, Binding Corporate Rules (BCRs) approved by supervisory authorities, and derogations for specific situations under Article 49. Following the Schrems II ruling, organisations must also conduct Transfer Impact Assessments (TIAs) to evaluate whether the laws of the recipient country provide essentially equivalent protection. Venvera tracks all cross-border transfers, documents the legal basis for each, and flags transfers to countries without adequacy decisions for TIA completion.

Question 6

What are data subject rights under GDPR?

Accepted Answer

GDPR grants data subjects eight key rights: the right to be informed (Articles 13-14) about how their data is processed, the right of access (Article 15) to obtain a copy of their personal data, the right to rectification (Article 16) of inaccurate data, the right to erasure or "right to be forgotten" (Article 17), the right to restrict processing (Article 18), the right to data portability (Article 20) in a machine-readable format, the right to object (Article 21) to processing based on legitimate interests or direct marketing, and the right not to be subject to automated decision-making including profiling (Article 22). Controllers must respond to data subject requests within one month, extendable by two months for complex requests. Venvera helps you track and manage data subject requests with deadline monitoring.

Question 7

What are the penalties for GDPR non-compliance?

Accepted Answer

GDPR establishes a two-tier penalty structure. The lower tier (Article 83(4)) applies to infringements of obligations on controllers, processors, certification bodies, and monitoring bodies, with fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher. The upper tier (Article 83(5)) applies to infringements of basic processing principles, conditions for consent, data subject rights, and international transfer provisions, with fines of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher. Supervisory authorities consider factors including the nature, gravity, and duration of the infringement, whether it was intentional or negligent, measures taken to mitigate damage, prior infringements, and the degree of cooperation with the authority.

GDPR COMPLIANCE SOFTWARE: PROCESSING ACTIVITIES, DPIAs, AND 72-HOUR BREACH NOTIFICATION

RECORD OF PROCESSING ACTIVITIES (ROPA) FOR ARTICLE 30

BREACH NOTIFICATION WITH 72-HOUR DEADLINE TRACKING

DATA PROTECTION IMPACT ASSESSMENTS (DPIAs)

CROSS-BORDER DATA TRANSFER DOCUMENTATION

DATA SUBJECT RIGHTS REQUEST MANAGEMENT

GDPR POLICY MANAGEMENT AND DOCUMENTATION

GDPR COMPLIANCE: VENVERA VS MANUAL PROCESSES

FREQUENTLY ASKED QUESTIONS ABOUT GDPR

READY TO STREAMLINE YOUR
GDPR COMPLIANCE?