
GDPR: Protect your users' personal data

The European data protection regulation imposes strict obligations for personal data processing. Conformitly centralizes your processing register, DPIAs, and data subject rights management.

What is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679), commonly known as GDPR, is the European Union's reference legal framework for personal data protection. It applies to any organization, whether or not it is established in the EU, that processes the personal data of individuals in the EU. GDPR is built on the principles set out in Article 5: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

Who is concerned by GDPR?

Any data controller established in the European Union, regardless of where the processing takes place
Any processor processing personal data on behalf of a controller established in the EU
Any organization outside the EU that targets European residents (offering goods/services or monitoring behavior)
No size threshold: GDPR applies to micro-enterprises, SMEs, mid-caps, and large groups equally

Key GDPR requirements

1

Record of processing activities (Art. 30)

Maintenance of a detailed register of all processing activities, including purposes, categories of data and data subjects, recipients, transfers outside the EU, retention periods, and security measures.

2

Data Protection Impact Assessment (DPIA)

Conducting a data protection impact assessment (Art. 35) before any processing likely to result in a high risk to the rights and freedoms of natural persons, in particular systematic and extensive profiling that produces legal or similarly significant effects, large-scale processing of special categories of data, or large-scale systematic monitoring of publicly accessible areas.

3

Data subject rights

Implementation of mechanisms enabling the effective exercise of data subjects' rights: access, rectification, erasure (right to be forgotten), restriction of processing, data portability, objection, and the right not to be subject to automated decision-making.

4

Data breach notification (Art. 33-34)

Notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a notification made after 72 hours must state the reasons for the delay. Communication to the data subjects without undue delay when the breach is likely to result in a high risk. A processor must notify the controller without undue delay after becoming aware of a breach (Art. 33(2)).

5

DPO appointment

Mandatory appointment of a Data Protection Officer for public bodies, organizations whose core activities involve regular and systematic large-scale monitoring, or large-scale processing of special categories of data.

6

Data protection by design (Privacy by Design)

Integration of personal data protection from the design phase of processing systems and processes, and by default. Implementation of appropriate technical and organizational measures such as pseudonymization and data minimization.
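Pseudonymization is the one technical measure this list names, and it is easy to get wrong: an unkeyed hash of an e-mail address is not pseudonymization in the sense of Art. 4(5), because anyone holding a list of candidate addresses can recompute the hash and match it. The Python below is an added example, not code from the original page or from Conformitly. The records, field names and the "sales analytics" purpose are constructed, and the code assumes the HMAC key is held in a separate secrets store, so that the exported dataset cannot be attributed to a person without it.

```python
"""Keyed pseudonymization plus data minimization for a GDPR data export.

Added example, not Conformitly code. Records, field names and purpose are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records for the demonstration (fictitious people).
RECORDS: List[Dict] = [
    {"email": "alice@example.com", "age": 34, "city": "Lyon", "purchase_total": 120.5},
    {"email": "Bob@Example.org", "age": 41, "city": "Lille", "purchase_total": 80.0},
]

# Fields the downstream purpose (assumed here: sales analytics) actually needs.
ANALYTICS_FIELDS = {"city", "purchase_total"}


def normalize(identifier: str) -> bytes:
    """Canonicalize an identifier so 'Bob@Example.org' and 'bob@example.org' map to one token."""
    return identifier.strip().lower().encode("utf-8")


def pseudonymize_naive(identifier: str) -> str:
    """Unkeyed SHA-256. Looks anonymous but is reversible for low-entropy inputs
    such as e-mail addresses: anyone can recompute the hash of a guessed value."""
    return hashlib.sha256(normalize(identifier)).hexdigest()


def pseudonymize_keyed(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    of Art. 4(5) GDPR and must be kept separately (e.g. in a KMS), so that the
    dataset alone cannot be attributed to a person."""
    if len(key) < 32:
        raise ValueError("pseudonymization key must be at least 32 bytes")
    return hmac.new(key, normalize(identifier), hashlib.sha256).hexdigest()


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Re-identification attempt: hash each guess without a key and compare."""
    for guess in candidates:
        if hmac.compare_digest(pseudonymize_naive(guess), token):
            return guess
    return None


def minimize(record: Dict, allowed_fields: set) -> Dict:
    """Data minimization: keep only the fields required for the stated purpose."""
    return {k: v for k, v in record.items() if k in allowed_fields}


def pseudonymize_dataset(records: List[Dict], key: bytes, allowed_fields: set) -> List[Dict]:
    """Replace the direct identifier with a keyed token and drop unneeded fields."""
    out = []
    for rec in records:
        row = minimize(rec, allowed_fields)
        row["subject_id"] = pseudonymize_keyed(rec["email"], key)
        out.append(row)
    return out


def main() -> None:
    # In production the key comes from a secrets manager and is never stored with the data.
    key = secrets.token_bytes(32)
    for row in pseudonymize_dataset(RECORDS, key, ANALYTICS_FIELDS):
        print(row)
    # Why an unkeyed hash is not pseudonymization: a guess list recovers the address.
    guesses = ["carol@example.net", "alice@example.com"]
    print("naive hash recovered:", dictionary_attack(pseudonymize_naive("alice@example.com"), guesses))
    print("keyed token recovered:", dictionary_attack(pseudonymize_keyed("alice@example.com", key), guesses))


if __name__ == "__main__":
    main()
```

The keyed token is deterministic for a given key, so records of the same person can still be joined across exports; rotating the key breaks that linkability, which is the desired effect when a dataset is handed to a new recipient or purpose. Whether a given processing needs the join at all is a minimization question to answer before choosing the key.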

GDPR timeline

2016-04-27

Adoption of the GDPR regulation by the European Parliament and Council

2018-05-25

Date of application of GDPR: from this date, all concerned organizations must be in compliance

GDPR sanctions

The most serious violations (fundamental processing principles, data subject rights, international transfers) are subject to administrative fines of up to 20 million euros or 4% of global annual turnover, whichever is higher. Other breaches can result in fines of up to 10 million euros or 2% of global turnover. Supervisory authorities also have corrective powers including warnings, reprimands, and temporary or permanent limitation or prohibition of processing.

How Conformitly helps with GDPR

Processing register management

Create and maintain your Article 30 compliant record of processing activities with pre-filled templates, automatic data categorization, and legal basis tracking for each processing activity.

DPIA templates

Conduct your data protection impact assessments with structured templates compliant with EDPB guidelines, including assessment of necessity, proportionality, and risks, as well as mitigation measures.

Data subject request tracking

Manage data subject rights requests (access, rectification, erasure, portability) with tracking of the one-month legal response deadline (Art. 12(3), extendable by two further months for complex or numerous requests), approval workflows, and a complete exchange history.

Breach notification workflow

Declare and manage personal data breaches with a guided workflow: severity assessment, decision on notification to the supervisory authority and data subjects, and generation of notification forms within the 72-hour deadline.

Start your compliance in 30 minutes

Create your free account and begin your compliance journey today.