Data protection authority | Active | Regulation (EU) 2016/679

GDPR

GDPR applies to organisations that process personal data. It requires processing records, data subject rights, processor contracts, risk assessments, and breach notification within 72 hours when required.

Practical impact for EU SMBs.

  • Any organisation processing customer, employee, prospect, or supplier personal data.
  • E-commerce, SaaS, agencies, healthcare, professional services, and B2B teams with CRM data.
  • Companies using analytics, marketing tools, cloud services, or external processors.
  • Organisations transferring personal data outside the EU or EEA.

What needs to be provable.

Article 30

Records of processing

Maintain records for core processing activities, systems, purposes, and processors.

Due: active

Article 35

DPIA

Assess risk and safeguards before high-risk personal data processing starts.

Due: before high-risk processing

Article 33

Breach notification

Notify the competent authority when a personal data breach meets the reporting threshold.

Due: 72 hours

Article 28

Processor contracts

Keep processor terms and supplier reviews for vendors handling personal data.

Due: active

Risk is measured in money, contracts, and lost trust.

| Violation type | Maximum sanction | Enforcement |
| --- | --- | --- |
| Core principle violations | EUR 20 million or 4% of worldwide turnover | Data protection authority |
| Process obligations | EUR 10 million or 2% of worldwide turnover | Data protection authority |
| Late breach notification | Depends on impact and delay | Data protection authority |

Turn obligations into controls, evidence, and deadlines.

ROPA generator

Build processing records from systems, teams, vendors, and purposes.

DPIA workflow

Track risk assessment steps, approvals, mitigations, and review dates.

72-hour incident log

Keep a defensible breach timeline and exportable notification record.

GDPR | Splnit.eu — obligations, deadlines, and compliance automation