Europe's data protection standard. Map your data processing, demonstrate accountability, and manage subject rights.
The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is the EU's comprehensive data protection law that governs how organizations collect, process, store, and share the personal data of individuals in the EU, wherever the organization itself is established. It replaced the 1995 Data Protection Directive (95/46/EC), entered into force in May 2016, and has applied since 25 May 2018.
GDPR establishes the Article 5 principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. Organizations must be able to demonstrate compliance through documentation, data protection impact assessments, and, where the nature of their processing requires one, an appointed Data Protection Officer.
The regulation grants individuals extensive rights over their personal data, including the rights of access, rectification, erasure ('right to be forgotten'), data portability, the right to object to processing, and the right not to be subject to decisions based solely on automated processing.
The most important articles and obligations you need to address.
The seven core principles of Article 5: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Six legal bases for processing: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Detailed information that must be provided to data subjects when personal data is collected directly or indirectly.
Controllers must implement data protection principles from the design stage and by default in all processing activities.
Mandatory records of all processing activities (Article 30), including purposes, categories of data and data subjects, recipients, international transfers, and retention periods. Organizations with fewer than 250 employees are exempt only if the processing is occasional, is unlikely to result in a risk to individuals, and involves no special categories of data.
Personal data breaches must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Affected individuals must be notified without undue delay when the breach is likely to result in a high risk to them.
Required for high-risk processing. Must assess necessity, proportionality, risks to individuals, and mitigation measures.
Maximum fines of EUR 20M or 4% of worldwide annual turnover, whichever is higher, for the most serious violations; a lower tier of EUR 10M or 2% applies to breaches of obligations such as security, records, and breach notification.
Purpose-built features to get you from zero to compliant.
Pre-built checks covering all major GDPR requirements, from lawful basis to breach notification procedures.
Collect and organize DPIAs, processing records, consent logs, and data flow documentation with approval workflows.
Organization-wide GDPR requirements separate from per-application data processing checks.
Define data protection controls once, map them to GDPR articles, and track implementation status across teams.
Assess and track data protection risks with impact scoring linked to mitigating controls.
Generate compliance reports for supervisory authority requests or internal audits in PDF, Excel, or Word.
Yes. GDPR applies to every organization that processes personal data of individuals in the EU, regardless of its size. Some obligations are scoped by the nature of the processing rather than by headcount: a Data Protection Officer is only mandatory for public authorities and for organizations whose core activities involve large-scale monitoring or large-scale processing of special categories of data, and the Article 30 records requirement has a narrow exemption for organizations with fewer than 250 employees. The key factor is what data you process and how, not how big you are.
Personal data is any information relating to an identified or identifiable natural person. This includes names, email addresses, IP addresses, location data, cookie identifiers, and even pseudonymized data if it can be linked back to an individual.
A controller determines the purposes and means of processing personal data. A processor processes data on behalf of the controller. Both have obligations under GDPR, but controllers bear primary responsibility for compliance.
GDPR fines can reach EUR 20 million or 4% of global annual turnover, whichever is higher. In practice, fines vary based on severity. Notable fines include EUR 1.2B (Meta, 2023), EUR 746M (Amazon, 2021), and EUR 405M (Meta/Instagram, 2022).
complixo provides structured GDPR compliance checks at both organization and application level, evidence management for DPIAs and processing records, controls mapped to specific GDPR articles, and audit-ready reports for supervisory authority requests.
Pre-built checks, structured evidence, and audit-ready reports. No credit card required.