GDPR compliance, automated and continuous

Go beyond checkbox compliance. Matproof automates your records of processing, DPIA workflows, and data subject rights — keeping you continuously GDPR-compliant.

Key Features

Records of Processing Activities

Maintain Article 30 records automatically. Track processing activities, legal bases, retention periods, and data flows.

Data Protection Impact Assessments

Automated DPIA workflows for high-risk processing. Step-by-step assessments with risk scoring and mitigation tracking.

Data Subject Rights Management

Handle access, deletion, and portability requests within regulatory deadlines. Full audit trail for every request.

Breach Notification Workflows

72-hour breach notification workflows. Auto-generate reports for supervisory authorities and affected data subjects.

Consent Management

Track consent across all processing activities. Manage opt-ins, withdrawals, and consent refresh cycles.

Third-Party Data Processing

Manage processor agreements, sub-processor tracking, and international transfer safeguards (SCCs, adequacy decisions).

Why Matproof

  • Article 30 records generated automatically
  • 72-hour breach notification workflow built in
  • Data subject rights handled within deadlines
  • 100% EU-hosted — practice what we preach

What is the GDPR?

The General Data Protection Regulation (GDPR), formally EU Regulation 2016/679, is the European Union's landmark data protection law that fundamentally reshaped how organizations worldwide handle personal data. Effective since May 25, 2018, the GDPR established a unified data protection framework across all EU and EEA member states, replacing the patchwork of national laws based on the 1995 Data Protection Directive. It is widely regarded as the most comprehensive and influential data protection regulation globally.

The GDPR is built on seven core principles that govern all personal data processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles are not merely aspirational — they form the legal basis against which all processing activities are measured. Organizations must be able to demonstrate compliance with each principle, a concept known as the accountability principle under Article 5(2).

One of the GDPR's most significant features is its extraterritorial scope. Under Article 3, the regulation applies not only to organizations established in the EU, but also to any organization worldwide that offers goods or services to EU residents or monitors their behavior. This means that a technology company based in the United States, a fintech startup in Singapore, or a SaaS provider in Israel must comply with the GDPR if they process personal data of individuals in the EU — regardless of where the data is actually processed.

In Germany, the GDPR is supplemented by the Bundesdatenschutzgesetz (BDSG), which adds national provisions in areas where the GDPR allows member state flexibility. The BDSG establishes stricter requirements in several areas — most notably, it mandates the appointment of a Data Protection Officer (Datenschutzbeauftragter) for any organization with 20 or more employees regularly engaged in automated processing of personal data. Germany also has 16 state data protection authorities (Landesdatenschutzbehoerden) alongside the federal commissioner (BfDI), creating a complex but robust enforcement landscape.

Who Needs GDPR Compliance?

The GDPR applies to virtually every organization that processes personal data of individuals in the EU/EEA, whether as a data controller (determining the purposes and means of processing) or a data processor (processing data on behalf of a controller). The regulation has no revenue threshold or minimum company size — even sole traders and micro-enterprises must comply.

Controllers

  • Any EU-based company processing personal data
  • Non-EU companies offering goods/services to EU residents
  • Non-EU companies monitoring behavior of EU residents
  • Public authorities and government bodies
  • Healthcare providers and pharmaceutical companies
  • Financial services and insurance companies

Processors

  • Cloud service and hosting providers
  • SaaS platforms processing customer data
  • Payroll and HR service providers
  • Marketing and analytics platforms
  • IT outsourcing and managed service providers
  • Customer support and call center providers

Special attention applies to organizations processing special categories of personal data (Article 9) — including health data, biometric data, genetic data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and data concerning sex life or sexual orientation. Processing such data requires meeting one of the specific conditions in Article 9(2), and organizations processing these categories at scale must appoint a DPO and typically conduct DPIAs.

GDPR Key Requirements in Detail

1. Lawful Basis for Processing (Article 6)

Every processing activity must have a valid legal basis. The GDPR provides six lawful bases: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Organizations must identify and document the lawful basis for each processing activity before processing begins. Consent must be freely given, specific, informed, and unambiguous — and must be as easy to withdraw as to give. Legitimate interests require a documented balancing test (Legitimate Interests Assessment).

2. Data Subject Rights (Articles 12-22)

The GDPR grants individuals eight rights: the right to be informed (transparency), right of access (subject access requests), right to rectification, right to erasure (right to be forgotten), right to restrict processing, right to data portability, right to object, and rights related to automated decision-making and profiling. Organizations must respond to data subject requests within one month (extendable by two months for complex requests) and provide the response free of charge in most cases.

3. Records of Processing Activities (Article 30)

Controllers and processors with more than 250 employees — or those processing data that poses risks, involves special categories, or relates to criminal convictions — must maintain detailed records of processing activities (ROPA/Verarbeitungsverzeichnis). These records must include the purposes of processing, categories of data subjects and personal data, recipients, international transfers, retention periods, and a description of security measures. The records must be available to the supervisory authority upon request.

4. Data Protection Impact Assessments (Article 35)

A DPIA is mandatory when processing is likely to result in a high risk to data subjects' rights and freedoms. This includes systematic and extensive profiling with significant effects, large-scale processing of special category data, and systematic monitoring of publicly accessible areas. The DPIA must describe the processing operations, assess necessity and proportionality, evaluate risks, and identify measures to address those risks. If risks remain high after mitigation, prior consultation with the supervisory authority is required under Article 36.

5. Data Protection Officer (Articles 37-39)

A DPO must be appointed by public authorities, organizations whose core activities require regular and systematic monitoring of individuals at scale, or organizations processing special categories of data at scale. In Germany, the BDSG extends this requirement to any company with 20 or more employees regularly involved in automated data processing. The DPO must have expert knowledge of data protection law, operate independently, report directly to the highest management level, and cannot be dismissed or penalized for performing their duties.

6. Breach Notification (Articles 33-34)

Personal data breaches must be reported to the competent supervisory authority within 72 hours of the controller becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. The notification must include the nature of the breach, approximate number of data subjects and records affected, likely consequences, and measures taken or proposed. If the breach is likely to result in a high risk to individuals, they must also be informed directly without undue delay. Processors must notify controllers without undue delay after becoming aware of a breach.

7. International Data Transfers (Articles 44-49)

Transfers of personal data outside the EU/EEA are only permitted if the recipient country provides an adequate level of protection (adequacy decision), or if appropriate safeguards are in place. Standard Contractual Clauses (SCCs) are the most commonly used transfer mechanism, though Binding Corporate Rules (BCRs) are available for intra-group transfers. Following the Schrems II ruling, organizations using SCCs must also conduct a Transfer Impact Assessment (TIA) to evaluate the data protection laws of the recipient country and implement supplementary measures if needed.

8. Data Processing Agreements (Article 28)

When a controller engages a data processor, a written Data Processing Agreement (DPA/Auftragsverarbeitungsvertrag) must be in place. The DPA must specify the subject matter and duration of processing, the nature and purpose of processing, the types of personal data, categories of data subjects, and the controller's obligations and rights. Processors must provide sufficient guarantees to implement appropriate technical and organizational measures and must not engage sub-processors without the controller's authorization.

Penalties for GDPR Non-Compliance

The GDPR introduced the highest data protection fines ever seen, and enforcement activity has increased significantly year over year since 2018. As of 2025, supervisory authorities across Europe have imposed cumulative fines exceeding EUR 4 billion.

Up to EUR 20M / 4%

Upper-tier fines for violations of processing principles, data subject rights, and international transfer rules (whichever amount is higher)

Up to EUR 10M / 2%

Lower-tier fines for administrative and organizational violations including records of processing, DPO appointment, and security measures

Criminal Penalties

Germany's BDSG adds criminal liability of up to 3 years imprisonment for intentional unauthorized data processing or obtaining data through deception

Civil Liability

Data subjects have the right to compensation for material and non-material damage (Article 82), enabling class-action style litigation across the EU

Notable GDPR fines include Meta (EUR 1.2 billion for international transfers), Amazon (EUR 746 million for targeted advertising), and WhatsApp (EUR 225 million for transparency failures). In Germany, H&M received a EUR 35.3 million fine for employee surveillance, and 1&1 Telecom was fined EUR 9.55 million for inadequate authentication procedures. These cases demonstrate that enforcement affects companies of all sizes across all sectors.

How to Achieve GDPR Compliance

GDPR compliance is not a one-time project but an ongoing program. Here is a structured approach to building and maintaining a comprehensive GDPR compliance framework:

  1. Data Mapping and Records of Processing

    Map all personal data flows across your organization: what data you collect, where it comes from, how it is processed, who has access, where it is stored, and with whom it is shared. Create and maintain your Records of Processing Activities (ROPA). This forms the foundation for all other GDPR compliance activities and must be kept up to date as processing activities change.

  2. Legal Basis Assessment and Privacy Notices

    For each processing activity, determine and document the appropriate lawful basis. Update privacy notices to meet GDPR transparency requirements (Articles 13-14), clearly communicating what data you collect, why, on what legal basis, how long you retain it, and what rights individuals have. Review and update consent mechanisms where consent is the lawful basis.

  3. DPO Appointment and Governance

    Determine whether your organization is required to appoint a Data Protection Officer. In Germany, this is mandatory for companies with 20 or more employees in automated data processing. Establish a data protection governance structure with clear roles, responsibilities, and reporting lines. Implement regular privacy training for all employees who handle personal data.

  4. Data Subject Rights Processes

    Implement processes and systems to handle data subject requests within the required one-month timeframe. This includes access requests, deletion requests, portability requests, and objections. Ensure you can identify and retrieve all personal data relating to an individual across all systems, and that deletion processes cascade to all relevant data stores and processors.

  5. Breach Detection and Notification

    Implement technical measures to detect data breaches promptly and establish an incident response plan that meets the 72-hour notification requirement. Define escalation procedures, notification templates, and decision criteria for assessing risk to data subjects. Conduct regular breach response exercises to ensure your team can meet the tight timelines under real pressure.

  6. Vendor Management and International Transfers

    Review all data processor relationships and ensure appropriate Data Processing Agreements are in place. For international data transfers, implement appropriate safeguards (SCCs, BCRs, or adequacy decisions) and conduct Transfer Impact Assessments where required. Use Matproof to centralize vendor compliance tracking, automate DPA management, and maintain ongoing oversight of your processing chain.

Frequently Asked Questions about GDPR

What is the GDPR?

The General Data Protection Regulation (GDPR), officially EU Regulation 2016/679, is the European Union's comprehensive data protection law. Effective since May 25, 2018, it governs how organizations collect, process, store, and transfer personal data of individuals in the EU/EEA. The GDPR replaced the 1995 Data Protection Directive and applies directly in all EU member states without requiring national transposition, though member states can add supplementary provisions.

Does the GDPR apply to companies outside the EU?

Yes. The GDPR has extraterritorial scope under Article 3. It applies to any organization — regardless of where it is established — that processes personal data of individuals in the EU/EEA if it offers goods or services to them, or monitors their behavior within the EU/EEA. This means a US-based SaaS company with EU customers must comply with the GDPR, including appointing an EU representative under Article 27.

What are the penalties for GDPR violations?

The GDPR establishes a two-tier penalty system. The upper tier carries fines of up to EUR 20 million or 4% of annual global turnover (whichever is higher) for violations of data processing principles, data subject rights, and international transfer rules. The lower tier imposes fines of up to EUR 10 million or 2% of turnover for administrative and organizational violations. In Germany, the BDSG adds criminal penalties of up to 3 years imprisonment for certain violations.

Do I need a Data Protection Officer (DPO)?

Under the GDPR, a DPO is mandatory for public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or organizations processing special categories of data on a large scale. In Germany, the BDSG lowers this threshold significantly: any company with 20 or more employees regularly engaged in automated processing of personal data must appoint a DPO (Datenschutzbeauftragter). The DPO can be internal or external.

What is a DPIA and when is it required?

A Data Protection Impact Assessment (DPIA) is a risk assessment required under Article 35 whenever processing is 'likely to result in a high risk' to data subjects. This includes systematic profiling, large-scale processing of special category data, and systematic monitoring of public areas. Supervisory authorities also publish lists of processing activities that require DPIAs. The DPIA must describe the processing, assess necessity and proportionality, evaluate risks, and identify mitigation measures.

What is the 72-hour breach notification requirement?

Under Article 33, controllers must notify the competent supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must describe the breach, affected data subjects, likely consequences, and measures taken. If the breach is likely to result in a high risk to individuals, they must also be notified directly under Article 34.