Framework library / GDPR
Data & Security · regulatory framework
GDPR — EU General Data Protection Regulation.
EU data protection law — Article 28 makes you accountable for every processor in your chain.
What it is
The GDPR governs processing of EU personal data. Article 28 requires written contracts (DPAs) with every processor, using only processors providing “sufficient guarantees”, and Article 30 requires records of processing activities. Accountability means documented evidence — including for the vendors and sub-processors behind your services.
Who it applies to
Any organization processing EU residents’ personal data — controllers and processors alike, wherever headquartered.
The evidence auditors expect
- Records of processing activities (Art. 30)
- Signed DPAs with all processors and sub-processors
- Vendor due-diligence and transfer-mechanism records
- Breach response and notification procedure evidence
How ComplianceFlow keeps you ready
- DPAs and due-diligence documents are collected per vendor and kept current with renewal reminders
- Every vendor decision keeps its reviewer and evidence — accountability you can demonstrate
- A registry-style export answers “show me your processors” in minutes
Related frameworks
See GDPR evidence assemble itself.
ComplianceFlow keeps a living copy of GDPR mapped to your suppliers, products and evidence — so what you must prove is always current, and always exportable.
Book a demo Get the audit checklist
TraceR2C