EU Regulation 2016/679 — since May 2018

GDPR Compliance for Your Company

The GDPR affects virtually every company in the EU. Records of processing, TOMs, data subject rights, data processing agreements — Kopexa bundles everything in one platform.

99% of companies affected

72h breach notification deadline

€20M or 4% of annual turnover fine

Made in Europe · GDPR Compliant · ISO 27001 Aligned · OSCAL-Based

Background

What is the GDPR and Who Does It Affect?

The General Data Protection Regulation (GDPR) (EU Regulation 2016/679) is the central European data protection regulation. It has been directly applicable since May 25, 2018 and affects virtually every company that processes personal data of EU residents.

The GDPR is based on 7 principles (Article 5): lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. All processing of personal data must rest on one of the 6 legal bases in Article 6: consent, contract, legal obligation, vital interests, public interest, or legitimate interest.

What makes the GDPR unique is its extraterritorial scope (market location principle): even companies outside the EU must comply if they offer goods or services to EU residents or monitor their behavior. Violations can result in fines of up to EUR 20 million or 4% of annual global turnover.

Key areas include data subject rights (Art. 15-22), records of processing activities (Art. 30), data processing agreements (Art. 28), the Data Protection Officer (Art. 37-39), and breach notification within 72 hours (Art. 33).

The 7 Principles of Data Processing (Art. 5)

Core principles of the GDPR

  • Lawfulness, fairness, and transparency
  • Purpose limitation — data only for specified purposes
  • Data minimization — collect only what is necessary
  • Accuracy — keep data up to date
  • Storage limitation — not longer than necessary
  • Integrity and confidentiality (security)
  • Accountability — demonstrate compliance

Who Does the GDPR Affect?

Market location principle — regardless of company location

  • Any company processing personal data of EU residents
  • Controllers: determine purpose and means of processing
  • Processors: process data on behalf of controllers
  • Also companies outside the EU targeting EU residents

Free GDPR Readiness Check

How Well Are You Positioned?

Find out in 2 minutes. Free and anonymous.

GDPR Readiness Check

Answer 5 short questions and find out how well your company is positioned for GDPR compliance.

Note: This initial assessment is based on your responses and publicly available criteria (NIS2). It is not legally binding and does not replace an individual case review.

Timeline

The Path to GDPR Compliance

Step 1

Assessment

Record all processing activities, check legal bases, document data flows.

Step 2

Records of Processing

Create complete records per Art. 30: purpose, legal basis, recipients, deletion periods.

Step 3

TOMs & Policies

Document technical and organizational measures, create privacy policies.

Step 4

Establish Processes

Implement DSAR process, breach notification, DPA management, and training.

Step 5

Audit Readiness

Collect evidence, document accountability, prepare for supervisory authority review.

The sooner you start, the sooner you’re compliant. Kopexa supports you at every step.

How Kopexa Helps

From Requirement to Implementation

Manage data subject requests?

DSAR Management in Kopexa

Data subjects have extensive rights: access, erasure, rectification, data portability. Kopexa helps you process DSAR requests within deadlines and document everything.

  • DSAR tracking and deadline management
  • Response letter templates
  • Audit trail for evidence

Create records of processing?

Document processing activities centrally

Art. 30 GDPR requires a complete record of all processing activities. Kopexa makes this simple: record activities, assign legal bases, track deletion periods.

  • Structured records of processing
  • Legal basis assignment
  • Deletion period management

Manage processors?

Vendor management with DPA tracking

Art. 28 GDPR requires agreements with every service provider. Kopexa manages processors, tracks DPA status, and documents service provider TOMs.

  • Processor register
  • DPA status and deadlines
  • TOM documentation per provider

All Frameworks. One System.

Built by GRC Experts for European Mid-Market Companies

ISO 27001 · NIS2 · TISAX · DORA · BSI Grundschutz · DSGVO · SOC 2 · KRITIS · PCI-DSS · NIST CSF

Kopexa is built on OSCAL, the open NIST standard for machine-readable compliance frameworks. Every framework, every standard, every regulation: available instantly or custom-built with our Framework Builder.

Frequently Asked Questions about the GDPR

Let’s Assess Where You Stand

Free & non-binding. Response within 24h.

By submitting, you agree to our Privacy Policy.