GDPR & Data Protection
Records of processing activities (ROPA), data processing agreements (DPA), technical and organisational measures (TOM) under Article 32, DPIA, cookie banner, Schrems II, data breach notification — the GDPR practice track for DACH SMEs.
GDPR at a glance — before you deploy any templates
Structural knowledge on scope, mandatory duties and where to start reading the GDPR materials.
Who is subject to the GDPR?
The General Data Protection Regulation applies to every natural or legal person who, as a controller within the meaning of Article 4(7) GDPR, determines the purposes and means of processing personal data, as well as to processors as defined in Article 4(8) GDPR. Establishment within the Union is not the only trigger: through the market-location principle set out in Article 3(2) GDPR, the Regulation reaches extraterritorially and also covers providers from third countries where they offer goods or services to data subjects in the EU or monitor their behaviour within the Union. For DACH SMEs operating webshops, using cloud services or working with international partners, the personal scope of the Regulation is virtually always engaged.
The 4 mandatory pillars of GDPR compliance
The operational implementation of the Regulation rests on four binding pillars. First, the accountability obligation under Article 5(2) GDPR, which requires documented evidence of compliance with all principles laid down in Article 5(1) GDPR. Second, the data subject rights under Articles 12 to 22 GDPR — access, rectification, erasure, restriction, data portability and objection. Third, the technical and organisational measures under Article 32 GDPR, by which organisations must ensure a level of security appropriate to the risk. Fourth, the notification duties under Articles 33 and 34 GDPR for personal data breaches towards the supervisory authority and, where applicable, towards the data subjects affected.
Where to start?
The pillar article "GDPR guide" sets out the Regulation systematically and provides the framework for the deeper dives that follow. Four knowledge articles cover the most common entry questions: the data processing agreement under Article 28 GDPR for every service-provider relationship, the TOM checklist for Article 32 GDPR as the basis of the appropriate level of security, the 72-hour data breach notification procedure, and the assessment "When is a data protection officer mandatory?" under Article 37 GDPR and Section 38 BDSG.
The most important GDPR topics in detail
Step-by-step guides with templates, regulatory references and audit checklists.
Create records of processing activities 2026
Excel template + 14 SME examples + 9 mandatory fields
DPA template 2026 (Article 28 GDPR)
Model contract + 8 mandatory contents + Schrems II annex
TOM under Article 32: 8-area checklist
60-measure catalogue · State of the art 2026
Cookie banner Section 25 TDDDG
Equal-Choice + 12-point audit
Schrems II + DPF update 2026
Trump executive order + 12 EU alternatives
Data breach notification 72h
Articles 33/34 GDPR step by step
GDPR fining procedure: 8 steps
From incoming complaint to court action
When is a DPO required?
Section 38 BDSG + cost comparison internal vs. external
Listicles & top lists
Compact overviews — perfect for board meetings, newsletters or as an A4 print template.
Practice clusters & glossary
Special topics by industry, use case and mandatory terminology.
New GDPR templates for IT service providers
DPA templates, TOMs catalogue and sub-processor clauses for hosting, SaaS and cloud providers.
Audit-ready in 2-4 hours
Instead of months of research: deployable templates, personalised with your company name, one-off investment instead of consultancy fees.
View GDPR Kit →
Sources
- Regulation (EU) 2016/679 (GDPR) — English full text, EUR-Lex (as of 27 April 2016, in force since 25 May 2018)
- German Federal Data Protection Act (BDSG) — gesetze-im-internet.de (ongoing, German Federal Ministry of Justice service)
- European Commission — Data Protection main page (ongoing)
- European Commission — Digital Omnibus press release (as of 19 November 2025, trilogue ongoing)