Decision first
Do not start with a privacy-policy template. Start by identifying the processing activity, people affected, purpose, systems, jurisdictions, and parties that decide or perform the processing.
What GDPR regulates
GDPR regulates processing of personal data about identified or identifiable natural persons. Processing includes collection, storage, access, use, disclosure, transfer, alteration, restriction, and deletion. The technology is irrelevant: a database, spreadsheet, support ticket, log, paper register, model-training corpus, or backup can all be in scope.
Territorial questions
GDPR can apply to processing in the context of an EU establishment. It can also apply to a controller or processor outside the EU when processing relates to offering goods or services to people in the EU or monitoring their behavior there. Mere website accessibility is not, by itself, enough to prove that goods or services are being offered into the EU.
Role model
| Role | Core decision | Engineering consequence |
|---|---|---|
| Controller | Determines purposes and essential means | Owns lawful basis, notices, rights, retention, processor selection, and accountability evidence |
| Joint controllers | Determine purposes and means together | Must allocate responsibilities transparently without removing data-subject rights |
| Processor | Processes personal data on documented controller instructions | Needs an Article 28 contract, security controls, subprocessor governance, assistance, and deletion or return duties |
| Subprocessor | Processes data for a processor | Requires authorization and equivalent downstream obligations |
| DPO | Advises and monitors where Article 37 requires appointment | Must be independent, accessible, adequately resourced, and involved early |
| EU representative | Represents certain non-EU controllers or processors under Article 27 | Does not replace controller accountability |
Scope record
For every candidate activity, record:
- the product, service, or business process;
- categories of people and personal data;
- purposes and expected outcomes;
- systems, logs, exports, backups, suppliers, and recipients;
- controller, processor, joint-controller, and subprocessor roles;
- establishment, targeting, and monitoring facts relevant to territorial scope;
- the owner who approves the scope decision; and
- the source law, guidance, contract, and review date.
Common failures
- Treating all vendors as processors without checking who determines purpose.
- Assuming a cloud provider owns GDPR accountability because it hosts the database.
- Scoping only production databases and ignoring logs, support tools, exports, test data, and backups.
- Claiming GDPR applies globally to every accessible website without analyzing establishment, targeting, or monitoring.
- Publishing a notice before the processing inventory and role allocation exist.
Primary references
- Gdpr
- Privacy
- Scope
- Controller
- Processor
- Governance
Note Metadata
Aliases: GDPR Overview, GDPR Scope and Roles
Source: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng