GDPR Compliance

General Data Protection Regulation (Regulation (EU) 2016/679)

GDPR Compliance Status: Compliant
DPO: Dr. Sarah Mueller | Last Audit: September 2025 | Next Review: March 2026

Requirement Coverage: 98.3% (58/59 requirements met)
Processing Activities: 42 documented in the ROPA
Data Subject Requests: 24 processed this year
Data Breaches: 0 in the last 12 months

GDPR Article Compliance

Article     | Topic                        | Description                                                                                                                                   | Requirements | Implemented | Status
Art. 5      | Principles of Processing     | Lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality        | 6            | 6           | Compliant
Art. 6      | Lawfulness of Processing     | Legal basis for processing personal data                                                                                                      | 4            | 4           | Compliant
Art. 12-14  | Transparency & Information   | Privacy notices, information to data subjects                                                                                                 | 8            | 8           | Compliant
Art. 15-22  | Data Subject Rights          | Access, rectification, erasure, restriction of processing, portability, objection, automated decision-making                                  | 8            | 7           | Partial
Art. 24-25  | Controller Obligations       | Data protection by design and default                                                                                                         | 5            | 5           | Compliant
Art. 28-29  | Processor Requirements       | Data processing agreements, sub-processor management                                                                                          | 6            | 6           | Compliant
Art. 30     | Records of Processing        | Processing activity documentation                                                                                                             | 3            | 3           | Compliant
Art. 32-34  | Security & Breaches          | Security measures, breach notification to the Supervisory Authority, communication to data subjects                                           | 7            | 7           | Compliant
Art. 35-36  | Impact Assessments           | DPIA requirements and prior consultation                                                                                                      | 4            | 4           | Compliant
Art. 37-39  | Data Protection Officer      | DPO designation, position, and tasks                                                                                                          | 3            | 3           | Compliant
Art. 44-49  | International Transfers      | Cross-border data transfers and safeguards                                                                                                    | 5            | 5           | Compliant
Total       |                              |                                                                                                                                               | 59           | 58          | 98.3%

Data Security

Encryption at Rest: AES-256
Encryption in Transit: TLS 1.3
Pseudonymisation: Implemented
Access Controls: RBAC (role-based access control)

Data Subject Rights

Right to Access: Active
Right to Erasure: Active
Right to Portability: Active
Response SLA: 30 days (GDPR Art. 12(3) requires a response without undue delay and within one month of receipt, extendable by two further months for complex or numerous requests, provided the data subject is informed of the extension within the first month)

International Transfers

EU/EEA: No restrictions
UK: Adequacy decision
US: EU-US Data Privacy Framework (applies only to recipients certified under the DPF)
Other: Standard Contractual Clauses (SCCs), supported by a transfer impact assessment of the destination country

Records of Processing Activities (ROPA) - Sample

Activity                 | Purpose                        | Data Categories                     | Retention                           | Lawful Basis
Client Onboarding        | Contract performance           | Identity, Contact, Financial        | Duration of relationship + 7 years  | Contract
Portfolio Management     | Contract performance           | Financial, Investment preferences   | Duration of relationship + 10 years | Contract
AML/KYC Compliance       | Legal obligation               | Identity, Source of wealth          | 5 years post-relationship           | Legal obligation
Marketing Communications | Legitimate interest/Consent    | Contact, Preferences                | Until withdrawal + 2 years          | Consent
Employee Management      | Contract/Legal obligation      | Identity, Employment, Payroll       | Duration + 7 years                  | Contract

Data Subject Requests (YTD)

Access Requests: 15
Erasure Requests: 4
Rectification Requests: 3
Portability Requests: 2
On-Time Completion Rate: 100%
Average Response Time: 18 days

Data Protection Impact Assessments

Assessment                      | Date           | Risk Level | Outcome
New CRM System Implementation   | October 2025   | Medium     | Approved
Cloud Migration Project         | August 2025    | High       | Approved with conditions
Client Portal Enhancement       | June 2025      | Low        | Approved
AI-Assisted Analytics Tool      | March 2025     | High       | Approved with conditions

Recent Data Subject Requests

Request Type     | Date              | Response Time | Status
Access Request   | November 12, 2025 | 12 days       | Completed
Erasure Request  | November 5, 2025  | 21 days       | Completed
Access Request   | October 28, 2025  | 15 days       | Completed
Rectification    | October 15, 2025  | 8 days        | Completed

GDPR Compliance Framework

Data Breach Notification
Personal data breaches must be notified to the Supervisory Authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects (Art. 33); a notification made after 72 hours must state the reasons for the delay. Breaches likely to result in a high risk must also be communicated to the affected data subjects without undue delay (Art. 34). Every breach, including those not notified, must be documented internally.
Data Protection Officer
DPO: Dr. Sarah Mueller | The DPO monitors compliance, advises on DPIAs, cooperates with the Supervisory Authority, and serves as the contact point for data subjects.
Supervisory Authority
  • Lead Authority: Irish Data Protection Commission
  • Registration: Active
  • One-Stop-Shop Mechanism: Applicable
  • Last Communication: August 2025
Compliance Activities
  • ROPA Update: Quarterly
  • Privacy Notice Review: Annual
  • Staff Training: Bi-annual
  • Third-Party Assessment: Annual