UprootSecurity

EU Regulation 2016/679 · Supervisory authorities · Ongoing

FRAMEWORK

Data protection as running infrastructure.

GDPR isn't a project you finish; it's a posture you hold. Uproot builds your Record of Processing from real data flows and proves Article 32 security continuously.


RoPA generated in minutes · Breach notification ready at 72 hours

app.uproot.security · /framework/gdpr · GDPR · EU

acme-eu · GDPR programme · controller + processor · EU/EEA
86% in good standing · 38 met · 7 in progress · 2 open

Obligation areas · 47 controls
  • A.30 · Records of processing · RoPA · live · 96%
  • A.6 · Lawful basis & consent · Art. 6–7 · 88%
  • III · Data subject rights · Art. 12–23 · DSARs · 82%
  • A.32 · Security of processing · Art. 32 · 93%
  • A.28 · Processors & transfers · SCCs · Art. 28 · 44–49 · 74%

RoPA entries · 42 live · DPAs signed · 31 / 34 · Breach clock · 72h ready

RoPA updated automatically
A new analytics processor was detected. Art. 30 records and the transfer basis updated in place.

Articles · 99
The regulation runs to 99 articles and 173 recitals. A handful create the obligations you operate day to day.

Breach notification · 72 hours
Notifiable personal-data breaches must reach the supervisory authority within 72 hours of awareness.

Maximum fine · 4% or €20M
Up to 4% of global annual turnover, or €20 million — whichever is higher.

Authority · EDPB
Enforced by national supervisory authorities, coordinated by the European Data Protection Board.

Status · Ongoing
Not a certificate. A continuous obligation — exactly what continuous evidence is built for.

What GDPR asks of you

Five obligation areas where most engineering orgs live.

GDPR is broad, but for a product team it concentrates into a few operational duties: know what you process, have a lawful reason, honour people's rights, secure the data, and govern who else touches it. Uproot operates all five from your real systems.

Art. 30 · Records of processing
An inventory of what personal data you process, why, and for how long — the document every regulator asks for first.
Art. 30(1) Controller records · 30(2) Processor records · purposes · categories · retention
Basis · Article 30

Art. 6 · Lawful basis & consent
Every processing activity needs a lawful basis — recorded and defensible.
Art. 6 Lawfulness · Art. 7 Consent · Art. 9 Special categories
Basis · Articles 6–7

Ch. III · Data subject rights
Access, erasure, portability, and objection — answered within statutory deadlines, usually one month.
Art. 15 Access · Art. 17 Erasure · Art. 20 Portability
Basis · Ch. III · Art. 12–23

Art. 32 · Security of processing
Encryption, resilience, and testing — where your security posture becomes a privacy obligation.
Art. 32(1)(a) Encryption · (b) Resilience · (d) Testing
Basis · Article 32

Art. 28 · Processors & transfers
DPAs with every sub-processor, and a valid transfer mechanism for data leaving the EEA.
Art. 28 Processor DPAs · Art. 44–49 Transfers · SCCs
Basis · Art. 28 · 44–49

One obligation, end to end

A regulator's first request is almost always your Record of Processing. Article 30 decides the tone.

The RoPA is the document teams maintain by hand and dread updating. Uproot builds it from your actual data flows and keeps it true.

Article 30 — Records of processing activities

Controllers and processors must maintain a record of processing activities: purposes, categories of data and data subjects, recipients, transfers, retention periods, and security measures. Get this wrong and every other conversation with a regulator starts on the back foot.

"Uproot PtaaS offers the perfect suite of features to ensure the highest security standards for our clients. We are impressed by their dedication to continuous testing. Their seamless integration combined with the hacker mindset and thorough manual pentesting approach, truly sets them apart."

— Gaurav Kulkarni, CEO

ART. 30 · RECORDS OF PROCESSING

Record of processing activities
Last regenerated 09:14:02 UTC · 42 activities · sha256 verified · Current

01 · The article · What Article 30 asks for
“Each controller shall maintain a record of processing activities under its responsibility… the purposes of the processing, a description of the categories of data subjects and personal data… and the envisaged time limits for erasure.”

02 · Your real data flows · What we read from your systems
Uproot maps where personal data actually lives and moves — not a survey of what teams think they collect.
postgres · schema.pii · segment · destinations · stripe · customer.data · intercom · contacts

03 · Record assembled · Purposes, recipients, retention, transfers
Each activity is built with its lawful basis, recipients, retention period, and transfer mechanism — versioned and timestamped.
42 activities · mapped · processors · 34 linked · transfers · SCCs attached · 0 undocumented flows

04 · For the regulator / DPO · Export-ready, always current
Your DPO — or a supervisory authority — gets a complete, current RoPA on demand, with the lineage showing where every entry came from.
Role · Controller + Processor · Activities · 42 · Gaps · 0

CCPA 1798.130 · ISO A.5.34 · SOC 2 P-series

Path to good standing

From first data map to a defensible GDPR programme.

GDPR is ongoing, so the goal isn't a certificate — it's a programme you can defend to a regulator on any given day.

Day 0 · Map personal data
Uproot discovers where personal data lives across your databases, SaaS, and processors — the foundation of everything else.

Day 1–2 · Generate the RoPA
Article 30 records built from real flows, each with purpose, lawful basis, recipients, and retention.

Day 3–18 · Close the gaps
Missing DPAs collected, transfer mechanisms attached, Article 32 measures verified, DSAR workflow stood up.

Day 19–30 · Defensible
Programme documented, breach plan rehearsed, 72-hour clock ready. Able to answer a regulator or a customer DPA review.

Ongoing · Stay current
New processors, schema changes, and transfers update the RoPA automatically. Drift becomes a ticket, not a surprise.

The consultancy way
  • A RoPA rebuilt from interviews once a year — wrong the moment a team ships a new integration
  • DPAs scattered across inboxes and a deal desk, with no view of which sub-processors lack one
  • A breach plan in a slide deck that no one has run against the 72-hour clock
  • Article 32 security described in a policy, never tied to what’s actually deployed

With Uproot
  • A RoPA generated from real data flows and regenerated when they change
  • Every processor DPA and transfer mechanism tracked, gaps surfaced as tickets
  • A breach workflow wired to your incident response, evidence and clock ready at hour zero
  • Article 32 measures proven from the live environment, not asserted on paper

Evidence map

Where your GDPR posture actually lives. Uproot reads it there.

A partial map of the obligations Uproot evidences from source systems — data inventory, security measures, processors, and rights handling.

Art. 30 · Data inventory
  • Postgres · PII columns · tagged
  • Segment · data flows · mapped
  • Snowflake · warehouse · classified
  • Retention schedule · live

Art. 32 · Security measures
  • KMS · encryption at rest · all
  • TLS · in transit · 1.2+
  • AWS · backup + DR · tested
  • Pen test · annual · on file

Art. 28 · Processors
  • Sub-processor list · 34
  • DPAs signed · 31 / 34
  • SCCs · non-EEA · attached
  • Transfer impact assessment · live

Ch. III · Rights & breach
  • DSAR workflow · ≤30d
  • Consent records · versioned
  • Incident response · IRP · 72h
  • Breach register · live

Supervisory authorities

Who you'll answer to — and what Uproot has ready when they ask.

GDPR has no certifying body; your lead supervisory authority is determined by your main establishment. Whichever it is, Uproot keeps the RoPA, security evidence, and breach record export-ready.

CNIL · France
DPC · Ireland
BfDI · Germany
AEPD · Spain
Garante · Italy
AP · Netherlands
ICO · UK GDPR
CNPD · Luxembourg
Datatilsynet · Denmark
IMY · Sweden
EDPB · coordination
+ all 27 · EU/EEA

GDPR, plainly

Questions we get every week. Answered the way an engineer would.

Can I be "GDPR certified"?

Not in the way people mean. GDPR allows approved certification mechanisms (Article 42), but there's no universal certificate. Compliance is an ongoing posture you demonstrate — which is exactly what continuous evidence provides.

Do I need a Data Protection Officer?

Only if your core activities involve large-scale monitoring or special-category data, or you're a public authority. Many companies appoint one anyway. Uproot gives whoever holds the role a live RoPA and evidence base to work from.

What is the RoPA and why does it matter?

The Record of Processing Activities (Article 30) is the inventory of what you process and why. It's almost always a regulator's first request. Uproot generates it from your real systems so it's accurate, not aspirational.

What about data transfers out of the EU?

Transfers to non-adequate countries need a mechanism — usually Standard Contractual Clauses plus a transfer impact assessment. Uproot tracks which processors are outside the EEA and whether a valid mechanism is attached.
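The processor and transfer checks described above (a signed Art. 28 DPA for every processor, and SCCs plus a transfer impact assessment for any processor outside the EEA that is not covered by an adequacy decision) reduce to a small rule set over a processor inventory. The script below is an added example, not Uproot's code; the inventory, the processor names and countries, the simplified adequacy list, and the field names are all constructed assumptions. It reports the same kind of figures the page's dashboard shows (DPAs signed, percentage in good standing) and emits one ticket per gap.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# EEA: the EU-27 plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}
# Destinations with an EU adequacy decision. Simplified, partial list used only
# for this example; a real check would track the current decisions and their
# scope (the US decision, for instance, covers only Data Privacy Framework
# participants, so country alone is not enough there).
ADEQUATE = {"GB", "CH", "JP", "KR", "NZ", "IL", "AR", "UY"}


@dataclass
class Processor:
    name: str
    country: str                     # where the processor handles the data
    dpa_signed: bool                 # Art. 28 data processing agreement on file
    mechanism: Optional[str] = None  # Art. 46 mechanism: "SCC", "BCR", or None
    tia_done: bool = False           # transfer impact assessment completed


def needs_transfer_mechanism(country: str) -> bool:
    """A transfer needs an Art. 46 mechanism when the destination is outside
    the EEA and not covered by an adequacy decision."""
    return country not in EEA and country not in ADEQUATE


def check_processor(p: Processor) -> List[str]:
    """Return the open gaps for one processor; an empty list means clean."""
    gaps = []
    if not p.dpa_signed:
        gaps.append("no Art. 28 DPA on file")
    if needs_transfer_mechanism(p.country):
        if p.mechanism is None:
            gaps.append("non-EEA transfer without SCCs/BCRs")
        elif not p.tia_done:
            gaps.append("transfer mechanism attached but no transfer impact assessment")
    return gaps


def audit(processors: List[Processor]) -> Dict:
    """Summarise the inventory the way a dashboard would: DPA count, the
    percentage of processors with no open gap, and one ticket per gap."""
    tickets = []
    clean = 0
    for p in processors:
        gaps = check_processor(p)
        if gaps:
            tickets.extend({"processor": p.name, "gap": g} for g in gaps)
        else:
            clean += 1
    total = len(processors)
    return {
        "total": total,
        "dpas_signed": sum(p.dpa_signed for p in processors),
        "clean": clean,
        "in_good_standing_pct": round(100 * clean / total) if total else 100,
        "tickets": tickets,
    }


# Constructed sample inventory; names and countries are made up for the example.
SAMPLE = [
    Processor("payments-vendor", "US", True, mechanism="SCC", tia_done=True),
    Processor("support-chat", "IE", True),
    Processor("analytics-vendor", "US", False),
    Processor("warehouse", "US", True, mechanism="SCC"),
    Processor("uk-helpdesk", "GB", True),
]

if __name__ == "__main__":
    result = audit(SAMPLE)
    print(f"{result['dpas_signed']} / {result['total']} DPAs signed, "
          f"{result['in_good_standing_pct']}% in good standing")
    for t in result["tickets"]:
        print(f"ticket: {t['processor']}: {t['gap']}")
```

On the sample inventory the two US processors without a complete transfer package are the ones that produce tickets; the UK processor passes on adequacy alone, which is why a check keyed on country, not on "outside the EU", is the right shape. Treating the result as tickets rather than a report is what keeps the gap from reappearing silently after the next processor is added.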

How fast must I report a breach?

Notifiable breaches go to the supervisory authority within 72 hours of becoming aware, and to affected individuals without undue delay if the risk is high. Uproot keeps incident evidence and the clock ready before an incident happens.

How does GDPR relate to CCPA?

They share a spine — data inventory, rights handling, vendor governance — but differ in mechanics. If you run GDPR with Uproot, most of CCPA falls out of the same data map and processor tracking.

Hold the posture. Skip the binder.

Map your personal data, generate the RoPA by lunch, and keep processors, transfers, and Article 32 security provable. When a regulator asks, the record is already current.

$ uproot init --framework gdpr
scanning for personal data          ok
building Article 30 RoPA            42
34 processors · 31 DPAs on file     86%
RoPA generated in 3m 22s            live