
GDPR: Making Data Protection Provable

The General Data Protection Regulation (GDPR) has applied directly across the entire EU since May 25, 2018. It affects nearly every organization that processes personal data — regardless of size. Violations can result in fines of up to €20M or 4% of global annual turnover. This page explains what GDPR requires, who it applies to (and who barely), which obligations are central, and how to implement data protection with Sightadel in a structured, provable way.

What Is GDPR?

GDPR (Regulation (EU) 2016/679) governs how personal data may be processed in the EU. In Germany it is supplemented by the Federal Data Protection Act (BDSG); supervision lies with the state data protection authorities and the BfDI.

At its center are the core principles of Article 5: lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality — and, as an overarching obligation, accountability: you must not only ensure compliance but also be able to demonstrate it.

Who Does GDPR Apply To — and Who Barely?

GDPR applies to you if …

… your organization processes personal data of individuals in the EU — that is, data about customers, prospects, employees, suppliers, or website visitors. This applies to practically every company and public body, regardless of size. GDPR also has extraterritorial reach: it can apply to providers outside the EU who target EU residents.

Certain obligations are tied to thresholds — for example, the requirement to appoint a data protection officer or to carry out a data protection impact assessment for high-risk processing.

GDPR essentially does not apply to you if …

… a natural person processes data purely for personal or household purposes (e.g. a private address book). This "household exemption" is narrow and does not apply once a professional or commercial activity is involved.

Unlike with NIS2 or C5, the question here is rarely "Am I in scope?" — you almost always are — but "Which obligations apply to me, and to what extent?"

The Core Obligations of GDPR

  • A lawful basis per processing activity (Art. 6). Every processing activity needs a valid basis — such as consent, contract, or legitimate interest.
  • Records of processing activities (Art. 30). Documentation of all processing as the backbone of accountability.
  • Data subject rights. Access, rectification, erasure, restriction, portability, and objection — with defined deadlines.
  • Processor agreements (Art. 28, DPA). Contracts with service providers that process data on your behalf.
  • Data protection impact assessment (Art. 35, DPIA). Where processing is likely to result in a high risk to individuals.
  • Breach notification (Art. 33/34). Notification to the supervisory authority generally within 72 hours.
  • Technical and organizational measures (Art. 32, TOMs). An appropriate level of protection for the data.

The Typical Challenge in GDPR Implementation

  • Accountability without a system. GDPR requires evidence. If records of processing, DPAs, the deletion concept, and TOMs are scattered across documents, demonstrating compliance on request is laborious.
  • Static documentation. Processing activities, service providers, and data flows change. A record of processing created once goes out of date quickly.
  • Data protection and information security treated separately. The TOMs under Art. 32 overlap heavily with ISO 27001 and NIS2 — but are often maintained twice.

How Sightadel Simplifies GDPR Implementation

Sightadel is the compliance portal within the Pervigon Security Suite. It represents the GDPR obligations as a structured catalog and links the technical measures to your other security standards.

Faster to start. Pre-structured templates for records of processing, the DPA register, and the deletion concept. You populate your processing activities instead of building the structure from scratch.
Accountability at the press of a button. Obligations, owners, and evidence are linked. In the event of a supervisory authority inquiry, you produce the documented state rather than assembling it.
Always current. Processing activities, service providers, and measures are maintained centrally; reminders keep the records of processing alive.
Reuse of evidence. The technical and organizational measures under Art. 32 are mapped simultaneously to the corresponding requirements in ISO 27001 and NIS2. One piece of evidence, multiple frameworks.
No external consultants as a permanent crutch. The domain logic is built into the portal and supported by the neoAI core. Case-by-case legal assessment remains the task of your DPO or legal counsel — the ongoing maintenance is handled by your team.

GDPR with Sightadel in Practice

  1. Record. Document processing activities, lawful bases, and service providers in the portal (records of processing, DPA register).
  2. Assess. Identify high-risk processing and carry out a DPIA where required.
  3. Safeguard. Maintain TOMs, and map data subject requests and notification processes with deadlines.
  4. Maintain. Reminders, updates on changes, and a retrievable evidence state at any time.

Frequently Asked Questions About GDPR

Yes. GDPR applies regardless of company size. Individual obligations (e.g. appointing a DPO) are, however, tied to thresholds.

Data Protection as a State, Not a Project

GDPR does not end with the first record of processing. Processing activities, service providers, and risks change continuously. Sightadel keeps your data protection evidence state continuously current — structured, auditable, and without every change requiring external support.

This page is a general explanation and not legal advice. For the legal assessment of your specific case, consult your data protection officer or legal counsel.
