EU · UK · GDPR

GDPR compliance for companies processing EU data.

Privacy Center, DSR inbox, consent records, breach notification workflow, and audit proof. One workspace for all GDPR obligations.

No credit card required. Privacy Center live in 15 minutes.

ARTICLE 83 PENALTY TIERS

The fines are designed to be significant.

The GDPR's two-tier penalty structure ensures proportionality — but the upper tier can reach 4% of global turnover for large companies.

Tier | Violations covered | Maximum
Upper tier | Violation of core principles, lawfulness, consent, data subject rights, international transfers | €20 Million or 4% of global turnover, whichever is higher
Lower tier | Breach of processor obligations, security requirements, DPA obligations, certification body obligations | €10 Million or 2% of global turnover, whichever is higher

The UK GDPR mirrors these thresholds in GBP. Companies subject to both EU and UK GDPR face independent enforcement from each authority.

YOUR OBLIGATIONS

Eight things the GDPR requires.

Lawful basis & privacy notice

Articles 6, 13–14

Every processing activity needs a lawful basis. Data subjects must be informed at the point of collection.

Consent management

Articles 7–8

Consent must be freely given, specific, informed, and withdrawable. Keep records of when and how consent was given.

Data subject rights

Articles 15–22

Access, rectification, erasure, restriction, portability, and objection. Respond within 30 days (extendable to 90).

Breach notification

Articles 33–34

72-hour notification to supervisory authority. Communication to affected persons when risk is high.

Record of Processing Activities

Article 30

Controllers must maintain records of all processing activities. Required for demonstrating compliance.

Data Protection by Design

Article 25

Privacy must be integrated into systems and processes by default. Conduct DPIAs for high-risk processing.

DPO & accountability

Articles 37–39

Certain organisations must appoint a Data Protection Officer. All must demonstrate accountability.

International transfers

Chapter V

Transfers outside the EEA require adequate safeguards: SCCs, BCRs, or adequacy decisions.

HOW CONDUIT COVERS EACH OBLIGATION

One workspace. Every GDPR requirement.

GDPR Obligation | How Privacy Conduit covers it
Lawful basis & privacy notice | Privacy Center with GDPR-specific rights descriptions and processing notices.
Consent management | Consent records module: granted, withdrawn, expired, and purpose-tagged entries.
Data subject rights | DSR inbox with 30-day SLA clock, auto-escalation, and per-right response templates.
Breach notification | Breach workflow with 72-hour countdown and DPA notification template.
Record of Processing Activities | Data inventory + RoPA export generated from your live inventory.
Data Protection by Design | DPIA generator workspace with structured assessment and sign-off workflow.
DPO & accountability | Audit trail, closure reports, and evidence packages for every case.
International transfers | Vendor & DPA management module tracks transfer mechanisms per processor.

GET STARTED

Start your GDPR workspace today.

Privacy Center live in 15 minutes. Full GDPR compliance toolkit included.