REGULATION (EU) 2016/679
The regulation, operationalized
GDPR teams need to know what personal data they process, why it is lawful, where it lives, and whether rights and breaches are handled on time. Rizzqo turns each obligation into owned work, grounded in the systems that actually process personal data.
ARTICLE 6
Every activity needs a lawful basis
No processing of personal data is lawful without one of the six bases in Article 6. Rizzqo keeps a lawful basis, and its justification, on record for every processing activity — so lawfulness is never left as an open question.
Consent
The data subject has given clear, freely-given consent for a specific purpose.
Contract
Processing is necessary to perform a contract with the data subject.
Legal obligation
Processing is required to comply with a legal duty you are subject to.
Vital interests
Processing protects the vital interests of the data subject or another person.
Public task
Processing is carried out in the public interest or under official authority.
Legitimate interests
Processing serves a legitimate interest, balanced against the rights of the data subject.
ARTICLES 15–22
Data-subject rights, ready to honour
When someone exercises a right, you have one month to respond. Each right maps to the same underlying question: which of our systems hold this person’s data? Rizzqo keeps that map current, so a request becomes a workflow, not a fire drill.
Access
Confirm what data you hold and provide a copy.
Rectification
Correct inaccurate or incomplete personal data.
Erasure
Delete data where there is no overriding ground to keep it.
Restriction
Pause processing while a dispute is resolved.
Portability
Export data in a structured, machine-readable format.
Objection
Stop processing based on legitimate interests or marketing.
Automated decisions
Human review of solely automated, significant decisions.
Withdraw consent
Withdraw consent as easily as it was given.
HOW RIZZQO RUNS GDPR
What Rizzqo gives GDPR teams
Rizzqo runs your privacy programme on the same system inventory that powers your security programme. Your records, lawful bases and rights mapping stay grounded in where personal data actually lives — not in a spreadsheet kept to one side.
Records of Processing, kept alive automatically
Article 30 requires a register of every processing activity — its purpose, the data involved, retention and recipients. Rizzqo keeps yours current from the systems you already run, so it is accurate the moment you need to produce it.
- Always current, never a year out of date
- Built from real systems, not a static file
- Cross-border transfers tracked, not forgotten
Answer a data-subject request without guessing
A subject request should not mean emailing every team to ask who holds what. Rizzqo resolves it to a precise picture of where that person’s data lives — so you answer with confidence, inside the month you have.
- Pinpoint the systems in scope, not a guess
- Respond within the one-month deadline
- Hand off to the right team with full context
Evidence a regulator will accept
Accountability means being able to demonstrate compliance, not just claim it. When a supervisory authority asks you to prove a processing activity was lawful on a given date, the answer is already on the record — not something you scramble to reconstruct after the request.
- Evidence tied to real systems, not a binder
- A dated record of what was true, and when
- DPIAs that stay part of the same picture
ARTICLE 32
Security of processing is a privacy obligation
Article 32 requires appropriate technical and organisational measures: encryption, resilience, access control and regular testing. These are the same controls your information-security programme already runs. Rizzqo keeps privacy and security on one shared evidence base, so a control proven once counts for both.
See information security on ISO 27001- Encryption and pseudonymisation of personal data
- Confidentiality, integrity, availability and resilience
- Regular testing and evaluation of measures
- Mapped to ISO 27001 / 27002 controls you already operate
ARTICLE 33
Ready for the 72-hour clock
A breach starts a 72-hour notification window. The difference between a controlled response and a penalty is knowing immediately which systems and which data are in scope.
Detect & scope
Identify affected systems and the personal data they hold from the live inventory.
Assess risk
Judge likely impact to data subjects and decide whether the threshold to notify is met.
Notify supervisory authority
Report to the authority with nature, scope and remediation already documented.
Inform data subjects
Where high risk, notify affected individuals (Article 34) with a clear record of who and when.
Make GDPR something you can prove
Connect every obligation to the systems that process personal data, and turn your next audit or data-subject request into a routine export.