REGULATION (EU) 2016/679

The regulation, operationalized

GDPR teams need to know what personal data they process, why it is lawful, where it lives, and whether rights and breaches are handled on time. Rizzqo turns each obligation into owned work, grounded in the systems that actually process personal data.

ARTICLE 6

Every activity needs a lawful basis

No processing of personal data is lawful without one of the six bases in Article 6. Rizzqo keeps a lawful basis, and its justification, on record for every processing activity — so lawfulness is never left as an open question.

01
Art. 6(1)(a)

Consent

The data subject has given clear, freely-given consent for a specific purpose.

02
Art. 6(1)(b)

Contract

Processing is necessary to perform a contract with the data subject.

03
Art. 6(1)(c)

Legal obligation

Processing is required to comply with a legal duty you are subject to.

04
Art. 6(1)(d)

Vital interests

Processing protects the vital interests of the data subject or another person.

05
Art. 6(1)(e)

Public task

Processing is carried out in the public interest or under official authority.

06
Art. 6(1)(f)

Legitimate interests

Processing serves a legitimate interest, balanced against the rights of the data subject.

ARTICLES 15–22

Data-subject rights, ready to honour

When someone exercises a right, you have one month to respond. Each right maps to the same underlying question: which of our systems hold this person’s data? Rizzqo keeps that map current, so a request becomes a workflow, not a fire drill.

Art. 15

Access

Confirm what data you hold and provide a copy.

Art. 16

Rectification

Correct inaccurate or incomplete personal data.

Art. 17

Erasure

Delete data where there is no overriding ground to keep it.

Art. 18

Restriction

Pause processing while a dispute is resolved.

Art. 20

Portability

Export data in a structured, machine-readable format.

Art. 21

Objection

Stop processing based on legitimate interests or marketing.

Art. 22

Automated decisions

Human review of solely automated, significant decisions.

Art. 7

Withdraw consent

Withdraw consent as easily as it was given.

Respond within one month (Article 12(3)).

HOW RIZZQO RUNS GDPR

What Rizzqo gives GDPR teams

Rizzqo runs your privacy programme on the same system inventory that powers your security programme. Your records, lawful bases and rights mapping stay grounded in where personal data actually lives — not in a spreadsheet kept to one side.

ARTICLE 30 · ROPA

Records of Processing, kept alive automatically

Article 30 requires a register of every processing activity — its purpose, the data involved, retention and recipients. Rizzqo keeps yours current from the systems you already run, so it is accurate the moment you need to produce it.

  • Always current, never a year out of date
  • Built from real systems, not a static file
  • Cross-border transfers tracked, not forgotten
ARTICLES 15–20 · DSAR

Answer a data-subject request without guessing

A subject request should not mean emailing every team to ask who holds what. Rizzqo resolves it to a precise picture of where that person’s data lives — so you answer with confidence, inside the month you have.

  • Pinpoint the systems in scope, not a guess
  • Respond within the one-month deadline
  • Hand off to the right team with full context
ARTICLE 5(2) · ACCOUNTABILITY

Evidence a regulator will accept

Accountability means being able to demonstrate compliance, not just claim it. When a supervisory authority asks you to prove a processing activity was lawful on a given date, the answer is already on the record — not something you scramble to reconstruct after the request.

  • Evidence tied to real systems, not a binder
  • A dated record of what was true, and when
  • DPIAs that stay part of the same picture

ARTICLE 32

Security of processing is a privacy obligation

Article 32 requires appropriate technical and organisational measures: encryption, resilience, access control and regular testing. These are the same controls your information-security programme already runs. Rizzqo keeps privacy and security on one shared evidence base, so a control proven once counts for both.

See information security on ISO 27001
Art. 32(1): Technical & organisational measures
  • Encryption and pseudonymisation of personal data
  • Confidentiality, integrity, availability and resilience
  • Regular testing and evaluation of measures
  • Mapped to ISO 27001 / 27002 controls you already operate

ARTICLE 33

Ready for the 72-hour clock

A breach starts a 72-hour notification window. The difference between a controlled response and a penalty is knowing immediately which systems and which data are in scope.

Hour 0

Detect & scope

Identify affected systems and the personal data they hold from the live inventory.

Hour 0–24

Assess risk

Judge likely impact to data subjects and decide whether the threshold to notify is met.

By hour 72

Notify supervisory authority

Report to the authority with nature, scope and remediation already documented.

Without delay

Inform data subjects

Where high risk, notify affected individuals (Article 34) with a clear record of who and when.

Make GDPR something you can prove

Connect every obligation to the systems that process personal data, and turn your next audit or data-subject request into a routine export.

Records that stay currentRights mapped to systemsAudit-ready evidence