
How to Comply with the GDPR: A Step-by-Step Guide in 7 Key Actions

by Ola Mohty

    GDPR compliance is not a fixed state but an ongoing process. Discover the key steps to effectively protect the personal data of your customers and employees.


    GDPR compliance is not a state, but a process

    Mapping your processing operations

    What is processing mapping?

    A processing map consists of a guided inventory of all the personal data processed by your company.

    A data processing map is a census of all the personal data processing operations of an organisation. Establishing a processing map is one of the essential starting points for having an overall view of the personal data processing in circulation within the organisation.

    It gives employees better access to, and a better understanding of, the personal data processed and its origin.

    Good practices: What does the GDPR state?

    Mapping processing operations is a recommendation of the CNIL for measuring the level of compliance with the GDPR, based among other things on the information recorded in the Record of Processing Activities.

    It thus enables compliance to be monitored over time and feeds the register of processing activities, so that organisations can draw up action plans to ensure compliance.

    The processing map must include, as a minimum, the information that must be included in the register of processing activities, in particular:

    • the purpose of the processing
    • the categories of data
    • the data subjects
    • the recipients of the data
    • the security measures applied to the processing

    Determine the processing’s purpose

    What is it?

    Determining the purpose of each personal data processing operation is an essential obligation imposed by the GDPR. The purpose of a data processing operation answers the question: why is my company collecting this data?

    For example, collecting data from prospects via a website form is an action whose general purpose may be commercial prospecting and whose specific purpose is to make contact in order to sell a good or a service.

    Firstly, the declared purpose of a processing operation sets the limit. It is indeed forbidden to process data for purposes incompatible with the initial purposes.

    In addition, the purposes of the processing operations carried out must be declared in the register of processing operations and brought to the attention of the data subjects.

    Finally, the duration of data retention depends directly on this purpose. Indeed, it is forbidden to keep personal data longer than is necessary to achieve the declared purpose.


    Informing customers & employees

    Any person whose personal data are processed has the right to obtain from the controller certain mandatory information concerning the processing operations in question and that person’s rights with regard to his or her data.

    In the context of employment relationships, the employer is necessarily a data controller of his employees’ data: both the employment contract and the labour code oblige the employer to process certain data (staff register, payroll, evaluations, etc.).

    In the context of relations with its customers, a company will also be responsible for processing their data, even if it is only data relating to the follow-up of the contract.


    Retain data for an appropriate period of time

    What is it?

    The GDPR requires that the retention of personal data be limited in time: the retention period must be proportionate to the purpose of the processing.

    3 types of archiving of personal data

    • Current archiving: Routine archiving refers to the need for data to be retained by the data controller in relation to the purpose of the processing. This period may be fixed contractually between the controller and the data subject.
    • Intermediate archiving: Intermediate archiving refers to the case where data can be kept longer than the period initially provided for contractually. This is the case when the law establishes a longer period than that provided for in the contract.
    • Permanent archiving: Some data cannot be permanently destroyed. This is particularly the case for data of public interest (historical, scientific, statistical).

    Use case

    Some laws set a retention period. In the absence of such laws, the controller is obliged to set a period of time that is proportionate to the objective and purpose. Once this period has been exceeded, the controller must delete or anonymise the personal data of the persons concerned.

    It should be remembered that the retention period for personal data begins when the contractual relationship ends or when the processing operation is completed.

    Examples of retention periods:

    • Data relating to payroll management: 5 years (Article L3243-4 of the Labour Code)
    • Personal data of prospects: 3 years if they have not responded to any solicitation for at least 3 years
    • Data processed by public or private health establishments: 20 years (Article R.1112-7 of the Public Health Code)
    • Data relating to personnel management: 5 years (Article R.1221-26 of the Labour Code)
    • Tax data: 6 years (Article L102 B of the Tax Procedures Book)
    • Electronic contracts: 10 years (Article L213-1 of the Consumer Code)
    • Video surveillance data: 1 month (Article L.252-3 of the Internal Security Code)
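    As an added illustration (not code from the article or from EQS Privacy Cockpit), the retention rule above expressed as a check a privacy engineer might run over a data inventory: the clock starts when the relationship ends or the processing completes, not at collection, and any record past its deadline is flagged for deletion or anonymisation. The periods are the ones listed above; record ids, dates and the AS_OF date are constructed.

```python
from datetime import date
import calendar

# Retention periods from the article, in months, with the legal references it cites.
RETENTION_MONTHS = {
    "payroll": 60,                # 5 years, Art. L3243-4 Labour Code
    "prospect": 36,               # 3 years without a response to any solicitation
    "health": 240,                # 20 years, Art. R.1112-7 Public Health Code
    "personnel": 60,              # 5 years, Art. R.1221-26 Labour Code
    "tax": 72,                    # 6 years, Art. L102 B Tax Procedures Book
    "electronic_contract": 120,   # 10 years, Art. L213-1 Consumer Code
    "video_surveillance": 1,      # 1 month, Art. L.252-3 Internal Security Code
}

def add_months(d, months):
    """Add calendar months, clamping the day to the length of the target month."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def retention_deadline(category, clock_start):
    """Last day the data may be kept. clock_start is the end of the contractual
    relationship or the completion of the processing, as the article states."""
    return add_months(clock_start, RETENTION_MONTHS[category])

def overdue_records(records, today):
    """Ids of records whose retention period has been exceeded.
    clock_start=None means the relationship is ongoing, so the clock has not started."""
    overdue = []
    for rec in records:
        if rec["clock_start"] is None:
            continue
        if today > retention_deadline(rec["category"], rec["clock_start"]):
            overdue.append(rec["id"])
    return overdue

# Constructed sample inventory (hypothetical ids and dates).
SAMPLE_RECORDS = [
    {"id": "emp-001", "category": "payroll", "clock_start": date(2019, 3, 31)},  # contract ended
    {"id": "emp-002", "category": "payroll", "clock_start": None},               # still employed
    {"id": "cam-017", "category": "video_surveillance", "clock_start": date(2024, 5, 31)},
    {"id": "lead-442", "category": "prospect", "clock_start": date(2022, 1, 15)},
    {"id": "pat-009", "category": "health", "clock_start": date(2010, 6, 1)},
]
AS_OF = date(2024, 7, 1)  # constructed "today" for the run

if __name__ == "__main__":
    for rid in overdue_records(SAMPLE_RECORDS, AS_OF):
        print(rid, "retention period exceeded: delete or anonymise")
```

    The clamping in add_months matters for the one-month video surveillance period: a clock started on 31 May ends on 30 June, so on 1 July the footage is already overdue.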


    Choose a legal basis

    GDPR Legal basis: What is it?

    Any processing of personal data must have a legal basis.

    Unlike the purpose of processing, which indicates the business objective of the processing, the legal basis is the legal title, the reason that authorises your company to process this data.

    Please note: as the legal bases for using an individual’s information are listed exhaustively in the GDPR, it is important to identify the appropriate legal basis, or not to process the data if this legal basis does not exist/no longer exists.

    This could be, for example, the consent of the individual, or the requirements of the performance of a contract.

    The lawful basis for processing must be made known to the data subject, and included in the record of processing activities to demonstrate that personal data is processed with respect for


    The collection of GDPR consent

    What is GDPR consent?

    Obtaining the consent of the persons concerned is one of the legal bases provided for by the General Data Protection Regulation. This consent authorises the implementation of personal data processing and can be collected in different ways (checkbox, handwritten signature, etc.).

    The GDPR defines data subjects’ consent as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies his or her agreement to personal data being processed”.

    What are the changes in the GDPR regarding data subjects’ consent?

    The GDPR has not fundamentally changed the notion of consent of data subjects, but rather consolidated its definition by adding safeguards, including:

      • The right to withdraw: the possibility for the data subject to withdraw his or her consent whenever he or she wishes
      • Proof of consent: The data controller must be able to demonstrate at any time that the person has consented (Article 7 § 1 of the GDPR)
      • Explicit consent: the consent of the data subject must be explicit, manifested by an express declaration. This implies the implementation of specific mechanisms by the controller to obtain such consent. Explicit consent is necessary to process sensitive data, for example.
      • Consent of minors: Age limits vary across EU Member States, ranging from 13 to 16 years. Below the applicable age, a person cannot lawfully consent to the processing of their personal data and requires both parental consent and the child’s own consent.

    How to collect GDPR consent?

    The GDPR imposes 4 cumulative criteria for a valid request for consent:
      • Free: The consent of the data subjects of the processing must be free, in other words, they are free to accept or not the processing concerning them. It must not be coerced or influenced
      • Specific: Consent must only relate to the purpose to which the person is attached. In cases where a processing operation involves several purposes, the data subject must be able to consent to each of them
      • Informed: The data subject must have certain information before consenting, the controller must be able to provide him/her with certain information in order for the consent to be informed (the identity of the controller, the purposes pursued, the categories of data collected, the existence of a right to withdraw consent, whether or not the data collected are transferred to a country outside the EU)
      • Unambiguous: consent must be clearly expressed and unambiguous. The following do not constitute unambiguous consent: pre-ticked boxes; grouped consents (i.e. a single consent instead of several separate consents); inactivity (e.g. the absence of a response to an email does not constitute consent)

    Use cases

    Let us take a typical case of vitiated consent. A person subscribes to a service and has to provide personal information to do so. On the face of it, the data will only be used to conclude and execute the service contract. However, profiling is carried out in order to send marketing information to subscribers.

    This purpose is stated in an information notice which the individual is obliged to accept by clicking on a box “I consent to the processing of my data”. No reference to the information notice is made, the person has to contact the controller to obtain it.

    In such a case, the person has not really consented to the processing of his or her data for marketing purposes, so the processing is unlawful.

    The case of withdrawal of consent

    Article 7(3) of the GDPR provides for the right of the data subject to withdraw consent, and the data subject may exercise this right with the controller at any time. The controller is obliged to inform the data subject of his or her right to withdraw consent before consent is collected.

    Consent was already enshrined in the Data Protection Act, but the GDPR has strengthened the conditions for obtaining it, including the right to freely change one’s mind about the processing of data by the controller.

    Is consent required for every processing operation?

    The GDPR establishes 6 legal bases for processing personal data, among them consent. Lawfulness of processing is therefore not limited to the consent of the data subjects: it may also rest on the performance of a contract or on the legitimate interest of the controller. It is up to the controller to match the purpose of the processing to the appropriate legal basis.

    What about the validity of consent collected before the entry into force of the GDPR?

    Consent of data subjects collected before the entry into force of the GDPR on 25 May 2018 is considered valid as long as it meets the requirements provided for by the GDPR. Otherwise, the controller must ensure that the conditions required by the GDPR are met for the consent to be considered validly collected.

    Conclusion

    GDPR compliance is an ongoing process that involves clear mapping of data processing activities, defining purposes, informing data subjects, limiting data retention, selecting a legal basis, and obtaining consent. With EQS Privacy Cockpit, these steps can be managed efficiently, turning compliance into a real driver of trust and performance for your organization.

    Ola Mohty

    Data Protection Expert – PhD in Law

    Passionate about privacy and data security, Ola has been helping organizations turn compliance into a true trust-building lever since 2018. Drawing on her deep legal expertise in personal data protection, she combines legal precision with a practical approach to support organizations of all sizes. Her mission: making data protection accessible, strategic, and value-driven.
