GDPR Violations — Breakdown by Type

What triggers this violation

• •Sending EU data to US servers without SCCs or adequacy decision
• •Using US-based SaaS tools without data processing agreements
• •Storing EU customer data in jurisdictions without adequate laws
• •Post-Schrems II non-compliance with Privacy Shield reliance

How to avoid it

• ✓Conduct a data transfer impact assessment (TIA/DTIA)
• ✓Implement Standard Contractual Clauses (SCCs) for all third-country transfers
• ✓Map all data flows including third-party processors
• ✓Check vendor sub-processor lists for US transfer exposure
• ✓Evaluate EU-based alternatives for high-risk data categories

What triggers this violation

• •Behavioural advertising without valid consent
• •Processing special category data (health, biometrics) without explicit consent
• •Retaining data beyond stated retention periods
• •Using legitimate interests where it is clearly overridden by individual rights

How to avoid it

• ✓Document a legal basis for every data processing activity
• ✓Maintain a Records of Processing Activities (RoPA)
• ✓Implement data minimisation and purpose limitation
• ✓Conduct Legitimate Interests Assessments (LIAs) where applicable
• ✓Enforce retention schedules with automated deletion

What triggers this violation

• •Cookie banners where refusal is harder than acceptance
• •Pre-ticked consent boxes
• •Bundled consent for multiple purposes
• •Telemarketing without clear prior opt-in
• •No valid withdrawal mechanism

How to avoid it

• ✓Implement a properly configured Consent Management Platform (CMP)
• ✓Make rejecting cookies as easy as accepting
• ✓Use granular consent per processing purpose
• ✓Audit your third-party cookie and tag inventory
• ✓Test consent flows for dark patterns

What triggers this violation

• •Unencrypted or poorly encrypted databases
• •Failure to patch known vulnerabilities
• •Insufficient access controls and privilege management
• •No intrusion detection or monitoring
• •Third-party vendor security failures without adequate oversight

How to avoid it

• ✓Conduct regular penetration testing
• ✓Implement encryption at rest and in transit
• ✓Apply least-privilege access principles
• ✓Run vulnerability management programme
• ✓Include security requirements in vendor contracts

What triggers this violation

• •Breach discovered but delayed reporting beyond 72 hours
• •Breach underreported to minimise perceived severity
• •No incident response plan or breach register
• •Failing to notify affected high-risk individuals

How to avoid it

• ✓Implement a documented breach response procedure
• ✓Define breach severity tiers and notification thresholds
• ✓Appoint a breach response owner
• ✓Test breach notification procedures in tabletop exercises
• ✓Maintain a breach register even for near-misses

What triggers this violation

• •Organisation meets DPO criteria but hasn't appointed one
• •DPO not properly positioned or resourced
• •DPO lacks required expertise
• •DPO has conflicting roles (e.g. also the CISO or General Counsel)

How to avoid it

• ✓Assess whether your processing activities require a DPO
• ✓If required, formally appoint and register the DPO with your DPA
• ✓Ensure DPO has sufficient resources and access to senior management
• ✓Consider an external DPO-as-a-service if in-house expertise is lacking