GDPR sets the rules for how organisations in the EU handle personal data. Trust OS turns the daily reality of GDPR — registers, lawful bases, retention, breach reporting — into one calm operating system that's always ready for an audit.
In May 2023 the Irish Data Protection Commission fined Meta €1.2 billion, the largest GDPR penalty to date, for transferring the personal data of European Facebook users to the United States without adequate safeguards. The decision was the end point of a decade of litigation that began with the Austrian campaigner Max Schrems and ran through two European Court of Justice rulings: Schrems I (2015) struck down the Safe Harbor framework, and Schrems II (2020) invalidated its successor, the EU-US Privacy Shield, while leaving Standard Contractual Clauses (SCCs) usable only where the exporter can show they deliver essentially equivalent protection in practice. Meta had moved its transfers onto SCCs after Schrems II; the DPC found that those SCCs, as operated, still did not adequately protect the data against US surveillance law.
The lesson isn't that one company misbehaved. It's that GDPR's accountability principle catches up with you slowly but completely: a single sub-processor relationship, a single transfer mechanism, a single retention period that you can't justify on paper, can compound into a regulatory event years after the original decision was made. The same year, the Commission also handed out fines to TikTok (€345m), Criteo (€40m) and dozens of smaller controllers — for issues as routine as missing legal bases for cookie tracking, unclear retention rules, or DSARs answered late.
The companies that handle these incidents calmly aren't the ones with the biggest legal team. They're the ones who can produce — within hours — the Article 30 register, the lawful basis documentation, the sub-processor list, the SCCs, and the breach playbook. That's exactly what Trust OS keeps continuously up to date.
The General Data Protection Regulation applies to every organisation established in the EU that processes personal data, and to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. It rests on the six principles of Article 5(1): lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. Article 5(2) adds accountability: you must be able to demonstrate compliance, not just claim it.
In practice, that means six concrete obligations every controller has to operate continuously:
Administrative fines run up to €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of €10 million or 2% applies to breaches of controller and processor obligations such as failing to keep the Article 30 records or to notify a breach. Reputational damage, orders from the supervisory authority to suspend processing, and claims from individuals often hit harder than the fine itself.
Trust OS treats GDPR as living operations, not a one-off documentation exercise. Each obligation has a dedicated workspace inside the platform, and evidence is captured automatically as your team works.
A live, multi-tenant Article 30 register that links every processing activity to its data categories, retention period and lawful basis, and, where that basis is legitimate interest, to the balancing test that justifies it. New activities flow into it through a 30-second form; the export for your supervisory authority is a single click.
Inbound DSARs land in Trust OS, are auto-classified by request type (access, erasure, portability, rectification, objection and so on), and route to the right data owner with a built-in deadline timer. The statutory deadline is one month from receipt under Article 12(3), not a flat 30 days, and it can be extended by up to two further months for complex or numerous requests provided the requester is told of the extension within the first month. The audit log captures every action automatically.
Pre-built DPIA (Article 35) templates for the most common high-risk scenarios. When something goes wrong, the breach playbook starts the Article 33 clock, 72 hours from the moment you become aware of the breach, prompts the right roles, and produces the notification packet for your supervisory authority with the evidence trail attached. Where the breach is likely to result in a high risk to individuals, Article 34 additionally requires you to inform the affected data subjects without undue delay.
A central register of every sub-processor with its sub-processing agreement, SCC annexes for non-EU transfers, and renewal date. Trust OS notifies you ahead of every renewal and keeps the public-facing list on your trust profile in sync.
GDPR doesn't sit alone in our platform. Most controls — access management, encryption, incident response, vendor governance — are shared with NIS2 and ISO/IEC 27001:2022. Trust OS maps each control once and reports against every framework, so a single piece of evidence covers all three.