Official source map

GDPR official sources

Primary GDPR sources for SMEs: official regulation text, European Commission SME guidance, EDPB guidance, key articles, and EuroComply checklists.

What official sources should SMEs cite for GDPR?

The primary GDPR source is Regulation (EU) 2016/679, supported by European Commission SME guidance and European Data Protection Board guidance. SMEs should cite GDPR articles for legal obligations and keep operational evidence for lawful basis, ROPA, processor contracts, data subject rights, breach notification and DPIAs.

Article 5: Principles
Article 6: Lawful basis
Article 30: ROPA
Article 33: Breach notification
Article 35: DPIA

Primary source	Regulation (EU) 2016/679
EuroComply source page	/sources/gdpr
Last reviewed	2026-05-11

Source: Regulation (EU) 2016/679Reviewed: 2026-05-11

Official links

Regulation (EU) 2016/679Official GDPR legal text.European Commission GDPR guidance for SMEsCommission guidance on GDPR applicability for SMEs.European Data Protection Board guidanceEU-level guidance from data protection authorities.

Key references

Reference	Topic	Why it matters
Article 5	Principles	Basis for accountability evidence.
Article 6	Lawful basis	Every processing purpose needs one.
Article 30	ROPA	Processing record obligation and SME exemptions.
Article 33	Breach notification	72-hour authority notification rule.
Article 35	DPIA	Required for high-risk processing.

Use the source map with an action plan

Official sources answer what the law says. EuroComply guides turn those references into owners, deadlines, evidence and dashboard-ready actions.

GDPR compliance for SMEs GDPR SME checklist Fine risk calculator GDPR compliance guide

EU AI Act official sources NIS2 official sources DORA official sources Data Act official sources Pay Transparency Directive official sources