CT GDPR Compliance
The GDPR Compliance Training teaches employees foundational GDPR principles, lawful bases, data subject rights, governance, and breach notification, enabling them to identify personal data, follow proper handling procedures, and ensure organizational compliance.
Who Should Take This
Front-line staff, managers, and support personnel who process or handle EU/EEA personal data should take this course. It is designed for employees with basic data-handling experience who need to understand GDPR obligations, respond to data-subject requests, and act promptly on breach incidents to protect the organization.
What's Included in AccelaStudy® AI
Course Outline
65 learning goals
1. GDPR Foundations and Key Concepts (2 topics)
GDPR overview and scope
- Identify the purpose and territorial scope of the GDPR including its application to organizations outside the EU that offer goods or services to, or monitor the behavior of, EU residents.
- Describe the seven key principles of GDPR: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.
- Identify the roles of data controller, data processor, and data subject and explain the distinct obligations and liabilities associated with each role under the GDPR.
Personal data definitions
- Recognize the GDPR definition of personal data as any information relating to an identified or identifiable natural person including names, identification numbers, location data, and online identifiers.
- Identify special categories of personal data including racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and sexual orientation.
- Distinguish between personal data, pseudonymized data, and anonymized data and explain the different GDPR obligations that apply to each category.
- Analyze workplace data examples to classify information as personal data, special category data, pseudonymized data, or anonymized data and determine applicable GDPR requirements.
2. Lawful Bases for Processing (3 topics)
Six lawful bases
- Identify the six lawful bases for processing personal data under Article 6: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
- Describe the requirements for valid consent under GDPR including freely given, specific, informed, and unambiguous indication through a clear affirmative action.
- Explain the legitimate interests basis including the requirement for a legitimate interests assessment (LIA) balancing the controller's interests against the data subject's rights.
- Describe the additional conditions required for processing special category data under Article 9 including explicit consent, employment obligations, and vital interests.
- Analyze processing scenarios to determine the most appropriate lawful basis and explain why the chosen basis applies while others do not.
Consent management
- Identify requirements for obtaining valid consent including unbundled from other terms, no pre-ticked boxes, granular for different purposes, and easy to withdraw.
- Describe the documentation requirements for consent including maintaining records of when and how consent was obtained and ensuring consent can be demonstrated to regulators.
- Explain the additional requirements for children's consent including age verification, parental consent mechanisms, and the varying age thresholds across EU member states.
Purpose limitation and further processing
- Describe the purpose limitation principle requiring personal data to be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Identify the compatibility test factors for determining whether further processing is compatible with the original purpose including relationship between purposes, context, nature of data, consequences, and safeguards.
- Analyze a proposed secondary use of personal data to determine whether it is compatible with the original collection purpose or requires a new lawful basis.
3. Data Subject Rights (3 topics)
Access and information rights
- Identify the data subject's right of access under Article 15 including the right to obtain confirmation of processing, access to personal data, and information about the processing purposes.
- Describe the transparency obligations under Articles 13 and 14 requiring controllers to provide clear information about data processing at the time of collection or within a reasonable period.
- Explain the one-month response deadline for data subject access requests, conditions for extending to three months, and when a reasonable fee may be charged for excessive requests.
Rectification, erasure, and restriction
- Describe the right to rectification under Article 16 requiring controllers to correct inaccurate personal data and complete incomplete data without undue delay.
- Identify the grounds for exercising the right to erasure (right to be forgotten) under Article 17 and the exceptions where erasure may be refused including legal compliance and public interest.
- Describe the right to restriction of processing under Article 18 including when it applies and the limited processing permitted during restriction periods.
- Analyze data subject requests to determine which right applies, whether exceptions exist, and what the organization's response obligations are within the required timeline.
Portability, objection, and automated decisions
- Describe the right to data portability under Article 20 including the requirement to provide data in a structured, commonly used, and machine-readable format.
- Explain the right to object under Article 21 including objecting to processing based on legitimate interests, direct marketing, and research purposes.
- Identify protections against automated individual decision-making and profiling under Article 22 including the right not to be subject to decisions based solely on automated processing with legal or significant effects.
- Synthesize a data subject rights handling procedure incorporating request verification, routing to the appropriate right, deadline tracking, and response documentation.
4. Data Protection Governance (5 topics)
Privacy by design and by default
- Describe the principle of data protection by design requiring technical and organizational measures to implement data protection principles from the earliest stage of system development.
- Explain data protection by default requiring that only personal data necessary for each specific purpose is processed and that data is not made accessible to an indefinite number of persons.
Data Protection Impact Assessments
- Identify when a Data Protection Impact Assessment (DPIA) is required under Article 35 including systematic monitoring, large-scale processing, and special category data processing.
- Describe the required contents of a DPIA including processing description, necessity and proportionality assessment, risk assessment, and planned mitigation measures.
- Explain the requirement for prior consultation with the supervisory authority under Article 36 when a DPIA indicates high residual risk that cannot be mitigated.
Data Protection Officer
- Identify when an organization must appoint a Data Protection Officer: public authorities, large-scale systematic monitoring, and large-scale processing of special category data.
- Describe the DPO's responsibilities including advising on GDPR compliance, monitoring compliance activities, cooperating with supervisory authorities, and acting as a contact point for data subjects.
- Explain the DPO's organizational independence requirements including no instructions regarding task exercise, no dismissal or penalty for performing duties, and direct reporting to highest management.
Records and accountability
- Describe the requirement for controllers and processors to maintain records of processing activities (ROPA) under Article 30 including required content and exemptions for small organizations.
- Explain the accountability principle requiring controllers to demonstrate compliance through documentation, policies, training records, and audit trails.
Data processing agreements
- Identify the Article 28 requirement for controllers to use only processors providing sufficient guarantees and to formalize the relationship through a written data processing agreement.
- Describe the mandatory content of data processing agreements including subject matter, duration, nature of processing, types of data, categories of data subjects, and controller's obligations.
- Explain the restrictions on sub-processing including the requirement for prior written authorization from the controller and the obligation to impose equivalent data protection obligations on sub-processors.
- Analyze a vendor relationship to determine whether a data processing agreement is required, what provisions it must contain, and whether the processor provides sufficient compliance guarantees.
5. Data Breach Notification (3 topics)
Breach detection and assessment
- Recognize the GDPR definition of a personal data breach as a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.
- Identify common breach types including unauthorized access, data theft, ransomware, accidental disclosure, lost devices, and misdirected communications.
- Describe the breach risk assessment process for determining whether a breach is likely to result in a risk or high risk to the rights and freedoms of data subjects.
Notification obligations
- Describe the 72-hour notification requirement to the supervisory authority under Article 33 including required information, phased notification, and the exception for unlikely risk to rights and freedoms.
- Identify when communication to affected data subjects is required under Article 34: high risk to rights and freedoms, and the exceptions when communication is not required.
- Explain processor obligations to notify the controller without undue delay upon becoming aware of a personal data breach.
- Analyze a breach scenario to determine notification obligations, assess the risk level to data subjects, and identify required actions within the 72-hour window.
Internal breach procedures
- Identify the steps an employee should take upon discovering a potential data breach including immediate reporting to the DPO or privacy team, preserving evidence, and documenting the incident.
- Describe the requirement to maintain a breach register documenting all breaches including those not reported to the supervisory authority for accountability purposes.
- Synthesize a breach response workflow incorporating detection, containment, assessment, supervisory authority notification, data subject communication, and lessons learned documentation.
6. Cross-Border Transfers and Enforcement (3 topics)
International data transfers
- Identify the GDPR restriction on transferring personal data to countries outside the EU/EEA and the requirement for appropriate safeguards or derogations.
- Describe adequacy decisions by the European Commission and explain how they enable unrestricted data transfers to approved countries.
- Explain the role of Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and codes of conduct as transfer mechanisms when no adequacy decision exists.
- Analyze a cross-border data flow to identify which transfer mechanism applies and evaluate whether supplementary measures are needed based on the destination country's data protection framework.
Enforcement and penalties
- Identify the two tiers of GDPR administrative fines: up to EUR 10 million or 2% of annual global turnover for procedural violations, and up to EUR 20 million or 4% for substantive violations.
- Describe the factors supervisory authorities consider when determining fine amounts including nature and gravity of infringement, intentional character, mitigation measures, and prior infringements.
- Identify supervisory authority corrective powers beyond fines including warnings, reprimands, ordering compliance, imposing processing bans, and ordering data erasure.
- Analyze enforcement case studies to identify which GDPR provisions were violated and evaluate the proportionality of imposed penalties based on the violation's severity and organizational response.
Practical compliance in the workplace
- Recognize common GDPR compliance failures in daily work including collecting unnecessary data, failing to update privacy notices, ignoring data subject requests, and sharing data without a lawful basis.
- Describe best practices for GDPR-compliant data handling including data minimization in emails, secure file sharing, clean desk policies, and regular data reviews.
- Explain employee responsibilities for handling data subject requests including recognizing a request, recording receipt, escalating to the appropriate team, and not processing beyond authorization.
- Synthesize a personal data handling checklist for a department incorporating data minimization, purpose limitation, storage limitation, access controls, and breach reporting procedures.
Scope
Included Topics
- General Data Protection Regulation (GDPR) compliance training for employees in organizations that collect, process, or store personal data of EU/EEA residents.
- Personal data definitions, special categories of data (racial/ethnic origin, health data, biometrics, political opinions, religious beliefs), and pseudonymized vs anonymized data distinctions.
- Data subject rights including right of access, right to rectification, right to erasure (right to be forgotten), right to restrict processing, right to data portability, right to object, and rights related to automated decision-making and profiling.
- Six lawful bases for processing personal data: consent, contract performance, legal obligation, vital interests, public interest, and legitimate interests including how to select and document the appropriate basis.
- Data Protection Impact Assessments (DPIAs), records of processing activities, privacy by design and by default principles, and data protection governance structures.
- Data breach notification requirements including the 72-hour notification window to supervisory authorities and communication requirements to affected data subjects.
- Data Protection Officer (DPO) role, responsibilities, and organizational independence requirements.
- Cross-border data transfer mechanisms including adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and derogations.
- Enforcement and penalties including administrative fines up to 4% of annual global turnover or EUR 20 million, supervisory authority powers, and judicial remedies.
Not Covered
- Detailed comparison of all EU member state implementing legislation and national derogations beyond awareness level.
- Technical implementation of data protection technologies such as encryption algorithms, differential privacy mechanisms, or anonymization techniques.
- ePrivacy Directive and ePrivacy Regulation cookie consent requirements beyond their relationship to GDPR.
- Sector-specific EU data protection regulations (health data directives, financial services data requirements) beyond GDPR scope.
- Legal defense strategies, litigation procedures, or detailed case law analysis from the Court of Justice of the European Union.