GDPR & DPIA Compliance Workbook
20-tab GDPR compliance workbook — Controller ROPA, Processor ROPA, DSR log with 30-day SLA tracking, 72-hour breach deadline calculator, TIA template, DPF certification tracker, and DPIA template with WP29 9-factor trigger test. Updated for April 2026 research baseline.
Built on April 2026 research: EU-US DPF survived the Latombe challenge (General Court, 3 Sept 2025 — upheld but still appealable), EDPB Pseudonymisation Guidelines 01/2025 baked into the safeguards tabs, Omnibus IV pending (would raise the 250-employee threshold to 750 on 1 July 2026), and 127 DPA corrective actions on transfers in 2023–2024 informing the TIA methodology.
20-tab architecture (67 formulas, zero errors):
Cover → Dashboard → Ecosystem → Exemption Test → ROPA Controller → ROPA Processor → DSR Log → Lawful Basis → Breach Register → Adequacy Countries → DPF Certification → Transfer Register → TIA Template → Supplementary Measures → DPIA Template → Processor Contracts → Pseudonymisation → Training Log → Policy Register → Enforcement Reference
Live formulas: 72-hour breach deadline auto-calculation, 30-day DSR SLA with overdue conditional formatting, WP29 9-factor DPIA trigger test with COUNTIF-to-result logic, Dashboard KPIs pulling from all data tabs, exemption test interactive result.
Controller ROPA + Processor ROPA — pre-seeded with 13 vendor DPAs across common categories (cloud infrastructure, analytics, email, CRM, support, AI/LLM). The seeded vendors are the hook that makes a blank ROPA suddenly feel like real work already done.
Transfer Register + TIA Template — post-Schrems II methodology following EDPB Recommendations 01/2020, updated for the post-Latombe DPF reality. Supplementary Measures register covers encryption, pseudonymisation, contractual, technical, and organizational measures.
DPIA Template — WP29-compliant 9-factor necessity test, risk assessment matrix, and mitigations register. DPA consultation trigger logic built in.
Blue/indigo palette — deliberately distinct from the teal US Privacy workbook so buyers stacking both can visually distinguish EU vs US regulatory territory at a glance.
User Guide (37 pages, 7 sections + 2 appendices): Worked examples specifically cover onboarding Anthropic for customer support AI (traces through 12 tabs), Article 17 erasure request from a German customer (9 tabs), and 72-hour breach escalation (6 tabs). Enforcement reference covers Meta €1.2B, Uber €290M, LinkedIn €310M precedents.
What's included
- Excel (.xlsx) — fully editable
- Word (.docx) — User Guide — fully editable
- Instant download after purchase
- Free updates — re-download when we release new versions
- Practitioner License: unlimited client use (vCISO / MSP)
- Secure checkout via Stripe
- All major cards accepted
- 30-day satisfaction guarantee