How to choose your GDPR-framework
Which GDPR Control Framework should you enable?
When working with GDPR in ComplyCloud, your first step is to select the control framework that matches your organisation's role. You can do this by:
- Navigating to Maintain & Control > Controls
- Clicking ‘Open framework’ on either
  - GDPR as a controller, or
  - GDPR as a processor (ISAE 3000)
- Then selecting ‘Enable framework’
GDPR as a controller
Choose this framework if your organisation determines the purposes and means of processing, that is, it decides why and how personal data is processed. Enabling this framework generates around 40 tasks. This framework typically applies when you handle data about:
- Your own employees
- Customers or users
- Leads and marketing contacts
This framework helps you document your GDPR compliance as a data controller.
As a rule of thumb, you should always activate this framework unless you've specifically decided to only use ComplyCloud in your role as a data processor.
GDPR as a processor (ISAE 3000)
Select this framework if your organisation processes personal data on behalf of another organisation. Enabling this framework generates around 80 tasks. This framework is typically relevant if:
- You provide a SaaS solution where your clients are the data controllers
- You host or manage data that does not belong to your organisation
Note: Do you operate in both roles? Many organisations act as both a data controller and a data processor. You can use both frameworks in ComplyCloud. See below for details.
Can you use both frameworks simultaneously?
Yes - many organisations act as both data controller and data processor.
If you activate both frameworks:
- They appear separately in your Controls overview, and you can work on them independently
- If you activate the ‘GDPR as a processor (ISAE 3000)’ framework, we recommend creating a Statement of Applicability (SoA) to document which controls apply to your processing activities. Read more about how to make a SoA below.
Creating a Statement of Applicability (SoA) for ISAE 3000
What is a SoA in the context of ISAE 3000?
A SoA helps you tailor your control work by identifying which controls are relevant to your role as a data processor – and which are not.
For each control, you assess:
- Is this control relevant for the processing we carry out?
- If not, can we exclude it with a justified explanation?
The SoA provides a clear and documented overview of your decisions.
When Does It Make Sense to Exclude Controls?
Not all controls are relevant for all data processors, and that is perfectly fine. Your SoA helps you document intentional exclusions when a control does not apply to your service or product. Re-assess your exclusions whenever your service changes, for example when you onboard a sub-processor or start transferring data outside the EU/EEA, so that the SoA stays accurate.
Tip: If you do not use any sub-processors, you can reasonably exclude all controls in Section F (sub-processor controls); see the table below.
Commonly excluded Controls
Below are examples of ISAE 3000 controls that may not be relevant in your context:
| Control ID | Title in ComplyCloud | Typical reason for exclusion |
|---|---|---|
| F1–F6 | Use and control of sub-processors | You do not use any sub-processors |
| G1–G3 | Transfers to third countries | All data is processed within the EU/EEA |
How to Create Your SoA in ComplyCloud
- Go to Maintain & Control > Controls
- Select the ‘GDPR as a processor (ISAE 3000)’ framework
- For each control, assess whether it applies to your processing activities
- If a control is not applicable, click ‘Archive as non-Applicable’ and add a short justification in the comment field
Once you have reviewed the full framework, your SoA is automatically available under ‘Actions’ > ‘Archived controls’.