What is the primary objective of GDPR?

The primary objective of GDPR is to protect the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data, while ensuring the free movement of personal data within the EU. Enacted as Regulation (EU) 2016/679 and enforceable since May 25, 2018, it replaces the fragmented 1995 Data Protection Directive by establishing uniform rules through its seven core principles in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

Who is legally or professionally required to comply with GDPR?

GDPR applies to any controller or processor established in the EU, or any non-EU entity offering goods/services to or monitoring the behaviour of EU data subjects, regardless of location. Under Article 3's extraterritorial scope, this includes controllers determining processing purposes and processors handling data on their behalf. Public authorities and large-scale processors of special categories (e.g., health data) or systematic monitoring must appoint a Data Protection Officer (DPO) per Article 37.

Does GDPR require an external audit or third-party certification?

No, GDPR does not mandate external audits or third-party certification for compliance. Article 42 encourages voluntary certification mechanisms, seals, and marks by supervisory authorities or accredited bodies to demonstrate compliance with principles like data protection by design (Article 25). Organizations must self-demonstrate accountability via Records of Processing Activities (Article 30) and Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 35).

How often should an assessment for GDPR be performed?

GDPR requires ongoing, risk-based assessments rather than fixed intervals, with reviews triggered by changes in processing activities or risk levels. Article 32 mandates "appropriate technical and organisational measures" reflecting the state of the art, implying continuous evaluation. DPIAs (Article 35) must be conducted prior to high-risk processing and reviewed if risks evolve, while breach assessments (Articles 33-34) demand evaluation within 72 hours of awareness.

What are the consequences of non-compliance with GDPR?

Non-compliance with GDPR can result in administrative fines up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for severe infringements. Tiered penalties under Article 83 apply: up to €10 million or 2% for lesser violations (e.g., records, DPO duties). Supervisory authorities enforce via the one-stop-shop mechanism (Article 56), with additional remedies including data subject compensation (Article 82) and injunctions.

Can GDPR be mapped to other international frameworks?

Yes, GDPR principles such as accountability, data minimisation, and lawful processing bases can be mapped to international frameworks like Brazil's LGPD, California's CCPA/CPRA, and Japan's APPI. Its global influence stems from the "Brussels Effect," where extraterritorial scope (Article 3) compels alignment, though divergences exist (e.g., GDPR's opt-in consent vs. CCPA's opt-out). Adequacy decisions (Article 45) facilitate transfers to equivalent regimes like Japan.

What is the first step to begin implementing GDPR?

The first step to implement GDPR is conducting a comprehensive data mapping exercise to identify all personal data processing activities, legal bases, and associated risks. This informs Records of Processing Activities (Article 30) and determines DPIA needs (Article 35), enabling controllers to establish accountability (Article 5(2)) and appoint a DPO if required (Article 37).

What is the primary objective of AS9120B?

AS9120B establishes a quality management system (QMS) for organizations that procure, store, split, and resell aerospace parts without altering product characteristics. Built on ISO 9001:2015’s 10-clause structure, it adds over 100 aerospace-specific requirements addressing distribution risks like traceability loss, counterfeit parts, documentation errors, and external provider controls. The standard ensures chain-of-custody integrity through operational controls in Clause 8, including identification/traceability, preservation, configuration management, and prevention of suspected unapproved parts.

Who is legally or professionally required to comply with AS9120B?

AS9120B applies to aviation, space, and defense distributors, stockists, and pass-through organizations that procure, store, split, or resell parts without modifying conformity. It targets entities reliant on OEM/Tier-1 supply chains, where certification is a commercial requirement for OASIS listing and contract eligibility (2,442 global certifications as of March 2026). It excludes value-added distributors altering products or MRO entities; scope must justify non-applicability (e.g., Clause 8.3 design) without impacting conformity.

Does AS9120B require an external audit or third-party certification?

AS9120B requires third-party certification through accredited bodies for formal recognition and OASIS listing. Certification involves Stage 1 (documentation review) and Stage 2 (on-site effectiveness audit) per AS9101G, with ongoing surveillance audits. Internal audits (Clause 9.2) at planned intervals ensure conformity, but external certification demonstrates market readiness to OEMs and primes.

How often should an assessment for AS9120B be performed?

AS9120B requires internal audits at planned intervals to cover the QMS annually, plus management reviews at defined frequencies ensuring suitability and effectiveness. Clause 9.2 mandates audit programs evaluating all processes, risks, and Clause 9.3 inputs like performance trends and supplier metrics. Surveillance audits occur yearly post-certification, with recertification every three years.

What are the consequences of non-compliance with AS9120B?

Non-compliance with AS9120B risks commercial exclusion, supply chain rejection, and safety liabilities from traceability failures or counterfeit parts. Lacking certification bars OEM contracts and OASIS visibility; audit findings trigger corrective actions, potential decertification, recalls, or legal exposure for product nonconformities affecting aviation safety.

Can AS9120B be mapped to other international frameworks?

AS9120B aligns directly with ISO 9001:2015’s high-level structure, enabling seamless mapping of its 10 clauses. Aerospace additions (e.g., counterfeit prevention, traceability) build on ISO baseline without exclusions, supporting integrated QMS for distributors transitioning from generic standards while maintaining standalone applicability.

What is the first step to begin implementing AS9120B?

The first step is conducting a gap analysis against AS9120B clauses using cross-functional teams to map current processes. Document context (Clause 4), justify scope/non-applicability, and prioritize distributor risks like supplier controls and traceability, yielding a risk register and implementation backlog.

Standards Comparison

GDPR vs AS9120B

GDPR

Mandatory

2016

EU regulation for personal data protection and privacy rights

AS9120B

Mandatory

2016

Aerospace QMS standard for parts distributors.

Quick Verdict

GDPR mandates data privacy protection for EU residents worldwide, enforcing rights and accountability with hefty fines. AS9120B certifies aerospace distributors' quality systems for traceability and counterfeit prevention. Organizations adopt GDPR for legal compliance, AS9120B for market access.

Data Privacy

GDPR

Regulation (EU) 2016/679 General Data Protection Regulation

Cost

€€€€

Complexity

Medium

Implementation Time

18-24 months

Key Features

Applies extraterritorially to non-EU organizations targeting EU residents
Enforces accountability principle requiring demonstrated compliance via DPIAs
Imposes fines up to 4% of global annual turnover
Grants data subjects rights to erasure and portability
Mandates 72-hour personal data breach notifications

Quality Management

AS9120B

AS9120B Quality Management Systems - Requirements

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Counterfeit and suspected unapproved parts prevention
Traceability and chain-of-custody for split lots
Risk-based external provider evaluation and controls
Configuration management in distribution operations
Product safety and ethical behavior awareness

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

GDPR Details

What It Is

Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR), is a directly applicable EU law protecting natural persons' personal data. It modernizes privacy rules with extraterritorial scope, applying to any entity processing EU residents' data. Core approach is accountability-based, requiring organizations to demonstrate compliance via risk assessments like DPIAs.

Key Components

Seven principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability.
Enhanced data subject rights: access, rectification, erasure, portability, objection.
Obligations: appoint DPOs, maintain processing records, breach notifications.
Enforcement: fines up to €20M or 4% global turnover; no formal certification, but ongoing compliance audited by DPAs.

Why Organizations Use It

Mandated for EU data processors; reduces legal risks, builds trust, enables global data flows. Enhances reputation, avoids penalties, supports Digital Single Market.

Implementation Overview

Risk-based rollout: gap analysis, policy updates, training, DPIAs. Applies universally to controllers/processors; high complexity for SMEs. Two-year transition originally; continuous audits by EDPB and national authorities.

AS9120B Details

What It Is

AS9120B is the IAQG's quality management system standard for aerospace distributors, fully titled AS9120B Quality Management Systems – Requirements. This certification standard augments ISO 9001:2015's high-level structure with over 100 distributor-specific requirements. Its primary purpose is ensuring safe, traceable resale of parts without alteration, employing a risk-based PDCA approach to address supply chain vulnerabilities like counterfeits and traceability loss.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operations, evaluation, improvement
Distributor emphases: counterfeit prevention, traceability for split lots, external provider controls, configuration management
Built on ISO 9001 baseline plus aerospace additions
Certification model via accredited bodies with OASIS registration

Why Organizations Use It

Commercial gatekeeper for OEM/Tier-1 supply chains
Mitigates risks of nonconformities, recalls, legal liabilities
Enhances efficiency, customer satisfaction, market access (2,442 global certifications)
Builds stakeholder trust through auditable chain-of-custody

Implementation Overview

Phased 6-12 months: gap analysis, process design, training, internal audits
Suited for aviation/space/defense distributors worldwide
Requires Stage 1/2 audits for certification

Key Differences

Aspect	GDPR	AS9120B
Scope	Personal data protection and privacy rights	Aerospace distribution quality management
Industry	All sectors worldwide targeting EU data	Aerospace distributors globally
Nature	Mandatory EU regulation with fines	Voluntary certification standard
Testing	DPIAs, audits by supervisory authorities	Internal audits, certification body reviews
Penalties	Up to 4% global turnover fines	Loss of certification, no legal fines

Scope

GDPR

Personal data protection and privacy rights

AS9120B

Aerospace distribution quality management

Industry

GDPR

All sectors worldwide targeting EU data

AS9120B

Aerospace distributors globally

Nature

GDPR

Mandatory EU regulation with fines

AS9120B

Voluntary certification standard

Testing

GDPR

DPIAs, audits by supervisory authorities

AS9120B

Internal audits, certification body reviews

Penalties

GDPR

Up to 4% global turnover fines

AS9120B

Loss of certification, no legal fines

Frequently Asked Questions

Common questions about GDPR and AS9120B

GDPR FAQ

AS9120B FAQ

You Might also be Interested in These Articles...

TISAX Tabletop Exercises for EV Battery Suppliers: Ransomware Drill Scripts and AAR Templates with 2025 ENX Podcast Breakdown

Practical TISAX tabletop scripts for EV battery suppliers facing 'Very High' ASLP. Download ransomware AAR templates, get 2024 ENX lessons & 2025 podcast on VDA

The Human-AI Synergy: How Modern Compliance Tools Amplify Your Team's Strategic Impact

Unlock human-AI synergy with modern compliance tools. Automate monitoring, cut non-compliance risks 3x, and boost strategic decision-making. Elevate your team's

ISO 27701 2025 Update: Navigating Standalone Certification Myths, Audit Realities, and a 90-Day PIMS Launch Plan

Debunk ISO 27701 2025 standalone certification myths vs ISO 27001. Get a 90-day PIMS launch roadmap, checklists & audit prep to certify faster amid global priva

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how GDPR and AS9120B compare against other standards

Other GDPR Comparisons

Other AS9120B Comparisons

What It Is

Key Components

Seven principles: lawfulness, purpose limitation, minimization, accuracy, storage limitation, integrity/confidentiality, accountability.

Enhanced data subject rights: access, rectification, erasure, portability, objection.

Obligations: appoint DPOs, maintain processing records, breach notifications.

Enforcement: fines up to €20M or 4% global turnover; no formal certification, but ongoing compliance audited by DPAs.

What It Is

Key Components

Clauses 4-10 cover context, leadership, planning, support, operations, evaluation, improvement

Distributor emphases: counterfeit prevention, traceability for split lots, external provider controls, configuration management

Built on ISO 9001 baseline plus aerospace additions

Certification model via accredited bodies with OASIS registration

Aspect

GDPR

AS9120B

Scope

Personal data protection and privacy rights

Aerospace distribution quality management

Industry

All sectors worldwide targeting EU data

Aerospace distributors globally

Nature

Mandatory EU regulation with fines

Voluntary certification standard

Testing

DPIAs, audits by supervisory authorities

Internal audits, certification body reviews

Penalties

Up to 4% global turnover fines

Loss of certification, no legal fines