Checklists
Practical GDPR checklists for common business scenarios — free to use.
These checklists cover the most common data protection scenarios. They are practical starting points, not exhaustive legal compliance frameworks. Use them as a guide — and consult a data protection professional for your specific situation.
New Website / Cookie Banner Checklist
- Privacy policy present and GDPR-compliant (Art. 13 GDPR)
- Cookie banner implemented — non-essential cookies only loaded after consent
- Cookie banner allows granular choice (not just Accept All)
- Consent can be withdrawn as easily as given
- Google Analytics / Tracking tools configured to require consent
- Contact form has privacy notice and, if required, consent checkbox
- SSL/HTTPS active on all pages
- Imprint / Legal Notice present (German Impressumspflicht)
- DPAs in place with all website tool providers (Analytics, CMS, hosting, etc.)
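The second and fourth items above (non-essential cookies loaded only after consent, consent withdrawable as easily as it is given) are the part of this checklist a developer has to implement in code. The following is an added example, not code from this page or from any consent-management product: a small consent gate in which the script registry, the category names and the `example.invalid` URLs are constructed for illustration. The decision logic is kept as pure functions so it can be tested without a browser; the only side effect is the script injection at the end.

```javascript
// Added example: consent-gated loading of non-essential scripts.
// Categories, registry entries and URLs are assumptions for illustration.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed registry: each third-party script and the consent category it needs.
const SCRIPT_REGISTRY = [
  { id: "analytics-tag", category: "analytics", src: "https://example.invalid/analytics.js" },
  { id: "ad-pixel",      category: "marketing", src: "https://example.invalid/pixel.js" },
];

// Before the visitor decides, only strictly necessary cookies are permitted.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, decided: false };
}

// Returns a new consent object with the visitor's granular choices applied.
// "necessary" is not a choice and can never be switched off or on by the caller.
function updateConsent(current, choices) {
  const next = { ...current, decided: true };
  for (const cat of CATEGORIES) {
    if (cat === "necessary") continue;
    if (cat in choices) next[cat] = Boolean(choices[cat]);
  }
  return next;
}

// Withdrawal must be as easy as giving consent: one call clears every optional category.
function withdrawAll(current) {
  const cleared = {};
  for (const cat of CATEGORIES) {
    if (cat !== "necessary") cleared[cat] = false;
  }
  return updateConsent(current, cleared);
}

// Pure decision: ids of the registry entries that may load under this consent state.
function scriptsAllowed(consent, registry = SCRIPT_REGISTRY) {
  return registry.filter(s => consent[s.category] === true).map(s => s.id);
}

// Browser-only side effect: inject a <script> tag for each allowed entry, once.
// Outside a browser (no document) it just returns the decision, so it is testable.
function applyConsent(consent, registry = SCRIPT_REGISTRY, doc = globalThis.document) {
  const allowed = scriptsAllowed(consent, registry);
  if (!doc) return allowed;
  for (const entry of registry) {
    if (!allowed.includes(entry.id) || doc.getElementById(entry.id)) continue;
    const el = doc.createElement("script");
    el.id = entry.id;
    el.src = entry.src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return allowed;
}

// Typical wiring: start with defaultConsent(), call updateConsent() from the
// banner's per-category toggles, then applyConsent() with the result.
```

Two design points follow from the checklist. Tracking scripts are never present in the initial HTML; they exist only in the registry until `applyConsent` decides they may load, which is what makes "loaded only after consent" verifiable in the browser's network panel. And removing a `<script>` tag does not unload code that has already run, so after `withdrawAll` the page still has to stop collection (typically by reloading) and delete the cookies those tools set; the consent record itself should be stored with a timestamp so the choice can be evidenced later.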
New Employee Onboarding Checklist
- Employee informed about data protection obligations (Art. 29 GDPR)
- Commitment to confidentiality / data secrecy signed
- IT security policy acknowledged
- Access rights granted on a need-to-know basis
- Multi-factor authentication activated on relevant systems
- Clean desk policy explained
- Data protection training completed and documented
- Employee data added to the HR processing activity in the Records of Processing Activities (RoPA)
New Supplier / Sub-Processor Checklist
- Is the supplier a processor? (Do they process personal data on your behalf?)
- Data Processing Agreement (DPA) signed before data sharing begins
- DPA content compliant with Art. 28 GDPR requirements
- Sub-processor list reviewed — do they use further sub-processors?
- Transfer outside EU/EEA? Standard Contractual Clauses (SCCs) in place?
- Transfer Impact Assessment completed if applicable
- Supplier added to your Records of Processing Activities
- Supplier security practices verified (review of their technical and organisational measures (TOMs) or a security questionnaire)
Data Breach Response Checklist
- Incident discovered and contained — stop ongoing breach if possible
- Scope assessed: what data was involved? How many people?
- Risk to individuals assessed: low / medium / high risk?
- Report to Data Protection Officer immediately
- If risk to individuals: notify supervisory authority within 72 hours (Art. 33 GDPR)
- If high risk: notify affected individuals without undue delay (Art. 34 GDPR)
- Internal breach register entry created (Art. 33(5) GDPR)
- Root cause analysis conducted and remediation measures implemented