GDPR Checker

GDPR privacy policy must include: 1) Data controller identity and contact. 2) Data Protection Officer contact (if required). 3) Processing purposes and legal basis. 4) Data categories collected. 5) Recipients/transfers (third parties, international). 6) Retention periods. 7) Data subject rights (access, deletion, portability, objection). 8) Right to withdraw consent. 9) Right to lodge complaint with supervisory authority. 10) Automated decision-making disclosure. Must be: clear, concise, accessible, free. Update when processing changes.

GDPR cookie consent requirements: 1) Explicit consent before non-essential cookies. 2) Pre-ticked boxes invalid. 3) Granular options (analytics, marketing separately). 4) Easy to withdraw consent. 5) No cookie walls (blocking access). 6) Clear information (cookie purpose, duration, third parties). 7) Consent proof/records. Essential cookies (session, security) do not need consent. Cookie banner must: appear before loading cookies, allow rejection, be easy to understand. Validate: cookies not loaded before consent, withdrawal functional.

Eight data subject rights: 1) Right to be informed (privacy policy). 2) Right of access (data copy, SAR response within 30 days). 3) Right to rectification (correct inaccurate data). 4) Right to erasure (deletion, "right to be forgotten"). 5) Right to restrict processing (limit use). 6) Right to data portability (structured export). 7) Right to object (opt-out). 8) Rights related to automated decision-making (human review). Organizations must: verify identity, respond within 30 days, free (unless excessive).

Six lawful bases under GDPR: 1) Consent - explicit, informed, freely given (used for marketing). 2) Contract - necessary for contract performance (order processing). 3) Legal obligation - compliance with law (tax records). 4) Vital interests - life/death situations (emergency services). 5) Public task - official functions (government). 6) Legitimate interests - business interests not overridden by data subject rights (fraud prevention, security). Choose most appropriate basis - affects data subject rights. Document basis in privacy policy.

DPO required when: 1) Public authority (except courts). 2) Core activities involve large-scale systematic monitoring (tracking, profiling). 3) Core activities involve large-scale processing of special category data (health, biometric, criminal). "Large-scale" undefined - consider: number of data subjects, volume of data, duration, geographic scope. DPO must: be independent, have expert knowledge, report to highest management, not be dismissed for performing duties. Can be: internal employee, external contractor, shared DPO (for small organizations).

Data breach is security incident causing accidental/unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data. Examples: ransomware, phishing, lost laptop, misconfigured database, insider theft. GDPR obligations: 1) Document all breaches. 2) Notify supervisory authority within 72 hours (if risk to rights). 3) Notify data subjects without delay (if high risk). Notification includes: nature, categories/records affected, consequences, mitigation measures, DPO contact. Penalties for failure to notify: fines up to €10M/2% revenue.

GDPR audit checklist: 1) Data inventory (what data collected, where stored, who accesses). 2) Lawful basis documentation (consent records, legitimate interest assessments). 3) Privacy policy review (complete, current, accessible). 4) Cookie consent validation (banner functional, preferences saved). 5) Data subject rights procedures (SAR process, deletion, portability). 6) Third-party processors (DPAs signed, security validated). 7) Security measures (encryption, access controls, backups). 8) Breach response plan. 9) Staff training. 10) Documentation (processing records, DPIAs). Audit annually minimum.

No, automated GDPR scans only check visible technical elements like cookies and consent banners. Full GDPR compliance requires proper data processing agreements, privacy policies, data subject rights procedures, and internal documentation that cannot be verified by a scan alone.