DSGVO Compliance Checklist

Data Mapping & Inventory

Document all personal data collection points, storage locations, and processing flows.

0/4

Identify all data categories collected

Name, email, phone, IP address, location, preferences, etc.

Critical

Map data flows (collection → processing → storage)

From website forms, CRM, analytics, email campaigns, etc.

Critical

Document retention periods for each data type

How long you store customer data, logs, backups, etc.

High

Identify third-party processors and vendors

Email provider, hosting, analytics, payment processor, etc.

Critical

Legal Basis & Consent

Establish lawful basis for all data processing activities (consent, contract, legal obligation, legitimate interests, etc.).

0/4

Define legal basis for each processing activity

Consent, contract, legal obligation, vital interest, public task, legitimate interest

Critical

Implement explicit opt-in consent mechanism

Cookie banner, consent forms, double opt-in for email

Critical

Log consent records with timestamp and version

Proof of consent, consent version, language, withdrawal options

High

Allow easy consent withdrawal mechanism

Link to withdraw consent, unsubscribe button in emails

High

Data Subject Rights Implementation

Ensure individuals can exercise their GDPR rights (access, rectification, deletion, portability, objection).

0/5

Process Data Subject Access Requests (DSAR)

Respond within 30 days, provide all data in machine-readable format

Critical

Enable data deletion (Right to be Forgotten)

Delete personal data upon request; exemptions: legal storage, legitimate interests

Critical

Support data correction and rectification

Allow users to update their profile and contact info

High

Provide data portability export (GDPR Article 20)

Export user data in machine-readable format (CSV, JSON)

High

Honor objection to marketing & automated processing

Unsubscribe, do-not-track, opt-out of profiling

Medium

Data Processing Agreements (DPA)

Establish legal contracts with all data processors (vendors, subcontractors, cloud providers).

0/4

Obtain signed Data Processing Agreements (DPA)

With every vendor that processes personal data

Critical

Ensure Standard Contractual Clauses (SCCs) for non-EU transfers

US cloud providers require SCCs post-Schrems II decision

Critical

Review subcontractor policies and approvals

Ensure processor only uses approved sub-processors

High

Maintain processor register and audit trail

Document all DPAs, update dates, contact persons

Medium

Technical & Organizational Measures (TOM)

Implement security controls to protect personal data from unauthorized access, loss, and breaches.

0/6

Encrypt data in transit (HTTPS/TLS) and at rest

SSL certificates, encryption for sensitive fields, encrypted backups

Critical

Implement access controls and role-based permissions

Only authorized employees access personal data, principle of least privilege

Critical

Maintain audit logs and access monitoring

Log who accessed data, when, and why; retention 1+ year

High

Establish data backup and disaster recovery plan

Regular backups, tested recovery procedures, offsite copies

High

Conduct data protection training for employees

Annual GDPR training, password security, phishing awareness

Medium

Perform regular security audits and vulnerability assessments

Penetration testing, code review, patch management

Medium

Breach Notification & Incident Response

Prepare processes for detecting, reporting, and managing data breaches within required timeframes.

0/4

Establish incident response plan and team

Designated incident coordinator, escalation procedures, contact list

Critical

Report breach to authority within 72 hours

Notify German supervisory authority (Datenschutzbehörde) of high-risk breaches

Critical

Notify affected individuals without undue delay

If high risk to their rights/freedoms (email, letter, notification)

Critical

Document breach investigation and remediation steps

Keep records for supervisory authority review and audit trail

High

Data Protection Officer (DPO) & Governance

Determine DPO necessity and establish governance structures for ongoing compliance oversight.

0/4

Assess DPO requirement under GDPR Article 37

Public authority or large-scale systematic monitoring (typically required for startups with data processing)

Medium

Appoint DPO or Data Protection Contact if needed

Provide contact details on website and to supervisory authority

Medium

Create and maintain Records of Processing Activities (ROPA)

Document all processing, purposes, categories, retention periods

Critical

Conduct Data Protection Impact Assessments (DPIA) for high-risk processing

Profiling, automated decision-making, large-scale data, special categories

High