What is required in a GDPR privacy policy?

GDPR privacy policy must include: 1) Data controller identity and contact. 2) Data Protection Officer contact (if required). 3) Processing purposes and legal basis. 4) Data categories collected. 5) Recipients/transfers (third parties, international). 6) Retention periods. 7) Data subject rights (access, deletion, portability, objection). 8) Right to withdraw consent. 9) Right to lodge complaint with supervisory authority. 10) Automated decision-making disclosure. Must be: clear, concise, accessible, free. Update when processing changes.

What are GDPR cookie consent requirements?

GDPR cookie consent requirements: 1) Explicit consent before non-essential cookies. 2) Pre-ticked boxes invalid. 3) Granular options (analytics, marketing separately). 4) Easy to withdraw consent. 5) No cookie walls (blocking access). 6) Clear information (cookie purpose, duration, third parties). 7) Consent proof/records. Essential cookies (session, security) do not need consent. Cookie banner must: appear before loading cookies, allow rejection, be easy to understand. Validate: cookies not loaded before consent, withdrawal functional.

What are data subject rights under GDPR?

Eight data subject rights: 1) Right to be informed (privacy policy). 2) Right of access (data copy, SAR response within 30 days). 3) Right to rectification (correct inaccurate data). 4) Right to erasure (deletion, "right to be forgotten"). 5) Right to restrict processing (limit use). 6) Right to data portability (structured export). 7) Right to object (opt-out). 8) Rights related to automated decision-making (human review). Organizations must: verify identity, respond within 30 days, free (unless excessive).

What is lawful basis for data processing?

Six lawful bases under GDPR: 1) Consent - explicit, informed, freely given (used for marketing). 2) Contract - necessary for contract performance (order processing). 3) Legal obligation - compliance with law (tax records). 4) Vital interests - life/death situations (emergency services). 5) Public task - official functions (government). 6) Legitimate interests - business interests not overridden by data subject rights (fraud prevention, security). Choose most appropriate basis - affects data subject rights. Document basis in privacy policy.

When is a Data Protection Officer required?

DPO required when: 1) Public authority (except courts). 2) Core activities involve large-scale systematic monitoring (tracking, profiling). 3) Core activities involve large-scale processing of special category data (health, biometric, criminal). "Large-scale" undefined - consider: number of data subjects, volume of data, duration, geographic scope. DPO must: be independent, have expert knowledge, report to highest management, not be dismissed for performing duties. Can be: internal employee, external contractor, shared DPO (for small organizations).

What is a data breach under GDPR?

Data breach is security incident causing accidental/unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data. Examples: ransomware, phishing, lost laptop, misconfigured database, insider theft. GDPR obligations: 1) Document all breaches. 2) Notify supervisory authority within 72 hours (if risk to rights). 3) Notify data subjects without delay (if high risk). Notification includes: nature, categories/records affected, consequences, mitigation measures, DPO contact. Penalties for failure to notify: fines up to €10M/2% revenue.

How to conduct a GDPR compliance audit?

GDPR audit checklist: 1) Data inventory (what data collected, where stored, who accesses). 2) Lawful basis documentation (consent records, legitimate interest assessments). 3) Privacy policy review (complete, current, accessible). 4) Cookie consent validation (banner functional, preferences saved). 5) Data subject rights procedures (SAR process, deletion, portability). 6) Third-party processors (DPAs signed, security validated). 7) Security measures (encryption, access controls, backups). 8) Breach response plan. 9) Staff training. 10) Documentation (processing records, DPIAs). Audit annually minimum.

Does passing a GDPR scan mean my website is fully compliant?

No, automated GDPR scans only check visible technical elements like cookies and consent banners. Full GDPR compliance requires proper data processing agreements, privacy policies, data subject rights procedures, and internal documentation that cannot be verified by a scan alone.

Home/Tools/Compliance/GDPR Checker

GDPR Checker

Assess GDPR compliance for your website including privacy policy, cookie consent, and data processing practices

100% Private - Runs Entirely in Your Browser

No data is sent to any server. All processing happens locally on your device.

Loading GDPR Checker...

Website URL

Cookie Consent

Third-Party Trackers

Contact Info

Loading interactive tool...

JavaScript Required

This interactive tool requires JavaScript to function. Please enable JavaScript in your browser to use the full features.

The tool description and documentation above provide information about this tool's capabilities. For the best experience, please enable JavaScript and refresh the page.

Simplify Compliance

Navigate HIPAA, SOC 2, NIST, and other regulations with expert guidance.

Learn About Compliance Services Explore vCISO Services

What Is GDPR Compliance Checking

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law that governs how organizations collect, process, store, and share personal data of EU and EEA residents. A GDPR compliance check evaluates an organization's data processing practices against the regulation's requirements, identifying gaps that could result in penalties of up to EUR 20 million or 4% of global annual revenue.

GDPR applies to any organization worldwide that processes personal data of EU residents, regardless of where the organization is based. This extraterritorial scope means that U.S. companies, Asian businesses, and any entity with EU customers or website visitors must comply.

GDPR Core Principles

Principle	Article	Requirement
Lawfulness, fairness, transparency	Art. 5(1)(a)	Process data lawfully with a valid legal basis and transparent privacy notices
Purpose limitation	Art. 5(1)(b)	Collect data for specified, explicit, legitimate purposes only
Data minimization	Art. 5(1)(c)	Collect only the data that is adequate, relevant, and necessary
Accuracy	Art. 5(1)(d)	Keep personal data accurate and up to date
Storage limitation	Art. 5(1)(e)	Retain data no longer than necessary for its purpose
Integrity and confidentiality	Art. 5(1)(f)	Protect data with appropriate security measures
Accountability	Art. 5(2)	Demonstrate compliance with all principles

Common Use Cases

Website compliance audit: Check whether your website's cookie consent, privacy policy, data collection forms, and analytics setup comply with GDPR requirements
Pre-launch assessment: Evaluate a new product or service for GDPR compliance before launch, identifying required privacy features and documentation
Vendor due diligence: Assess whether third-party vendors and data processors meet GDPR requirements before sharing personal data
Annual compliance review: Conduct periodic assessments to ensure ongoing compliance as your data processing activities evolve
Data subject request readiness: Verify that your organization can fulfill data subject rights (access, deletion, portability, objection) within the required 30-day timeframe

Best Practices

Identify your legal basis — Every data processing activity must have a valid legal basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Document the basis for each activity.
Implement privacy by design — Build data protection into new systems from the start rather than retrofitting. GDPR Article 25 requires this approach.
Maintain Records of Processing Activities — Article 30 requires documented records of all processing activities, including purposes, data categories, recipients, and retention periods.
Prepare for data subject requests — Implement automated processes to handle access, deletion, portability, and objection requests within 30 days. Manual processes break down at scale.
Conduct DPIAs for high-risk processing — Data Protection Impact Assessments are required for processing that is likely to result in high risk to individuals (profiling, large-scale processing of sensitive data, public monitoring).

References & Citations

European Commission. (2024). General Data Protection Regulation (GDPR). Retrieved from https://gdpr.eu/ (accessed January 2025)
European Data Protection Board. (2020). Guidelines on consent under Regulation 2016/679. Retrieved from https://edpb.europa.eu/our-work-tools/documents/public-consultations/2020/guidelines-052020-consent-under-regulation_en (accessed January 2025)
UK Information Commissioner's Office. (2024). ICO Guide to GDPR. Retrieved from https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/ (accessed January 2025)

Note: These citations are provided for informational and educational purposes. Always verify information with the original sources and consult with qualified professionals for specific advice related to your situation.

Key Security Terms

Understand the essential concepts behind this tool

GDPR

The General Data Protection Regulation is the EU's comprehensive data privacy law that governs how organizations collect, process, and protect personal data.

Learn more →

View all terms in our glossary →

Frequently Asked Questions

Common questions about the GDPR Checker

General Data Protection Regulation (GDPR) is EU law regulating personal data processing. Applies to: EU organizations, non-EU organizations processing EU residents data. Key requirements: lawful basis for processing, consent for non-essential cookies, privacy policy, data subject rights (access, deletion, portability), breach notification (72 hours), Data Protection Officer (if required), data processing agreements. Penalties: up to 4% global revenue or €20M. Enforcement: EU Data Protection Authorities. Applies since May 2018.