GDPR Compliance Checklist
Controller perspective with processor items flagged. Covers accountability, lawfulness, transparency and rights, processors, international transfers, security and breach, DPIAs.
Counsel-grade external checklist for Regulation (EU) 2016/679 (GDPR). Controller perspective, with processor-specific items flagged. Competent authority in Sweden: IMY (Integritetsskyddsmyndigheten); other Member States apply their own DPA. This checklist is a working reference, not legal advice.
A. Scope and accountability foundation
- Territorial scope position (Art. 3) documented — establishment in the EU, or targeting / monitoring of EU data subjects; non-EU entities: EU representative appointed (Art. 27).
- Controller / processor / joint-controller role determined per processing activity, not per company; joint-controller arrangements in place where applicable (Art. 26).
- Records of processing activities (Art. 30) complete and current — the document every DPA audit starts with: purposes, categories of data and data subjects, recipients, transfers, retention, security measures.
- DPO requirement assessed (Art. 37: public body, large-scale systematic monitoring, large-scale special categories); appointment made or a documented negative assessment; DPO independence and reporting line secured.
- Accountability file: ability to demonstrate compliance (Art. 5(2)) — policies, assessments, decisions, training logs.
B. Lawfulness, purposes, minimisation
- Lawful basis mapped per processing purpose (Art. 6) — no basis-stacking or retrofitting; basis stated in the privacy notice.
- Legitimate interest assessments (LIA) on file for every Art. 6(1)(f) reliance — three-part test documented.
- Consent, where used, meets Art. 7: freely given, specific, informed, unambiguous, withdrawable as easily as given; records of consent kept.
- Special categories (Art. 9) and criminal-conviction data (Art. 10): explicit condition identified; national-law hooks checked.
- Children's data: age-verification and parental-consent position where information-society services are offered to children (Art. 8, national age threshold).
- Purpose limitation and minimisation enforced in practice: new purposes trigger a compatibility assessment (Art. 6(4)); fields collected match documented purposes.
- Retention schedule per data category with deletion actually executed (automated where feasible) — the most commonly failed audit item.
C. Transparency and data-subject rights (Arts. 12–22)
- Privacy notices meet Art. 13 / 14 in full — layered, plain language, at point of collection; Art. 14 notices for indirectly-collected data (often missed).
- Rights-handling procedure: access, rectification, erasure, restriction, portability, objection — one-month deadline (+ two-month extension with notice), identity verification proportionate, free of charge.
- Access-request (DSAR) capability tested end-to-end: can you actually extract everything about one person across systems?
- Automated decision-making with legal or similarly significant effects (Art. 22): identified, safeguards implemented (human intervention, contest right), disclosed.
- Objection to direct marketing: absolute right, suppression-list mechanism working.
D. Processors and sharing (Art. 28)
- Processor inventory reconciled against the RoPA and the actual vendor list.
- DPA (Art. 28(3)) with every processor containing all mandatory clauses; sub-processor authorisation and flow-down verified.
- Processor due diligence: security posture reviewed before onboarding, periodically thereafter.
- Data-sharing with independent controllers documented (basis, transparency).
E. International transfers (Chapter V)
- Transfer map: every third-country recipient — including support access and sub-processors — identified.
- Transfer tool per recipient: adequacy decision, SCCs (2021 set, correct module), or BCRs; for US recipients, DPF certification status checked.
- Transfer impact assessment (TIA) on file for SCC-based transfers (Schrems II); supplementary measures implemented where needed.
- Onward-transfer and government-access clauses operational, not just signed.
F. Security and breach (Arts. 32–34)
- Art. 32 measures documented and risk-based: encryption, pseudonymisation, resilience, restore capability, regular testing — mapped to an actual security framework.
- Personal-data breach register covering all breaches — including non-notified ones, with reasoning.
- 72-hour DPA notification process rehearsed: detection → assessment → notification decision documented; processor-to-controller notification "without undue delay" contractually enforced.
- High-risk breaches: data-subject communication process (Art. 34).
G. By design and DPIA (Arts. 25, 35–36)
- Privacy by design and default embedded in the development lifecycle — a privacy review gate in the product / feature process.
- DPIA screening criteria applied to all new high-risk processing (systematic monitoring, large-scale special categories, innovative technology including AI); DPIAs on file with mitigations; prior consultation (Art. 36) where residual risk remains high.
- National DPA's DPIA blacklist checked (each authority publishes one).
H. People and proof
- Role-based privacy training with completion records; confidentiality commitments for staff handling personal data.
- Sanctions exposure understood: up to €20m or 4% of global turnover (upper tier); €10m or 2% (lower tier).
- Interplay mapped: GDPR breach notification runs in parallel with NIS2, DORA and MDR incident reporting — one incident can trigger several regimes on different clocks.
Related
Last reviewed: July 2026. EDPB guidelines and Member State DPA practice evolve — verify current guidance before relying on specific positions.