---
title: "EU GDPR Checklist (Regulation (EU) 2016/679)"
canonical_url: "https://www.sorena.io/artifacts/eu/gdpr/checklist"
source_url: "https://www.sorena.io/artifacts/eu/gdpr/checklist"
author: "Sorena AI"
description: "An audit-ready GDPR checklist: scope and role mapping, lawful basis and consent, transparency and notices, DSAR workflows, DPIA governance, security measures."
keywords:
  - "GDPR checklist"
  - "GDPR compliance checklist"
  - "GDPR audit checklist"
  - "GDPR readiness checklist"
  - "GDPR DSAR checklist"
  - "GDPR DPIA checklist"
  - "GDPR SCC checklist"
  - "GDPR processor contract checklist"
  - "audit readiness"
  - "DSAR"
  - "DPIA"
  - "international transfers"
  - "vendor management"
---
# EU GDPR Checklist (Regulation (EU) 2016/679)

An audit-ready GDPR checklist: scope and role mapping, lawful basis and consent, transparency and notices, DSAR workflows, DPIA governance, security measures.

## EU GDPR Checklist

A checklist designed for execution: owners, evidence, acceptance criteria.

Use it to build a compliance program that is provable under pressure.

GDPR is not a policy exercise. It is a set of controls, registers, and timed workflows that need to survive product change, vendor change, transfer change, and incident pressure. This checklist is strongest when used as a program backbone: scope and role mapping, lawful-basis control, rights workflows, RoPA upkeep, DPIA governance, breach readiness, vendor clauses, transfer packs, and a single evidence index.

## 1) Scope, roles, and inventory (foundation)

Goal: a defensible applicability decision and a processing inventory baseline.

If you cannot explain scope, everything else becomes inconsistent.

- Articles 2-3 applicability memo (material + territorial scope) with facts and evidence.
- Role mapping per activity: controller vs processor vs joint controller (owners and obligations).
- Processing inventory: systems, data categories, purposes, recipients, and retention (baseline).

## 2) Lawful basis, consent, and transparency (make the legal model real)

Goal: each processing purpose has a lawful basis and a corresponding transparency record.

Avoid lawful basis drift where teams change the purpose but keep the old basis.

- Lawful basis map per purpose (Article 6) with decision rationale and owner.
- Consent design (where used): capture, withdrawal, versioning (Article 7) + consent proof schema.
- Privacy notices and layered transparency (Articles 12-14) tied to product flows and data collection points.

## 3) DSAR workflow (Articles 12-22) - operationalize requests

Goal: DSAR handling is measurable, consistent, and explainable across systems and vendors.

DSAR failures are usually process failures: intake, identity checks, search scope, and deadline tracking.

- DSAR intake channels and identity verification rules with abuse protections.
- Search playbook: systems to search, log formats, and response format standards.
- SLA tracking: 1-month target + extension criteria and notification templates.
- Evidence: request logs, decisions, response packages, and escalation approvals.

## 4) DPIA and risk management (Articles 35-36) - high-risk governance

Goal: identify high-risk processing early and control it with documented assessments.

DPIAs must be usable by engineering teams: controls, mitigations, and residual risk decisions.

- DPIA triggers and screening checklist; DPIA template and review workflow.
- Mitigation tracking linked to product backlog (privacy by design controls).
- If needed: prior consultation process artifacts and decision records.
- Evidence: DPIA register, approvals, and residual risk sign-offs.

## 5) Security of processing + breach response (Articles 32-34)

Goal: security controls are mapped to personal data processing risks and are testable.

Breach response must be executable: awareness timekeeping, risk tests, and notification templates.

- Security controls mapped to data and threats (access control, encryption, logging, monitoring).
- Breach workflow: classification, awareness timestamp, Article 33 risk test, Article 34 high-risk test.
- Evidence pack: incident timeline, logs, decisions, communications, and remediation.

## 6) Vendor/processor contracts (Article 28) + ongoing vendor governance

Goal: vendor contracts and oversight reflect actual processing and transfer reality.

A signed DPA without operational controls is a common enforcement failure.

- Article 28 contract clauses present and tailored to processing reality (sub-processors, audits, security).
- Vendor inventory mapped to processing purposes, data categories, and transfer destinations.
- Ongoing monitoring: SOC/ISO evidence, incident reporting, sub-processor change notifications.

## 7) International transfers (Chapter V) - SCCs, TIA, supplementary measures

Goal: Chapter V compliance is engineered: transfer map, mechanism choice, and operational controls.

Treat SCCs as an implementation project: configuration, logging, and governance, not a legal PDF.

- Transfer map: exporters/importers, data categories, destinations, and onward transfers.
- Mechanism selection: adequacy vs SCCs vs other safeguards; document decisions.
- TIA + supplementary measures playbook; evidence of implementation and monitoring.

## Evidence index (the fastest way to be audit-ready)

Goal: export evidence quickly and consistently. Aim for coherence, not volume.

- Scope memo + role mapping + processing inventory baseline.
- Lawful basis map + notice versions + consent logs (if applicable).
- DSAR logs + response packages + search playbooks.
- DPIA register + mitigations + approvals.
- Breach playbook + incident logs + notification artifacts.
- Vendor contracts + sub-processor list + audit evidence.
- Transfer map + SCC packs + TIA + supplementary measures evidence.

## Turn EU GDPR Checklist into an operational assessment

Assessment Autopilot can turn this EU GDPR Checklist into a reusable operational workflow inside Sorena. Teams working on EU GDPR can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

- [Open Assessment Autopilot for EU GDPR Checklist](/solutions/assessment.md): Start from EU GDPR Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints.
- [Talk through EU GDPR](/contact.md): Review your current process, evidence gaps, and next steps for EU GDPR Checklist.

## Primary sources

- [GDPR full text - Regulation (EU) 2016/679](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02016R0679-20160504&ref=sorena.io) - Primary legal baseline for the checklist.
- [EDPB Guidelines 01/2022 on the right of access](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-012022-data-subject-rights-right-access_en?ref=sorena.io) - Useful official guide for DSAR workflow design.
- [EDPB Guidelines 9/2022 on breach notification](https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-92022-personal-data-breach-notification-under-gdpr_en?ref=sorena.io) - Useful official guide for incident workflow design.
- [European Commission: Standard Contractual Clauses overview](https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en?ref=sorena.io) - Official transfer-tool baseline for Chapter V checklist items.

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/gdpr/checklist
