Artifact GuideEU

EU GDPR Checklist

Check whether a product, service, vendor, dataset, or workflow has the GDPR basics covered: scope, role, lawful basis, transparency, rights, DPIA, RoPA, contracts, transfers, breach response, retention, security, and accountability evidence.

Built from official EU text and regulator guidance; designed for privacy, legal, product, security, procurement, support, HR, marketing, and data governance teams.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
5

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Use this checklist before launching or materially changing processing of personal data. It does not supersede legal interpretation guidance, but it gives teams a concrete GDPR control record: what was checked, which owner approved it, which evidence exists, and what must be reopened when the processing changes.

Section 1

Scope, role, lawful basis, and transparency

Start by proving that the activity is or is not GDPR processing. Record the personal data, data subjects, processing operations, controller or processor role, establishment or EU-targeting facts, and whether any special category or criminal-offence data is involved.

For each purpose, assign one Article 6 lawful basis before collection or use. If consent is used, keep the consent wording, capture event, withdrawal route, and evidence that consent was freely given, specific, informed, and unambiguous. If legitimate interests is used, keep the interest, necessity analysis, balancing outcome, and objection route.

  • Scope check: identify whether personal data is processed by automated means or in a filing system, and document any Article 2 or Article 3 reason the GDPR does or does not apply.
  • Role check: name the controller, joint controller, processor, or sub-processor and record who determines purposes and means.
  • Lawful-basis check: map every processing purpose to Article 6; add Article 9 or Article 10 handling where special category or criminal-offence data is present.
  • Transparency check: ensure Articles 13 and 14 notices state controller identity, DPO contact where applicable, purposes, legal basis, recipients, transfers, storage period or criteria, rights, complaint route, and automated decision-making details where relevant.
  • Design check: confirm data minimisation, purpose limitation, accuracy, storage limitation, integrity, confidentiality, and accountability controls are reflected in product requirements and operational runbooks.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports the checklist items for material and territorial scope, definitions, Article 5 principles, Article 6 lawful bases, Article 9 special-category conditions, and Articles 13-14 transparency content.
Section 2

Rights, DSARs, retention, erasure, and RoPA

Create a rights workflow that can receive, verify, triage, fulfil, refuse, or extend requests without relying on ad hoc inbox searches. The access workflow should cover confirmation of processing, the personal data itself, required processing information, transfer safeguards, and a copy of the data where required.

Keep the RoPA close to the actual processing inventory. A useful RoPA is not a policy pointer; it lists processing activities, owners, data subject categories, personal data categories, recipients, transfers, erasure time limits where possible, and security measures where possible.

  • DSAR intake: record request channel, receipt date, requester identity check, requested right, systems to search, response owner, and deadline; Article 12 generally requires action without undue delay and within one month, with a possible two-month extension for complex or numerous requests.
  • Access response: include confirmation whether processing occurs, purposes, data categories, recipients, storage period or criteria, rights, complaint route, source information where data was not collected from the requester, automated decision-making information where relevant, and Article 46 safeguards for third-country transfers.
  • Erasure and restriction: check whether Article 17 erasure grounds apply, whether another legal basis or retention duty prevents deletion, and whether recipients must be told about rectification, erasure, or restriction.
  • Retention: tie each data category to a purpose and erasure time limit or criteria; do not keep data because a future use might appear later.
  • RoPA: maintain controller and processor records in writing, including electronic form, and make sure they are self-contained enough to be provided to a supervisory authority on request.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports Article 12 request timing and modalities, Article 15 access content, Article 17 erasure grounds, Article 19 recipient notification, Article 30 records, and storage limitation under Article 5.
Irish DPC - Records of Processing Activities under Article 30 GDPR
Supports the RoPA checklist, including granular business-function records, retention detail, security-measure descriptions, update discipline, and self-contained records.
Section 3

DPIA, processors, transfers, and breach response

Treat DPIA, vendor, transfer, and incident checks as launch gates. They should be complete before high-risk processing begins, before a processor receives data, before a third-country transfer starts, and before incident teams need to make 72-hour notification decisions.

Do not treat SCCs as a signature-only exercise. The transfer record should identify the exporter, importer, countries, data, transfer tool, SCC module and annexes, safeguards, and review trigger for legal or technical changes that could affect the transfer.

  • DPIA trigger: run a DPIA before processing likely to result in high risk; document processing description, necessity and proportionality, risks to rights and freedoms, safeguards, DPO advice where applicable, data-subject views where appropriate, sign-off, and review triggers.
  • Processor contract: before a processor starts, check sufficient guarantees, documented instructions, confidentiality, Article 32 security, sub-processor authorisation and flow-down, rights assistance, breach assistance, return or deletion at service end, audit cooperation, and written or electronic contract form.
  • Transfer check: identify all third-country access, including remote support and cloud access; verify adequacy or another Chapter V transfer tool; for SCC transfers, keep the signed clauses, module selection, annexes, transfer description, safeguards, and review trigger.
  • Breach workflow: detect and escalate security incidents quickly, decide whether a personal data breach occurred, assess risk to individuals, notify the supervisory authority without undue delay and where feasible within 72 hours unless unlikely to result in risk, and communicate to individuals without undue delay when high risk is likely.
  • Breach record: document all personal data breaches, including facts, effects, remedial action, risk assessment, notification decision, reasons for delay if applicable, and controller or processor hand-offs.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports Article 28 processor contracts, Article 32 security, Articles 33-34 breach notification and communication, Article 35 DPIA requirements, and Chapter V transfer rules.
Irish DPC - Data Protection Impact Assessments
Supports operational DPIA checks, including early project-stage assessment, stakeholder input, DPO advice, processor assistance, sign-off, and review of residual risk.
European Commission - Standard Contractual Clauses
Supports the SCC transfer-tool checklist and Commission resources for international data-transfer clauses.
Section 4

Security, accountability, and evidence to keep

Close the checklist only when the evidence shows both compliance design and operating reality. For each processing activity, keep the source citation, control owner, approval, implementation proof, and reopening trigger together.

Security evidence should be risk-based. Article 32 points to measures such as pseudonymisation, encryption, confidentiality, integrity, availability, resilience, restoration capability, and regular testing, but the selected controls must fit the nature, scope, context, purposes, and risk of the processing.

  • Minimum evidence pack: processing map, role analysis, lawful-basis record, notice text, DSAR procedure, RoPA row, DPIA screening or DPIA report, processor contract review, transfer assessment, breach runbook, retention schedule, and security-control mapping.
  • Security proof: record access controls, encryption or pseudonymisation decisions, logging, backup and restoration tests, vulnerability or control testing, incident escalation, staff confidentiality and training, and processor security evidence.
  • Accountability proof: keep approvals by privacy, legal, product, security, vendor, and business owners; record exceptions with rationale, compensating controls, expiry date, and escalation owner.
  • Reopen triggers: new purpose, new data category, special-category data, new recipient, new processor or sub-processor, new third-country access, high-risk processing change, incident, DSAR failure, retention change, or material security-control change.
  • Quality check: every checklist item should answer who owns the control, what source supports it, what evidence proves it, where the evidence is stored, and when the item must be reviewed.
Sources for this answer
Regulation (EU) 2016/679 (GDPR)
Supports accountability under Article 5(2), controller responsibility under Article 24, data protection by design and default under Article 25, and security of processing under Article 32.
ENISA - Handbook on Security of Personal Data Processing
Supports risk-based security checks for confidentiality, integrity, availability, and technical and organisational measures.
Irish DPC - Records of Processing Activities under Article 30 GDPR
Supports keeping RoPA evidence granular, current, self-explanatory, and ready to provide on request.
Recommended next step

Use the checklist to assign owners and close evidence gaps

Sorena can turn the GDPR checks on this page into cited tasks, owner assignments, evidence requests, and reusable review records for privacy, product, security, vendor, and support teams.

Research workflow
Open Research Copilot for EU GDPR

Ask source-linked questions about GDPR scope, lawful basis, DSARs, DPIAs, RoPA, processors, transfers, breach handling, and evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your GDPR checklist owners, source support, transfer records, processor contracts, and evidence gaps with Sorena.

Explore next step
Primary sources

References and citations

Irish DPC - Data Protection Impact Assessments
dataprotection.ie
Referenced sections
  • Supports operational DPIA checks, including early project-stage assessment, stakeholder input, DPO advice, processor assistance, sign-off, and review of residual risk.
"high risk processing projects"
Regulation (EU) 2016/679 (GDPR)
eur-lex.europa.eu
Referenced sections
  • Supports accountability under Article 5(2), controller responsibility under Article 24, data protection by design and default under Article 25, and security of processing under Article 32.
"able to demonstrate compliance"
Related guides

Explore more topics

Does the EU GDPR apply outside the EU under Article 3?
A grounded GDPR Article 3 territorial-scope FAQ covering EU establishment, offering goods or services, monitoring behavior in the EU, and Article 27 representatives.
EU GDPR Applicability Test for Products, Vendors, and Data Flows
A concrete GDPR scope test for personal data, controller and processor roles, EU establishment, EU targeting or monitoring, special-category and child data, transfers, vendors, and evidence.
EU GDPR Article 30 RoPA Intake Workflow
Use this GDPR Article 30 RoPA intake workflow to capture controller and processor fields, owners, transfers, retention, security measures, and evidence before a processing activity goes live.
EU GDPR Article 6 Legal Bases FAQ
FAQ on the six Article 6 GDPR lawful bases, consent caveats, legitimate interests, public-task and legal-obligation limits, and Article 9 special-category data.
EU GDPR Automated Decision-Making and Profiling: Article 22 Scope, Safeguards, and Evidence
source-linked GDPR guide for automated decision-making and profiling: Article 22 scope, profiling definition, transparency, lawful basis, DPIA triggers, human review rights, and evidence.
EU GDPR Breach Notification 72 Hours: Article 33 and 34 workflow
Source-grounded EU GDPR breach notification workflow covering awareness, 72-hour supervisory authority notices, processor escalation, high-risk data-subject communication, delay reasons, and evidence logs.
EU GDPR Breach Notification Workflow: 72-hour clock, risk assessment, and records
A concrete EU GDPR breach notification workflow for detecting and triaging incidents, starting the awareness clock, assessing risk, notifying authorities or data subjects, and keeping Article 33 records.
EU GDPR Children and Special-Category Data Guide
source-linked GDPR guide for Article 8 children's consent, Article 9 special-category data, DPIA triggers, transparency, safeguards, and evidence records.
EU GDPR Compliance Checklist: scope, rights, DPIA, RoPA, transfers
Practical EU GDPR compliance guide for mapping scope, lawful basis, notices, data-subject rights, DPIAs, RoPA, processor terms, breaches, transfers, retention, security, and penalties.
EU GDPR Controller, Processor, and Joint Controller Roles
source-linked GDPR guide for classifying controllers, processors, and joint controllers, with Article 28 contract checks, Article 26 transparency, and vendor evidence.
EU GDPR Data Subject Rights and DSAR Workflow
source-linked GDPR DSAR workflow for intake, identity checks, request scope, the one-month response clock, extensions, refusals, processor escalation, and evidence.
EU GDPR deadlines and compliance calendar
source-linked GDPR calendar entries for applicability, DSAR response timing, breach notification, DPIA review, prior consultation, transfer reviews, and retention checks.
EU GDPR DPIA and Prior Consultation Workflow
Screen high-risk processing, run a GDPR Article 35 DPIA, record mitigation, and identify when Article 36 prior consultation is required.
EU GDPR DPIA and risk management under Articles 35 and 36
EU GDPR DPIA guide covering Article 35 triggers and contents, CNIL and DPC PIA methods, residual risk, mitigation records, and prior consultation limits.
EU GDPR DSAR Exceptions: refusal, extensions, identity checks
FAQ on when EU GDPR controllers may extend, charge for, narrow, redact, or refuse a data subject access request under Articles 12 and 15.
EU GDPR DSAR Workflow: Intake, Clock, Rights, and Evidence
Run a GDPR DSAR workflow for intake, identity checks, rights scoping, one-month response timing, extensions, refusals, processor handoffs, and evidence records.
EU GDPR FAQ: scope, lawful basis, rights, DPIA, breaches, transfers
Direct EU GDPR FAQ answers on scope, controller and processor roles, lawful basis, data subject rights, DPIAs, breach notification, international transfers, and Article 83 fine tiers.
EU GDPR International Transfers and SCCs: Chapter V evidence guide
source-linked guide to GDPR Chapter V transfers, adequacy decisions, SCCs, transfer impact assessments, supplementary measures, and EU-US DPF checks.
EU GDPR Lawful Basis and Consent Guide
Focused GDPR guide to Article 6 lawful bases, consent conditions, legitimate interests, special category data, withdrawal, and evidence records.
EU GDPR Lawful Basis and LIA Workflow for Article 6(1)(f)
Assess GDPR legitimate interests with a purpose, necessity, balancing, Article 21 objection, and evidence-record workflow grounded in Article 6(1)(f).
EU GDPR Lead Supervisory Authority and One-Stop-Shop
How GDPR main establishment, cross-border processing, Article 56 lead authority competence, and Article 60 cooperation fit together.
EU GDPR LIA Template for Article 6(1)(f)
Use this EU GDPR legitimate interests assessment template to document Article 6(1)(f) purpose, necessity, balancing, safeguards, objection rights, and evidence.
EU GDPR penalties and fines: Article 83 tiers and evidence
EU GDPR penalties and fines guide covering Article 83 fine tiers, assessment factors, Article 58 powers, and evidence records for controllers and processors.
EU GDPR Processor Contracts and Vendor Management | Article 28 Evidence Guide
EU GDPR Article 28 guide for processor contracts, sub-processor controls, controller-processor role boundaries, vendor evidence, and SCC transfer clauses where applicable.
EU GDPR Record of Processing Activities Template: Article 30 RoPA Fields
Build a GDPR Article 30 record of processing activities with separate controller and processor fields for purposes, data categories, recipients, transfers, erasure time limits, and security measures.
EU GDPR Requirements: scope, rights, security, DPIA, RoPA, and transfers
Overview of core EU GDPR requirements covering scope, principles, lawful basis, notices, data-subject rights, processors, RoPA, security, breaches, DPIAs, and international transfers.
EU GDPR Retention and Erasure Schedule
Build an EU GDPR retention and erasure schedule around storage limitation, Article 17 erasure grounds, Article 12 rights handling, Article 19 recipient notices, and Article 30 RoPA fields.
EU GDPR SCC Transfer Impact Assessment FAQ
source-linked FAQ on when SCC transfer impact assessments are needed, what Clause 14 records, and when supplementary safeguards or transfer suspension are required.
EU GDPR Transfer TIA and SCC Workflow
A GDPR workflow for checking adequacy, selecting SCC modules, documenting transfer impact assessments, and recording supplementary measures for third-country transfers.
EU GDPR Transparency Notices: Articles 12, 13 and 14
Source-grounded GDPR guide to privacy notices under Articles 12, 13 and 14: direct collection, third-party data sources, recipients, transfers, retention, rights, and lawful basis.
EU GDPR vs Brazil LGPD: GDPR-led comparison and source gaps
Compare EU GDPR duties with Brazil LGPD only where the available sources support the comparator, with GDPR rows for lawful basis, rights, breach, transfers, roles, and evidence.
EU GDPR vs California CCPA: grounded GDPR comparison limits
Compare GDPR implementation duties with source-limited California CCPA/CPRA context, showing where the available grounding supports a claim and where it does not.
EU GDPR vs ePrivacy Directive: personal data, cookies, consent, and communications
Compare the EU GDPR and ePrivacy Directive for personal data processing, consent and lawful basis, cookies and terminal access, electronic communications, and parallel compliance.
EU GDPR vs UK GDPR: source-limited compliance comparison
Compare EU GDPR obligations with source-limited UK GDPR transfer notes grounded in EU GDPR sources, covering scope, lawful basis, rights, accountability, records, DPIAs, security, and transfers.
GDPR processor vs controller: role boundaries and evidence
Decide whether a party is a GDPR controller, processor, or joint controller using purpose-and-means tests, Article 28 terms, Article 26 arrangements, and Article 30 records.
GDPR vs EU AI Act: privacy controls for AI systems
Compare GDPR privacy duties with the EU AI Act only where the GDPR source pack supports the point: lawful basis, notices, DPIA, ADM, RoPA, rights, and source limits.
GDPR vs EU Data Act: personal data safeguards and source limits
Compare GDPR obligations with the EU Data Act only where the available GDPR grounding supports the fact pattern, with clear safeguards for personal data, rights, transfers, and accountability.
When does the EU GDPR require a DPIA?
Answer the EU GDPR DPIA threshold question with Article 35 triggers, high-risk criteria, supervisory-authority list checks, and DPIA content requirements.
When does the GDPR 72-hour breach notification clock start?
GDPR breach-awareness FAQ covering the Article 33 clock, processor escalation, delayed or phased notifications, risk assessment, and records to keep.