Data Controller

Key HIGHLIGHTS GDPR compliance

Achieving GDPR Compliance may seem complicated. This basic checklist will help you to see where your company stands and which areas should be further addressed in line with the GDPR.

If your organisation determines the purposes and means of the processing of personal data, it is considered acontroller. If your organisationprocesses personal data on behalf of the controller, it is considered aprocessor. It is possible for your organisation to have both roles. This list is far from a legal exhaustive document; it merely tries to help you to pinpoint the key GDPR requirements.


Where processing is based on consent, such consent must be freely given, specific, informed, and revocable

If your website collects personal datain some way, you should have an easily visible link to your privacy policy and confirm that the user is informed on your terms and conditions. In general, consent requires an affirmative action, so pre-ticked boxes are not permitted. Examples are:subscribing for a newsletter or asking consent for the use of cookies.

Read more: GDPR Article 7 — Conditions for consent

Your privacy policy should be written in clear and understandable

It should be written in clear and simple terms and not conceal it’s intent in any way. Failing to do so could void the relationship or agreement with your customer entirely.

Read more: GDPR Article 7.2 — Conditions for consent

It should be as easy for your customers to withdraw consent as it was to give it in the first place

The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Read more: GDPR Article 7.3 — Conditions for consent

If you process children’s personal data, verify their age and ask consent from their parent or legal guardian

For children you need to make sure a parent or legal guardian has given consent for data processing. If consent is given via your website, you should try to make sure approval was actually given by the parent or legal guardian (and not by the child). In most countries a data subject is considered a child when younger than 16 years (please check per country).

Read more: GDPR Article 8 — Conditions applicable to child’s consent in relation to information society services

When you update your privacy policy on essential points, you inform existing customers

For example, by emailing upcoming changes of your privacy policy or by showing a banner on your website. Your communication should explain in a simple way what has changed.

Read more: GDPR Article 7 — Conditions for consent

You automatically delete data that your business no longer has any use for

You should automate deletion of data you no longer need. For example, you should automatically delete data for customers whose contracts have not been renewed.

Read more: GDPR Article 5 — Principles relating to processing of personal data

Your data

Your company keeps a register of data processing activities, containing the source of data, who you share it with, what you do with it and how long you will keep it

This is a list of the actual types (columns) of data being held (e.g. name, social security nr, address, telephone number, e-mail address, etc.). For each category, a source should be documented, the parties with whom this data is shared in — and/or outside the EEA (EU , Norway, Liechtenstein and Iceland), the purpose(s) of processing of this data, the retention periods and the technical and organizational security measures taken to protect personal data

Read more: GDPR Article 30 — Records of processing activities

Your company has a list of places where it keeps personal data

This could be a list of databases (e.g. MySQL), but it could also include offline datastores (paper).

Read more: GDPR Article 30 — Records of processing activities

Your company has a publicly accessible internal company privacy policy that outlines all processes related to personal data.

You should include information about all processes related to the handling of personal data. This document should include (or have links to) the types of personal data the company holds, and where it holds them. Please note, this is an internal company privacy policy and not a privacy statement as communicated to customers and other data subjects as set out above.

Read more: GDPR Article 30 — Records of processing activities

Your internal company privacy policy and privacy statement should include a lawful basis to explain why the company needs to process personal data

It should contain a reason for data processing, e.g. the fulfilment of a contract, consent of the data subject or a legitimate interest

Read more: GDPR Article 6 — Lawfulness of processing

Accountability & management

Check whether your company is obliged to designate a Data Protection Officer (DPO)

A DPO is required in three scenarios: (1) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (2) the core activities of the business consist of processing operations which, by virtue of their nature, scope, and/or purposes, require regular and systematic monitoring of data subjects on a large scale, or (3) the core activities of the business consist of processing on a large scale special categories of data (sensitive data) pursuant to Article 9 and personal data relating to criminal convictions or offenses pursuant to Article 10. If a DPO is required, the DPO should have knowledge of GDPR guidelines as well as knowledge about the internal processes that involve personal information.

Read more: GDPR Article 37 — Designation of the data protection officer

There is awareness among decision makers about GDPR

Make sure key people and decision makers have up-to-date knowledge about the data protection legislation.

Read more: GDPR Article 25 — Data protection by design and by default

Your technical security is up to date.

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

Read more: GDPR Article 25 — Data protection by design and by default

If your business operates outside the EU, you have appointed a representative within the EU.

If you have a business outside of the EU and you collect data on EU citizens, you should assign a representative in one of the member states for your business. This person should handle all issues related to processing. In particular, a local authority should be able to contact this person.

Read more: GDPR Article 27 — Representatives of controllers or processors not established in the Union

You report data breaches involving personal data to the local authority and to the persons (data subjects) involved when necessary

In general, personal data breaches should be reported within 72 hours to the local authority. You should report which data has been lost, what the consequences are and what countermeasures you have taken. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons (data subjects), you should also communicate and report the breach to the person (data subject) whose data you lost.Your company should have a data breach policy in place to assist the organization in determining the next steps in the case of a data breach, such as whether or not to notify the local data protection authority or data subjects ubjects involved.

Read more: GDPR Article 33 — Notification of a personal data breach to the supervisory authority
GDPR Article 34 — Communication of a personal data breach to the data subject

A Data Processing Agreement (DPA) is required when using (sub) Processors

The DPA should contain explicit instructions for the storage or processing of data by the processor. The DPA should set out the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. For example, this could include a contract with your hosting provider. The same contract requirements apply when a processor engages a sub-processor to assist it in fulfilling processing activities on behalf of the controller

Read more: GDPR Article 28 — Processor
GDPR Article 29 — Processing under the authority of the controller or processor

New rights

Your customers can easily request access to their personal data

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. And where that is the case, access to that data.

Read more: GDPR Article 15 — Right of access by the data subject

Your customers can easily update their own personal information to keep it accurate

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Read more: GDPR Article 16 — Right to rectification

Your customers can easily request deletion of their personal data

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.

Read more: GDPR Article 17 — Right to erasure (‘right to be forgotten’)

Your customers can easily request that you stop processing their data

Under certain conditions the data subject shall have the right to obtain from the controller restriction of processing

Read more: GDPR Article 18 — Right to restriction of processing

Your customers can easily request that their data be delivered to themselves or a 3rd party

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Read more: GDPR Article 20 — Right to data portability

Your customers can easily object to profiling or automated decision making that could impact them

This is only applicable if your company uses profiling or any other automated decision making.

Read more: Article 22 — Automated individual decision-making, including profiling


You regularly review policies for changes, effectiveness, changes in handling of data and changes to the state of affairs of other countries your data flows to.

You should follow up on best practices and changes to the policies in your local environment.

Read more: GDPR Article 25 — Data protection by design and by default


Your business understands when you must conduct a DPIA for high-risk processing of sensitive data.

This is only applies to businesses carrying out large-scale data processing, profiling and other activities with high risk to the rights and freedoms of people. A special assessment should be carried out in these cases.

Read more: GDPR Article 35 — Data protection impact assessment

You should only transfer data outside of the EEA to countries that offer an appropriate level of protection

You should also disclose these cross-border data flows in your privacy policy.

Read more: GDPR Article 45 — Transfers on the basis of an adequacy decision

Summary — key highlights gdpr compliance

Each company (controller) who processes personal data can ask the following questions with respect to GDPR compliance (please note: this list is not limited!):