⚖️
Art. 6–9
Lawful Basis & Consent
GDPR Articles 6–9 require a documented lawful basis for every processing activity involving personal data. Consent must be freely given, specific, informed, and unambiguous. Special category data requires explicit consent or another Art. 9 condition.
Q1 · Domain 1
Legal basis documented for every personal data processing activity in your inventory?
Q2 · Domain 1
Consent mechanisms are specific, informed, freely given, and withdrawable at any time?
Q3 · Domain 1
Records of Processing Activities (RoPA) maintained and updated per Article 30?
Q4 · Domain 1
Special category data (Art. 9) identified with explicit consent or alternative legal basis?
Q5 · Domain 1
Data processing agreements (DPAs) in place with all third-party data processors?
👤
Art. 15–22
Data Subject Rights
GDPR Articles 15–22 grant individuals rights to access, rectify, erase, restrict, port, and object to processing of their personal data. Organisations must respond within one calendar month.
Q1 · Domain 2
Process to respond to subject access requests (SARs) within 30 days established?
Q2 · Domain 2
Right to erasure ("right to be forgotten") operational with documented deletion procedures?
Q3 · Domain 2
Data portability process provides data in machine-readable format upon request?
Q4 · Domain 2
Privacy notices up to date, written in plain language, and easily accessible?
Q5 · Domain 2
Objection and opt-out processes implemented, tested, and communicated to data subjects?
🏗️
Art. 25
Data Protection by Design & Default
GDPR Article 25 requires organisations to implement data protection principles from the outset of system design and to default to the most privacy-protective settings. This domain also covers appointing a Data Protection Officer (DPO) where required under Article 37.
Q1 · Domain 3
Privacy by design principles embedded in all new product and system development processes?
Q2 · Domain 3
Data minimisation enforced — only minimum necessary personal data collected and retained?
Q3 · Domain 3
Pseudonymisation or anonymisation applied where technically and organisationally feasible?
Q4 · Domain 3
Data Protection Impact Assessments (DPIAs) conducted for all high-risk processing activities?
Q5 · Domain 3
Data Protection Officer (DPO) appointed where required and accessible to data subjects?
🚨
Art. 33–34
Breach Detection & Reporting
GDPR Articles 33–34 require notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. High-risk breaches must also be communicated to affected data subjects without undue delay.
Q1 · Domain 4
Personal data breach detection capability and real-time logging implemented?
Q2 · Domain 4
72-hour supervisory authority notification procedure documented and tested?
Q3 · Domain 4
High-risk breach communication procedure for affected data subjects established?
Q4 · Domain 4
Breach register maintained with full details of all incidents and organisational responses?
Q5 · Domain 4
Annual incident response exercises specifically covering data breach scenarios conducted?
🌍
Art. 44–49
International Data Transfers
GDPR Articles 44–49 restrict transfers of personal data to countries outside the EEA unless appropriate safeguards are in place — including Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules (BCRs).
Q1 · Domain 5
All cross-border personal data transfers to third countries identified and documented?
Q2 · Domain 5
Appropriate transfer mechanisms (SCCs, adequacy decisions, BCRs) in place for all transfers?
Q3 · Domain 5
Vendors in third countries assessed for data protection equivalence to EU standards?
Q4 · Domain 5
Transfer Impact Assessments (TIAs) conducted for transfers to non-adequate countries?
Q5 · Domain 5
Contractual transfer obligations reviewed and updated following Schrems II and regulatory guidance?