AGIDAT – Data Protection | Information Security

Checklists

Practical GDPR checklists for common business scenarios — free to use.

These checklists cover the most common data protection scenarios. They are practical starting points, not exhaustive legal compliance frameworks. Use them as a guide — and consult a data protection professional for your specific situation.

New Website / Cookie Banner Checklist

  • Privacy policy present and GDPR-compliant (Art. 13 GDPR)
  • Cookie banner implemented — non-essential cookies only loaded after consent
  • Cookie banner allows granular choice (not just Accept All)
  • Consent can be withdrawn as easily as given
  • Google Analytics / Tracking tools configured to require consent
  • Contact form has privacy notice and, if required, consent checkbox
  • HTTPS (TLS) active on all pages, including redirects from plain HTTP
  • Imprint / Legal Notice present (German Impressumspflicht)
  • DPAs in place with all website tool providers (Analytics, CMS, hosting, etc.)
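The second, third and fourth items above (non-essential scripts only after consent, granular choice, withdrawal as easy as consent), as an added JavaScript example that is not part of this page's content: the category names, the script URL and the cookie prefixes are assumptions, and `domInject` only works inside a browser.

```javascript
// Added example (not AGIDAT's code): consent-gated loading of non-essential scripts.
// Category names, script URLs and cookie prefixes below are assumptions for illustration.
const CATEGORIES = ["necessary", "analytics", "marketing"];

class ConsentState {
  constructor() {
    this.granted = new Set(["necessary"]); // only strictly necessary before any choice
    this.loaded = new Set();
    this.history = [];                     // record of each decision (accountability)
  }
  // Granular choice: every non-essential category is opt-in on its own.
  update(choices, now = Date.now()) {
    for (const c of CATEGORIES) {
      if (c === "necessary") continue;
      if (choices[c] === true) this.granted.add(c); else this.granted.delete(c);
    }
    this.history.push({ at: now, granted: [...this.granted] });
    return [...this.granted];
  }
  // Withdrawal is a single call, no harder than giving consent.
  withdrawAll(now = Date.now()) { return this.update({}, now); }
  isAllowed(category) { return this.granted.has(category); }
}

// A script is injected only once its category has consent; `inject` is pluggable
// so the gating logic can be exercised outside a browser.
function loadIfConsented(state, script, inject) {
  if (!state.isAllowed(script.category)) return false;
  if (!state.loaded.has(script.src)) {
    inject(script.src);
    state.loaded.add(script.src);
  }
  return true;
}

// Browser injector; appends a <script> tag only when called by loadIfConsented.
function domInject(src) {
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// On withdrawal, cookies already set by the withdrawn category must be expired.
// Takes the raw document.cookie string and returns the names to expire.
function cookiesToExpire(cookieString, prefixes) {
  return cookieString.split(";")
    .map((kv) => kv.trim().split("=")[0])
    .filter((name) => name && prefixes.some((p) => name.startsWith(p)));
}
```

Expiring a cookie means rewriting it with a past `Expires` date for the same path and domain it was set on; the consent state itself should be kept in a strictly necessary cookie or local storage so the choice survives reloads.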

New Employee Onboarding Checklist

  • Employee informed about data protection obligations (Art. 29 GDPR)
  • Commitment to confidentiality / data secrecy signed
  • IT security policy acknowledged
  • Access rights granted on a need-to-know basis
  • Multi-factor authentication activated on relevant systems
  • Clean desk policy explained
  • Data protection training completed and documented
  • Employee data added to RoPA HR processing activity

New Supplier / Sub-Processor Checklist

  • Is the supplier a processor? (Do they process personal data on your behalf?)
  • Data Processing Agreement (DPA) signed before data sharing begins
  • DPA content compliant with Art. 28 GDPR requirements
  • Sub-processor list reviewed — do they use further sub-processors?
  • Transfer outside EU/EEA? Standard Contractual Clauses (SCCs) in place?
  • Transfer Impact Assessment completed if applicable
  • Supplier added to your Records of Processing Activities
  • Supplier security practices verified (TOMs review or questionnaire)

Data Breach Response Checklist

  • Incident discovered and contained — stop ongoing breach if possible
  • Scope assessed: what data was involved? How many people?
  • Risk to individuals assessed: low / medium / high risk?
  • Report to Data Protection Officer immediately
  • If risk to individuals: notify supervisory authority within 72 hours (Art. 33 GDPR)
  • If high risk: notify affected individuals without undue delay (Art. 34 GDPR)
  • Internal breach register entry created (Art. 33(5) GDPR)
  • Root cause analysis conducted and remediation measures implemented
