GDPR Compliance Checker:
European Union - General Data Protection Regulation (Regulation (EU) 2016/679) - EU GDPR
Created by: Ankit Bhargava.
If you have customers located in the EU, this compliance checker can help you identify what privacy rules apply to you and what steps you need to take next. It's free, easy, and simple. No email or sign up required.
When your users/customers are located in: EU only.
Your Takeaway:
Your customers are based in the EU. That means the EU General Data Protection Regulation – GDPR – applies to you, even if your own company is outside Europe. GDPR is known for being strict, but it’s not impossible. The key is to focus on a few core principles: lawfulness, fairness, transparency, and accountability.
Your Privacy Best Practices:
– Identify who in your business will be the data owner(s) and what their roles and responsibilities are.
– Do a quick “data inventory”: write down every place you collect customer data (forms, emails, CRM, spreadsheets).
How I Can Help:
I will help you create a consolidated “data inventory” for each data type you collect, assigning ownership to each data type and fixing accountability.
Select Your Scenario Below — I'll Show You What To Fix & How.
QUESTION 1: What type of personal data do you collect?
QUESTION 2: Why do you collect customer data?
QUESTION 3: What is your legal basis for processing personal data?
QUESTION 4: How long do you keep customer personal information?
QUESTION 5: Do you share customer personal information with others or third parties?
We collect only basic personal data of our users/customers:
Your Takeaway:
You collect only basic personal identification details like name, email, phone number, or address. Under GDPR, this is considered lower risk compared to sensitive data, but that doesn’t mean you can ignore the rules. You still need a valid legal reason to hold this data, a clear and transparent privacy notice that tells people what you’re doing, and a plan for how long you’ll keep their personal information. The good news: basic data is much easier to manage and defend if someone complains.
Your Privacy Best Practices:
– Create a document listing each type of basic data you collect and why you need it.
– Write a privacy notice that says: “We collect your name and email to deliver our product/service. We keep it for XXX years after your last purchase. We do/don’t share it with XXX parties/anyone.”
– Set a calendar reminder (for example, every six months) to review whether you still need old customer data.
How I Can Help:
I will help you create a consolidated “data inventory” for each data type you collect and a basis for collecting your users' personal information.
We collect both basic and sensitive personal data of our users/customers.
Your Takeaway:
You collect sensitive data – things like health records, financial account details, biometrics, or criminal history. Under GDPR, this is called “special category data” and the rules are much tighter. You cannot rely on a simple “I have a contract” or “it’s in our business interest”. You need explicit, written consent from each customer, or one of a very few other specific conditions. You also almost certainly need a Data Protection Impact Assessment (DPIA) before you start processing. This is high risk, and regulators take it seriously.
Your Privacy Best Practices:
– First, ask yourself honestly: do you really need this sensitive data? Could you deliver the same service without it? Many businesses collect more than they actually need.
– If you truly need it, get explicit written consent. Not a pre‑ticked box. Not a hidden clause. A clear “yes, I agree” that you store as proof.
– Conduct a DPIA – it sounds scary, but it’s really just a structured way to think through risks and write them down.
– Limit access to sensitive data to only those employees who absolutely need it for their job.
How I Can Help:
I can help you run a DPIA specific to your business operation(s). We’ll go through each sensitive data field together, identify where things could go wrong, and write down the required fixes. If we find that you don’t actually need the sensitive data, I’ll help you plan a safe deletion process.
We collect our users'/customers' personal data for Selling our products/services.
Your Takeaway:
Your customers expect you to use their data only to deliver what they bought from you. That’s the cleanest and lowest‑risk expectation. As long as you don’t secretly use their data for anything else – like marketing, analytics, or selling to third parties – you’re in a good position. You still need a privacy notice, but it can be very short and direct. The biggest risk here is accidentally crossing the line without realising it.
Your Privacy Best Practices:
– Write a one‑sentence notice on your checkout page: “We use your information only to complete your purchase and for essential customer support.”
– Do not add customers who bought from you to a marketing list unless they separately agreed.
– Train your team: if someone asks, “Can we use this customer’s email for a newsletter?” the answer is no unless there’s a separate opt‑in.
How I Can Help:
I’ll look at your checkout process, order confirmation emails, and any automated messages you send. I’ll tell you exactly where you might be accidentally using data beyond “delivery only” – and how to fix it.
We collect our users'/customers' personal data for Marketing & Promotion.
Your Takeaway:
Your customers expect you to use their data for marketing or promotions. That’s fine, but only if they actually know and agreed to it. Under GDPR, marketing requires explicit opt‑in consent. You cannot use pre‑ticked boxes, and you cannot hide consent inside your terms and conditions. You also need to keep records of who consented, when, and what they consented to. And you must make it just as easy to unsubscribe as it was to sign up.
Your Privacy Best Practices:
– Add an unchecked checkbox to your signup forms that says something like, “Yes, please send me occasional offers and updates.”
– Keep a simple spreadsheet or database log with columns: customer email, date of consent, and exact wording they agreed to.
– In every marketing email, include a one‑click unsubscribe link that works immediately – no “log in to manage preferences” nonsense.
How I Can Help:
I’ll review your current signup forms and email marketing setup. I’ll tell you which forms are safe and which ones could get you a warning letter from a regulator. If you need to re‑obtain consent from existing customers,
We collect our users'/customers' personal data for Monitoring & Profiling.
Your Takeaway:
You monitor customer behaviour – for example, tracking which pages they click, how long they stay, or what products they look at – and you might build profiles based on that behaviour. Under GDPR, this kind of monitoring requires consent unless it’s strictly necessary for the service you’re providing. “Necessary” means the service literally wouldn’t work without it. Profiling that leads to legal or similarly significant effects (like automatically rejecting a loan application) is heavily restricted under Article 22 and should be avoided unless you have very specific legal grounds.
Your Privacy Best Practices:
– Separate your tracking tools into two groups: “essential for service” (e.g., shopping cart) and “everything else” (e.g., Google Analytics, heatmaps, and personalisation). Get consent for the second group.
– Use a cookie consent banner that lets people say no to non‑essential tracking – and honour that choice.
– If you use profiling that affects customers (credit scoring, job applications, insurance pricing), stop immediately and get legal advice.
How I Can Help:
If you’re doing any kind of automated profiling, I’ll help you assess whether it’s allowed or if you need to change it.
We collect our users'/customers' personal data for Third‑Party sharing.
Your Takeaway:
You share customer data with third parties – for example, analytics providers, advertising networks, or business partners. Under GDPR, you must disclose every single recipient in your privacy notice. For sharing that isn’t strictly necessary for your service (like sharing with advertisers), you usually need separate, explicit consent from the customer. You also need a written Data Processing Agreement (DPA) with each third party that processes data on your behalf.
Your Privacy Best Practices:
– Create a simple table: third party name, what data they see, where they are located, and why you share with them. Put this table on your website – not buried, but easy to find.
– For each third party, ask, “Do they really need this data?” If not, stop sharing.
– Sign a DPA with every third party that processes customer data. Many vendors (like Stripe, Mailchimp, AWS) have standard DPAs – you just need to accept them.
How I Can Help:
I can review your existing DPAs and tell you which vendors are safe, which ones need a DPA, and which ones you should stop using. I can also help you prepare a new DPA in plain English which you can send to any vendor that doesn’t have their own.
We have not informed our users/customers anything.
Your Takeaway:
You haven’t told your customers what you do with their data. Under GDPR, this is a direct violation of Article 13 – the right to be informed. It’s also the most common and easiest violation to fix. Regulators don’t expect perfection overnight, but they do expect you to take immediate steps to inform people.
Your Privacy Best Practices:
– Publish a privacy notice ASAP. It doesn’t have to be perfect. Start with: “We collect [list data]. We use it for [list purposes]. We keep it for [time period]. We share it with [list third parties, or ‘no one’]. Contact us at [email].”
– Put a link to your privacy notice everywhere you collect data: signup forms, checkout, email footers, and website footers.
– If you already have customer data, send them a short email or notification: “We’ve updated our privacy notice. You can read it here.”
How I Can Help:
I can help you design and draft a privacy notice that complies with the privacy law(s) that apply to you, specifically for businesses that only collect basic data. I can also review your existing template and point out any mandatory requirements that are missing. We can then finalise where to place your policy link so you’re fully covered.
We do 'personal data processing' based on our users’/customers’ consent.
Your Takeaway:
You rely on customer consent as your legal basis. Under GDPR, consent is valid – but it’s also the most misunderstood basis. Consent must be freely given, specific, informed, and unambiguous. Silence, pre‑ticked boxes, or inactivity do not count. You also need to keep records of when, how, and what the customer agreed to. And you must make withdrawal as easy as giving consent. If you can’t prove consent, you don’t have consent.
Your Privacy Best Practices:
– Use a double opt‑in process for important data: the customer checks a box, then you send a confirmation email and they click a link to verify.
– Keep a consent log: customer ID, date and time, exact wording they saw, and a copy of what they agreed to.
– On every consent form, include a sentence: “You can withdraw your consent at any time by [clicking here / emailing us].”
– Never bundle consent with terms of service – they must be separate.
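The consent log and double opt‑in flow described above, as an added example (not the checker’s own code): one record per customer and purpose, the exact wording the customer saw plus a SHA‑256 fingerprint of it as proof, consent that only counts once the emailed link is clicked, and withdrawal that closes the record without deleting the evidence. The in‑memory store and the `ConsentLog` method names are assumptions of this example.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class ConsentRecord:
    """One purpose per record, so consent is never bundled with terms of service."""
    customer_id: str
    purpose: str
    wording: str                  # exact text the customer saw on the form
    wording_sha256: str           # fingerprint of that text: the stored proof is tamper-evident
    requested_at: datetime        # box ticked (step 1 of double opt-in)
    confirmed_at: datetime | None = None   # confirmation link clicked (step 2)
    withdrawn_at: datetime | None = None   # consent withdrawn; the record itself is kept as proof


def _now(when: datetime | None) -> datetime:
    return when if when is not None else datetime.now(timezone.utc)


class ConsentLog:
    """In-memory stand-in for the spreadsheet or database table the page describes (assumed)."""
    def __init__(self) -> None:
        self._by_token: dict[str, ConsentRecord] = {}

    def request(self, customer_id: str, purpose: str, wording: str,
                when: datetime | None = None) -> str:
        """Customer ticked an unchecked box. Returns the token to put in the confirmation email."""
        token = secrets.token_urlsafe(24)
        self._by_token[token] = ConsentRecord(
            customer_id=customer_id, purpose=purpose, wording=wording,
            wording_sha256=hashlib.sha256(wording.encode("utf-8")).hexdigest(),
            requested_at=_now(when),
        )
        return token

    def confirm(self, token: str, when: datetime | None = None) -> bool:
        """Step 2: the emailed link was clicked. A token works once; unknown tokens are rejected."""
        rec = self._by_token.get(token)
        if rec is None or rec.confirmed_at is not None or rec.withdrawn_at is not None:
            return False
        rec.confirmed_at = _now(when)
        return True

    def withdraw(self, customer_id: str, purpose: str, when: datetime | None = None) -> int:
        """One-click withdrawal, as easy as opting in. Returns how many records it closed."""
        closed = 0
        for rec in self._by_token.values():
            if rec.customer_id == customer_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = _now(when)
                closed += 1
        return closed

    def has_consent(self, customer_id: str, purpose: str) -> bool:
        """Only confirmed, unwithdrawn consent for this exact purpose counts."""
        return any(
            rec.customer_id == customer_id and rec.purpose == purpose
            and rec.confirmed_at is not None and rec.withdrawn_at is None
            for rec in self._by_token.values()
        )

    def records_for(self, customer_id: str, purpose: str) -> list[ConsentRecord]:
        """Evidence for an inspector: every record for the purpose, withdrawn ones included."""
        return [r for r in self._by_token.values()
                if r.customer_id == customer_id and r.purpose == purpose]
```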
How I Can Help:
I’ll review your consent forms and consent logs. I’ll tell you if they would survive an inspection by a regulator. If not, I’ll show you exactly how to fix them – usually with required wording changes. I can also help you set up a consent logging system for your users’ consent management.
We do 'personal data processing' based on contract.
Your Takeaway:
You rely on contract as your legal basis. This means you collect and process data only because you need it to fulfil a contract with the customer – for example, delivering a product, providing a service, or sending an invoice. A contract is a strong basis, but it has a hard limit: you can only process data that is strictly necessary for that contract. You cannot use a contract as an excuse to collect data for marketing, analytics, or anything else. If the customer doesn’t provide the data, you can refuse to enter into the contract.
Your Privacy Best Practices:
– In your signup or checkout form, clearly mark which fields are “required for contract” and which are “optional”.
– Create a list: each piece of data you collect and a one‑sentence explanation of why it’s necessary for the contract.
– Do not use contract‑collected data for any other purpose unless you have a separate legal basis (like consent).
– After the contract ends (e.g., customer stops using your service), delete the data unless another basis applies.
How I Can Help:
I’ll help you separate your “contract necessary” data from your “nice to have” data. We’ll go through your forms together, and I’ll point out which fields you can remove or make optional. This often simplifies your business and reduces your privacy risk at the same time.
We do 'personal data processing' based on legal obligation.
Your Takeaway:
You collect data because a specific law requires you to – for example, tax laws, anti‑money laundering rules, or health and safety regulations. Under GDPR, this is a valid basis, but you must be able to point to the exact law that creates the obligation. You cannot collect more data than that law requires, and you cannot keep it longer than the law says. This basis is narrow – don’t stretch it.
Your Privacy Best Practices:
– For each legal obligation data point, write down the exact law name and article number (e.g., “Article 226 of the EU VAT Directive”).
– Keep a one‑page “legal basis register” that lists the following: data point → law → retention period required by law.
– Do not use data collected for legal reasons for any other purpose (like marketing) without a separate basis.
– Review your legal obligations once a year – laws change.
How I Can Help:
I’ll help you create a legal basis register. You fill in what you collect and why. I’ll review it and tell you if any of your claimed legal obligations are actually too broad. I’ve seen many businesses claim “legal obligation” for things that aren’t really required – I’ll help you clean that up.
We do 'personal data processing' based on legitimate interest.
Your Takeaway:
You believe it’s in your legitimate business interest to collect and process the data – for example, to prevent fraud, improve your website, or send certain types of communications. Under GDPR, legitimate interest is allowed, but you must conduct a Legitimate Interest Assessment (LIA) before you start. You need to balance your interest against the customer’s rights and expectations. If the customer wouldn’t reasonably expect the processing, or if it causes harm, legitimate interest fails. Marketing by email almost never qualifies.
Your Privacy Best Practices:
– Conduct a simple LIA using a three‑question template:
1) What is our interest?
2) Is the processing necessary for that interest?
3) Do the customer’s rights override our interest?
Write down your answers.
– Be honest: if you’re unsure, switch to consent instead.
– Do not use legitimate interest for sensitive data, marketing emails, or tracking behaviour across websites.
– Keep your LIA on file in case a regulator asks.
How I Can Help:
I’ll help you conduct an LIA before you start processing personal data. I’ll review your answers and tell you if your legitimate interest claim would hold up. If it won’t, I’ll help you switch to a safer basis like consent or contract.
We are not sure about our lawful basis of users' personal data processing.
Your Takeaway:
You don’t have a clear legal reason for collecting customer data. Under GDPR, this means you are likely processing personal data unlawfully. Article 6 requires a legal basis – there’s no exception for “I didn’t know” or “everyone does it”. This is urgent. You should stop collecting any data you can’t justify immediately, and for data you already have, assign a legal basis as soon as possible. Consent and contract are your safest starting points.
Your Privacy Best Practices:
– Stop all optional data collection right now – you can always restart after you have a legal basis.
– For existing data, go through each type and ask, “Do we have a contract with this person? If yes, the contract may work. If no, can we get consent? If not, delete it.”
– Document every legal basis you assign. Write it down simply: “Data type X → Basis: contract because we need it to deliver service.”
– If you cannot assign a basis within two weeks, delete the data.
How I Can Help:
If you are unsure about your legal basis for processing personal data, I can help you decide the appropriate lawful basis to use for your users’ personal data processing.
We keep our users’/customers’ personal information for a Definite time.
Your Takeaway:
You keep customer data only for a defined period of time – for example, two years after their last purchase. This is exactly what GDPR’s storage limitation principle requires. You’ve already avoided one of the most common compliance mistakes. The only remaining tasks: document that definite time in writing, include it in your privacy notice, and make sure your team actually follows the rule. Also, “only with us” means no sharing – but double‑check that your cloud provider, email service, or analytics tool doesn’t count as sharing.
Your Privacy Best Practices:
– Write down your retention periods in a simple document, for example: “Customer data → deleted 2 years after last activity. Transaction data → deleted 7 years for tax purposes.”
– Add a sentence to your privacy notice, for example: “We keep your data for [X years] after your last interaction.”
– Set up an automated reminder or script to delete old data – don’t rely on memory.
– For cloud tools, check their data retention policies. Some keep data even after you delete it from your account.
How I Can Help:
I’ll review your current retention practices. I’ll ask you a few simple questions about each data type, and then I’ll write a custom retention schedule for you – including exactly what to put in your privacy notice.
We keep our users’/customers’ personal information for an Indefinite time.
Your Takeaway:
You keep customer data for an indefinite period – basically, forever. Under GDPR, this is a direct violation of the storage limitation principle (Article 5). Regulators have fined companies for this exact practice. You need to set a retention period, even a rough one, and you need to be able to delete data when that period ends. You also need to be able to delete an individual customer’s data within one month if they ask. Indefinite retention is not “safe” – it’s actually riskier than having a short retention period.
Your Privacy Best Practices:
– Pick a default retention period. For most small businesses, for example, 2 years after last activity works well. Write it down.
– Go through your existing customer data. Delete anything older than your new retention period.
– Set a calendar reminder every quarter to review and delete old data.
– Make sure you can find and delete one customer’s data within one month – test this with a colleague pretending to be a customer.
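The retention schedule and deletion script suggested in the two retention scenarios above (a written per‑data‑type schedule, an automated clean‑up of records past their period, and the ability to delete one customer’s data within one month), as an added example that is not the checker’s own code. The data types, periods and sample records are constructed; the example also assumes that a record held under a legal obligation (the 7‑year tax record) is not erased on request until its statutory period ends, and reports that date instead.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# The written-down schedule: data type -> (legal basis, keep this long after last activity).
# Periods are constructed examples that follow the page's wording; adjust to your own inventory.
RETENTION_SCHEDULE: dict[str, tuple[str, timedelta]] = {
    "customer_profile": ("contract", timedelta(days=2 * 365)),        # 2 years after last activity
    "transaction": ("legal_obligation", timedelta(days=7 * 365)),    # 7 years for tax purposes
    "marketing_consent": ("consent", timedelta(days=2 * 365)),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    customer_id: str
    data_type: str
    last_activity: date


@dataclass
class ErasurePlan:
    respond_by: date                       # one month from the request, per the page
    delete_now: list[str] = field(default_factory=list)
    retained: list[tuple[str, date]] = field(default_factory=list)   # (record_id, delete on)


def schedule_for(data_type: str) -> tuple[str, timedelta]:
    """A type missing from the schedule is an inventory gap; refuse to guess a period."""
    try:
        return RETENTION_SCHEDULE[data_type]
    except KeyError:
        raise ValueError(f"{data_type!r} is not in the retention schedule") from None


def expired(record: Record, today: date) -> bool:
    _basis, period = schedule_for(record.data_type)
    return today - record.last_activity > period


def scheduled_deletions(records: list[Record], today: date) -> list[Record]:
    """What the quarterly review or the automated clean-up job should delete today."""
    return [r for r in records if expired(r, today)]


def erasure_request(records: list[Record], customer_id: str, today: date) -> ErasurePlan:
    """Handle "please delete my data". Assumption of this example: a record held under a
    legal obligation is kept until its statutory period ends, and the plan says when."""
    plan = ErasurePlan(respond_by=today + timedelta(days=30))
    for r in records:
        if r.customer_id != customer_id:
            continue
        basis, period = schedule_for(r.data_type)
        if basis == "legal_obligation" and not expired(r, today):
            plan.retained.append((r.record_id, r.last_activity + period))
        else:
            plan.delete_now.append(r.record_id)
    return plan


# Constructed sample data so the block can be exercised stand-alone.
SAMPLE_TODAY = date(2025, 1, 1)
SAMPLE_RECORDS = [
    Record("p1", "c1", "customer_profile", date(2022, 6, 1)),    # older than 2 years: expired
    Record("t1", "c1", "transaction", date(2022, 6, 1)),         # tax record, still within 7 years
    Record("t2", "c1", "transaction", date(2015, 1, 1)),         # tax record past 7 years: expired
    Record("m1", "c1", "marketing_consent", date(2024, 10, 1)),  # fresh
    Record("p2", "c2", "customer_profile", date(2024, 6, 1)),    # another customer, fresh
]
```

Running `scheduled_deletions(SAMPLE_RECORDS, SAMPLE_TODAY)` is the clean‑up job; `erasure_request(SAMPLE_RECORDS, "c1", SAMPLE_TODAY)` is the one‑customer test the page suggests rehearsing with a colleague.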
How I Can Help:
I’ll help you set up a simple retention policy specific to your business. We’ll decide on retention periods for each data type, write them down in a document, and add the right wording to your privacy notice. I’ll also help you create a step‑by‑step process for deleting old data from common tools like your CRM, email platform, and cloud storage.
We do No Sharing of our users’/customers’ personal information with others/third parties.
Your Takeaway:
You don’t share customer data with anyone outside your business. Under GDPR, this is the cleanest and lowest‑risk scenario. However, “outside your business” includes third‑party tools like your website hosting provider, email delivery service, analytics tool, and customer support software. If any of those tools can see customer data, that counts as sharing. You need to verify each tool carefully. Even with no sharing, you still need a privacy notice and a legal basis.
Your Privacy Best Practices:
– List every single online tool your business uses, including free ones. For each tool, ask: “Does this tool ever see a customer’s name, email, IP address, or any other personal data?”
– If the answer is yes, you are sharing. Update your answer and follow the “yes sharing” best practices below.
– If the answer is truly no (rare), document your verification and keep it on file.
– Even with no sharing, publish a privacy notice that says “We do not share your data with anyone.”
How I Can Help:
I’ll help you run a “data flow scan” of your business. We can identify which tools are silently receiving customer data – you’ll often be surprised. Once we have the real picture, I’ll help you either stop the sharing or disclose it properly.
Yes, We Do Share our users’/customers’ personal information with others/third parties.
Your Takeaway:
You share customer data with third‑party vendors or business partners. Under GDPR, this is allowed but comes with serious obligations. First, you must disclose every single recipient in your privacy notice (Article 13). Second, you need a valid legal basis – for sharing that isn’t strictly necessary for your service, you usually need explicit consent. Third, you must sign a Data Processing Agreement (DPA) with each vendor that processes data on your behalf. Fourth, if the vendor is outside the EU, you need Standard Contractual Clauses (SCCs) or another approved transfer mechanism. These are not optional – they are the law.
Your Privacy Best Practices:
– Create a vendor table: vendor name, what data they see, where they are located, and whether they are a “processor” (acting on your instructions) or a “controller” (using data for their own purposes).
– For every processor, sign a DPA. Most major vendors (Google, Stripe, Mailchimp, AWS, and Zoom) have DPAs in their legal centre – you just need to accept them.
– For vendors outside the EU, add SCCs to your DPA. Many vendors provide these automatically.
– Put your vendor table on your website as part of your privacy notice. Be honest – customers appreciate transparency.
How I Can Help:
I’ll review your vendor list and tell you exactly what’s missing. I can also help you create a plain English DPA template you can send to any vendor that doesn’t have their own. If you have cross-border transfers, I’ll help you add SCCs (if required).
Disclaimer: This information is for general informational purposes only and does not constitute legal advice. Privacy laws vary by jurisdiction and change over time. Feel free to connect with me for further clarification or your specific case matter.