GDPR Compliance Assessment

Evaluate compliance with EU General Data Protection Regulation requirements for processing personal data of EU residents

Industries: Biotech, Healthcare, Research, Cannabis. Estimated time: 20 minutes. 22 questions.

1. Lawful Basis & Consent

Have you identified a lawful basis for each processing activity?*

Article 6: Consent, contract, legal obligation, vital interests, public task, legitimate interests

For processing based on consent, is consent freely given, specific, informed, and unambiguous?*

Article 7: Valid consent must be granular and withdrawable

Do you obtain explicit consent for processing special category data (health, genetic, biometric)?*

Article 9: Heightened consent requirements for sensitive personal data

Can data subjects withdraw consent as easily as they provided it?*

Article 7(3): Withdrawal mechanisms must be straightforward

2. Data Subject Rights

Do you have processes to respond to data subject access requests (SARs) within 30 days?*

Article 15: Right of access with one-month response deadline

Can data subjects rectify inaccurate personal data?*

Article 16: Right to rectification of incorrect or incomplete data

Do you support the right to erasure ("right to be forgotten")?*

Article 17: Deletion when data no longer necessary or consent withdrawn

Can data subjects receive their data in a portable, machine-readable format?*

Article 20: Right to data portability for automated processing

Do data subjects have the right to object to processing?*

Article 21: Objection to direct marketing and legitimate interests processing

3. Data Protection by Design

Do you conduct Data Protection Impact Assessments (DPIAs) for high-risk processing?*

Article 35: DPIA required for large-scale sensitive data, profiling, systematic monitoring

Are privacy considerations integrated into new systems and processes?*

Article 25: Data protection by design and by default

Do you implement pseudonymization and encryption where appropriate?*

Article 32: Technical measures to ensure data security

Have you appointed a Data Protection Officer (DPO) if required?*

Article 37: DPO required for public authorities and large-scale special category processing

4. Data Processing Records

Do you maintain Records of Processing Activities (RoPA)?*

Article 30: Detailed inventory of all processing activities

Does your privacy notice/policy clearly explain data processing purposes?*

Articles 13-14: Transparent information about processing

Are data retention periods defined and documented?*

Article 5(1)(e): Storage limitation principle

5. Data Transfers

Do you use approved transfer mechanisms for non-EU data transfers?*

Chapter V: Standard Contractual Clauses, Binding Corporate Rules, adequacy decisions

Have you assessed adequacy of data protection in recipient countries?*

Schrems II: Transfer impact assessments required

Are Data Processing Agreements (DPAs) in place with all processors?*

Article 28: Processor contracts with mandatory clauses

6. Breach Notification

Can you detect and report data breaches to supervisory authorities within 72 hours?*

Article 33: Notification deadline from breach awareness

Do you notify affected data subjects of high-risk breaches without undue delay?*

Article 34: Individual notification when likely to result in high risk

Do you maintain a register of all data breaches?*

Article 33(5): Documentation of all breaches, including those not reported
