GDPR Compliance Checklist
Free reference guide: GDPR Compliance Checklist
About GDPR Compliance Checklist
This GDPR Reference is a searchable article-by-article quick-reference guide for the EU General Data Protection Regulation. It covers 26 key GDPR provisions organized across six categories, including the seven processing principles (Art. 5), six lawful bases (Art. 6), special category data restrictions (Art. 9), consent requirements (Art. 7), and core definitions (Art. 4) for personal data, controllers, processors, and data subjects.
The reference provides detailed coverage of data subject rights (access, erasure/right to be forgotten, data portability, automated decision-making), controller obligations (Privacy by Design, processor agreements, ROPA, breach notification within 72 hours, DPIA, DPO appointment), international transfer mechanisms (adequacy decisions, SCC modules, BCR), and enforcement provisions (administrative fines up to EUR 20 million or 4% of global revenue, judicial remedies, and damages).
Designed for data protection officers, privacy lawyers, compliance managers, IT security professionals, and companies operating in the EU, this guide enables quick lookup of GDPR articles with practical explanations, compliance checklists, GDPR vs Korean PIPA comparisons, and cookie/ePrivacy regulations.
Key Features
- Article-by-article GDPR reference covering Art. 5 processing principles through Art. 83 administrative fines
- Six lawful bases for processing (Art. 6) with consent requirements and legitimate interest balancing test guidance
- Data subject rights reference for access (Art. 15), erasure (Art. 17), portability (Art. 20), and automated decisions (Art. 22)
- Controller obligation guide covering Privacy by Design (Art. 25), DPA contracts (Art. 28), ROPA (Art. 30), and DPO (Art. 37-39)
- Data breach notification procedures with 72-hour supervisory authority timeline and high-risk data subject notification
- International transfer mechanisms including adequacy decisions, SCC four-module system, BCR, and Schrems II implications
- Administrative fine tiers: EUR 10M/2% for controller obligations and EUR 20M/4% for processing principles and rights violations
- GDPR vs Korean PIPA comparison and ePrivacy cookie regulation guide with consent banner requirements
Frequently Asked Questions
What GDPR articles does this reference cover?
This reference covers 26 key GDPR provisions across six categories: Core Principles (Art. 4 definitions, Art. 5 processing principles, Art. 6 lawful bases, Art. 7 consent, Art. 9 special categories), Data Subject Rights (Art. 12-14 transparency, Art. 15 access, Art. 17 erasure, Art. 20 portability, Art. 22 automated decisions), Controller Obligations (Art. 25 Privacy by Design, Art. 28 processors, Art. 30 ROPA, Art. 32 security, Art. 33-34 breach notification, Art. 35 DPIA, Art. 37-39 DPO), International Transfers (Art. 44-49 mechanisms, SCC), Enforcement (Art. 77-79 remedies, Art. 83 fines), and Comparison/Reference (GDPR vs PIPA, cookies, compliance checklist).
What are the six lawful bases for processing under GDPR?
Article 6 establishes six lawful bases: (a) consent of the data subject, (b) contractual necessity, (c) legal obligation, (d) vital interests, (e) public task, and (f) legitimate interests. Consent must be freely given, specific, informed, and unambiguous, and must be as easy to withdraw as to give. The legitimate interests basis requires a balancing test that weighs the controller's interests against the data subject's rights.
How does the GDPR handle data breach notification?
Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to rights and freedoms. Article 34 requires notification to affected data subjects without undue delay when the breach is likely to result in high risk, with exceptions for encrypted data or when public notification is more practical than individual contact.
What is a DPIA and when is it required?
A Data Protection Impact Assessment (Art. 35) is mandatory when processing is likely to result in high risk, specifically for: automated decision-making including profiling, large-scale processing of special category data, and systematic monitoring of publicly accessible areas. The DPIA must include a systematic description of processing, necessity/proportionality assessment, risk evaluation, and risk mitigation measures. DPO consultation is required.
How does the GDPR regulate international data transfers?
Articles 44-49 establish three transfer mechanisms: adequacy decisions by the EU Commission (Art. 45), appropriate safeguards including Standard Contractual Clauses and Binding Corporate Rules (Art. 46), and derogations such as explicit consent and contractual necessity (Art. 49). Following Schrems II, organizations using SCCs must conduct Transfer Impact Assessments and implement supplementary measures like encryption.
What are the GDPR fine amounts?
Article 83 establishes two tiers: up to EUR 10 million or 2% of worldwide annual revenue (whichever is higher) for controller/processor obligation violations, and up to EUR 20 million or 4% of worldwide annual revenue for violations of processing principles, consent requirements, data subject rights, or international transfer provisions.
How does this reference compare GDPR with Korean PIPA?
The comparison entry maps GDPR concepts to Korean equivalents: DPO to CPO, DPIA to privacy impact assessment, 72-hour breach notification in both, SCC to standard contracts. Key differences include PIPA's special protection for resident registration numbers, GDPR's legitimate interest basis, PIPA's 3% revenue fine cap (2023 amendment) versus GDPR's 4%, and PIPA's unified jurisdiction under the Personal Information Protection Commission.
Is this reference free to use?
Yes, this GDPR reference is completely free with no usage limits or account required. All content loads in your browser with no server processing. It is part of liminfo.com's collection of free online reference tools for privacy and compliance professionals.