Free checklist

Every document you need for GDPR compliance -- personalized by company size and data processing type

Select company size (small, medium, large) and data processing type
Check off documents as you prepare them -- progress saves automatically
Copy the report, share the link, or print it for your compliance files

Proof: Covers 6 compliance categories, 30 documents, and 3 company size profiles

Get a personalized list of every document needed for GDPR compliance -- based on your company size and the type of data you process.

Covers legal basis documentation, consent forms, data processing agreements, privacy notices, data subject rights procedures, breach response plans, and governance policies.
Adapts to company size: small (<50), medium (50-250), and large (250+) with different obligations for each.
Differentiates between basic, sensitive, and large-scale data processing with additional requirements for higher-risk activities.

Free, no signup, and your progress saves automatically in your browser.

GDPR compliance requires documented evidence across legal bases, processing records, privacy notices, data subject rights, security measures, and governance. Missing a single document can mean fines up to 4% of global turnover. This tool builds a complete checklist tailored to your organization so nothing falls through the cracks.

Free, no signup, and progress saves in your browser until you need it.

Compliance checklist

Select your company size and data processing type below. Check off documents as you prepare them.

Disclaimer: This checklist is for informational purposes only and does not constitute legal advice regarding GDPR compliance. Data protection requirements vary by organization and processing activities. Consult a qualified data protection officer or legal professional for compliance guidance specific to your situation.

Last updated: January 2026

0 of 25 documents complete

Lawful basis documentation for each processing activityRequiredArt. 6

Consent forms with clear opt-in languageRequiredArt. 7

Consent withdrawal mechanism documentationRequiredArt. 7(3)

Legitimate interest assessments (LIA)RequiredArt. 6(1)(f)

Record of processing activities (ROPA) -- controllerRequiredArt. 30(1)

Data processing agreements (DPAs) with all processorsRequiredArt. 28

Sub-processor list and agreementsRequiredArt. 28(2)

International transfer documentation (SCCs, adequacy decisions)RequiredArt. 46-49

Website privacy policyRequiredArt. 13-14

Employee privacy noticeRequiredArt. 13

Customer-facing privacy noticeRequiredArt. 12-13

Cookie policy and consent mechanismRequiredArt. 13 + ePrivacy

Third-party data collection noticeRecommendedArt. 14

Subject access request (SAR) procedureRequiredArt. 15

Data portability process documentationRequiredArt. 20

Right to erasure/deletion procedureRequiredArt. 17

Right to rectification processRequiredArt. 16

Data breach response planRequiredArt. 33-34

Breach notification templates (authority + data subjects)RequiredArt. 33-34

Security measures documentationRequiredArt. 32

Employee data protection training recordsRequiredArt. 39(1)(b)

Data protection policy (internal)RequiredArt. 24

Data retention scheduleRequiredArt. 5(1)(e)

Privacy by design checklistRequiredArt. 25

Annual compliance review documentationRequiredArt. 24(1)

Why GDPR documentation matters

GDPR is not just about having a privacy policy. Supervisory authorities expect documented evidence of compliance across your entire data processing lifecycle.

Fines up to 4% of revenue

The most serious GDPR violations carry fines of up to 20 million euros or 4% of annual global turnover -- whichever is higher. Having documented compliance evidence is the most effective way to reduce risk during an investigation.

Customer trust and retention

Transparent data handling builds trust. Customers increasingly choose vendors who can demonstrate GDPR compliance with proper documentation. A data breach without proper procedures in place can destroy years of customer relationships overnight.

Competitive advantage

Enterprise buyers require GDPR compliance evidence during procurement. Having your documentation in order means faster sales cycles, fewer deal blockers, and access to markets that competitors without proper documentation cannot reach.

Preparing for a GDPR audit? Auto-organize your compliance documents as they come in.

Drop DPAs, privacy policies, DPIA reports, and consent records into renamed.to. The AI reads each document, extracts the document type and date, and organizes everything into a clean compliance folder structure -- ready for your next audit.

Try renamed.to free See how it works

50 free renames, no credit card required.

Frequently asked questions

Does this checklist adapt to my company size?

Yes. The checklist filters documents based on your company size. Small companies (under 50 employees) see a streamlined set of core requirements, while medium (50-250) and large (250+) organizations see additional obligations like processor ROPA records and mandatory DPO appointment.

What is the difference between basic and sensitive data processing?

Basic processing covers standard personal data like names, emails, and addresses. Sensitive processing involves special categories under Article 9 -- health data, biometric data, racial or ethnic origin, political opinions, and similar categories. Sensitive processing triggers additional requirements like explicit consent documentation, DPIAs, and potentially DPO appointment.

Can I save my progress?

Yes. Your progress saves automatically in your browser using local storage. You can close the tab, come back days later, and pick up exactly where you left off. No account or signup required. Progress is saved separately for each company size and processing type combination.

What are the penalties for GDPR non-compliance?

GDPR fines can reach up to 20 million euros or 4% of annual global turnover, whichever is higher, for the most serious violations. Lower-tier infringements can result in fines up to 10 million euros or 2% of turnover. Beyond fines, non-compliance can lead to enforcement orders, processing bans, and significant reputational damage.

Does this checklist replace legal advice?

No. This checklist is a free reference tool to help you identify and track the documents typically required for GDPR compliance. It does not constitute legal advice. Every organization should consult with a qualified data protection professional or legal advisor to ensure their specific compliance requirements are met.