May 28, 2026

GDPR Website Compliance Checklist: What Every Site Must Have

GDPR applies to any website accessible to EU users. Here's a complete checklist of what your website must have to be GDPR-compliant — and how to generate the required documents for free.

Who Needs to Comply With GDPR?

The General Data Protection Regulation applies to any organization that:

  • Is established in the European Union, OR
  • Offers goods or services to EU residents, OR
  • Monitors the behavior of EU residents

This means a US-based website with EU visitors must comply — even if you have zero physical presence in Europe.

GDPR Website Compliance Checklist

1. Privacy Policy

Your privacy policy must include (under GDPR Articles 13 and 14):

  • ✅ Identity and contact details of the data controller (you)
  • ✅ Contact details of a Data Protection Officer (if required)
  • ✅ Purposes and legal basis for processing (consent, legitimate interest, contract, legal obligation)
  • ✅ Categories of personal data collected
  • ✅ Recipients or categories of recipients (third-party services you share data with)
  • ✅ International transfers and safeguards (if data is transferred outside the EU)
  • ✅ Data retention periods
  • ✅ User rights: access, rectification, erasure, restriction, portability, objection
  • ✅ Right to withdraw consent
  • ✅ Right to lodge a complaint with a supervisory authority
  • ✅ Whether providing data is a statutory/contractual requirement

2. Cookie Policy and Consent

  • ✅ Cookie policy listing all cookies by type
  • ✅ Cookie consent banner before non-essential cookies are set
  • ✅ Granular consent options (essential, analytics, advertising)
  • ✅ Easy opt-out mechanism
  • ✅ Consent records stored for compliance evidence

3. Data Subject Rights Mechanism

  • ✅ Process for handling data access requests (within 30 days)
  • ✅ Process for deletion requests ("right to be forgotten")
  • ✅ Process for data portability requests (machine-readable format)
  • ✅ Contact email or form for privacy requests

4. Legal Basis Documentation

For each type of data processing, document your legal basis:

  • ✅ Consent: recorded with timestamp, IP, and mechanism
  • ✅ Legitimate interest: balancing test documented
  • ✅ Contract: link to applicable terms
  • ✅ Legal obligation: cite applicable law

5. Third-Party Data Processors

  • ✅ Data Processing Agreements (DPAs) with all third-party processors (Google, Stripe, Mailchimp, etc.)
  • ✅ List of sub-processors disclosed to users

6. Data Breach Procedures

  • ✅ Breach detection and response plan
  • ✅ Notification to supervisory authority within 72 hours (if breach is likely to affect rights and freedoms)
  • ✅ Notification to affected users if high risk

Generate Your GDPR Documents

TermsDock's Privacy Policy Generator and Cookie Policy Generator create GDPR-compliant documents covering all required disclosure categories. For full compliance, supplement with a DPA review from a privacy attorney.