Privacy and GDPR

1. Privacy Policy present and up-to-date – 3 points

What it means: A document explaining how personal data is collected, processed, and protected on your website.
Why it matters: Legally required under GDPR and builds user trust.
How to implement:

  • Write it in clear, plain language.
  • Keep it updated whenever tools or services change.
  • Add an easy-to-find link (usually in the footer).

2. Clear information on personal data collection – 2 points

What it means: Users must know exactly what data you collect and why.
Why it matters: Transparency is mandatory under GDPR and helps avoid complaints.
How to implement:

  • List every type of data collected (name, email, IP, etc.).
  • Explain the purpose (newsletter, analytics, profiling, etc.).
  • Include examples in your Privacy Policy.

3. Data controller identified with contact info / DPO (if appointed) – 2 points

What it means: You must clearly state who is responsible for data processing and how to contact them.
Why it matters: Users need a direct way to exercise their GDPR rights.
How to implement:

  • Include company name and contact details (email, phone).
  • Add DPO contact if appointed.
  • Mention this information in the Privacy Policy.

4. Legal basis for data processing declared – 2 points

What it means: You must explain the legal grounds for each type of data processing (e.g., consent, contract, legal obligation).
Why it matters: Every processing activity under GDPR must have a lawful basis.
How to implement:

  • Specify the legal basis for each data category.
  • Clearly state it in your Privacy Policy or data collection forms.

5. Data retention period specified – 2 points

What it means: Users must know how long their data will be stored.
Why it matters: GDPR requires data minimization and prevents indefinite storage.
How to implement:

  • Define retention periods (e.g., 24 months for contact requests).
  • Include this in your Privacy Policy.
  • Automate data deletion where possible.

6. Cookie Policy present – 2 points

What it means: A dedicated page detailing what cookies are used, why, and how users can manage them.
Why it matters: Required by GDPR and ePrivacy regulations.
How to implement:

  • Describe technical, analytics, and marketing cookies.
  • Explain how users can accept or reject cookies.
  • Place a link in the footer or cookie banner.

7. Cookie banner compliant: explicit consent, no pre-ticked boxes – 4 points

What it means: When a visitor lands on your site, they must actively give consent before non-essential cookies are used.
Why it matters: Required under GDPR and ePrivacy.
How to implement:

  • No pre-selected checkboxes.
  • Include “Accept all”, “Reject all”, and “Customize” options.
  • Use compliant tools like Klaro!, Complianz, or custom-built banners.

8. Consent recorded, traceable, and easily revocable – 3 points

What it means: You must store proof of consent and allow users to withdraw it at any time.
Why it matters: GDPR requires that consent is demonstrable and revocable.
How to implement:

  • Log date, time, and method of consent.
  • Provide a clear way to withdraw consent (e.g., via link or cookie settings).
  • Use double opt-in for newsletters.
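Items 7 and 8 above describe the behaviour a consent mechanism must have: nothing non-essential runs until the visitor explicitly chooses, every choice is recorded with its time and method, and withdrawal is one step. The following is an added illustration, not code from the original checklist or from any of the tools it names; the category names, the policy version label and the "method" strings are assumptions.

```javascript
// Added example (not from the original checklist): consent gate and receipt log.
// Category names, the policy version label and the method strings are assumptions.
const CONSENT_VERSION = "cookie-policy-v3"; // constructed: bump when the Cookie Policy changes
const NON_ESSENTIAL = ["analytics", "marketing"];

function defaultConsent() {
  // No pre-ticked boxes: only strictly necessary cookies are on until the visitor decides.
  return { necessary: true, analytics: false, marketing: false, decided: false };
}

class ConsentManager {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;   // injectable so receipts are reproducible in tests
    this.state = defaultConsent();
    this.receipts = [];   // append-only proof of consent: when, how, what, which policy version
  }
  record(choices, method) {
    // Only an explicit `true` enables a category; missing or truthy-but-not-true values stay rejected.
    const next = defaultConsent();
    for (const cat of NON_ESSENTIAL) if (choices[cat] === true) next[cat] = true;
    next.decided = true;
    this.state = next;
    this.receipts.push({ at: this.clock(), method, version: CONSENT_VERSION, choices: { ...next } });
    return { ...next };
  }
  acceptAll()  { return this.record({ analytics: true, marketing: true }, "accept_all"); }
  rejectAll()  { return this.record({}, "reject_all"); }
  customize(c) { return this.record(c, "customize"); }
  withdraw() {
    // Withdrawal must be as easy as giving consent; it is logged like any other decision.
    return this.record({}, "withdraw");
  }
  allowed(category) {
    // Gate called before any non-essential cookie is set or third-party tag is loaded.
    return this.state[category] === true;
  }
  loadIfAllowed(category, loader) {
    // `loader` injects the tag (e.g. appends a <script>); it runs only after explicit consent.
    if (!this.allowed(category)) return false;
    loader();
    return true;
  }
}
```

The receipts array is what you export to a server-side store to satisfy the "demonstrable" requirement; the browser copy alone is not proof once the visitor clears their cookies.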

9. Contact form with consent checkbox – 2 points

What it means: Every contact or request form must include a mandatory checkbox for privacy consent.
Why it matters: Ensures lawful data collection through explicit user consent.
How to implement:

  • Add an unchecked, required consent box.
  • Include a link to the Privacy Policy.
  • Block submission if unchecked.

10. Newsletter opt-in separate (double opt-in recommended) – 2 points

What it means: Users must voluntarily subscribe to your newsletter, ideally confirming via email.
Why it matters: Ensures valid consent and prevents spam complaints.
How to implement:

  • Use a separate subscription form.
  • Send a confirmation email (double opt-in).
  • Log subscription and confirmation details.

11. Right to erasure / data deletion manageable – 2 points

What it means: Users can request deletion of their personal data at any time.
Why it matters: GDPR includes the “right to be forgotten.”
How to implement:

  • Create a clear deletion request process.
  • Automate via CRM or plugin when possible.
  • Include timing and instructions in your Privacy Policy.

12. Ability to download/export personal data – 2 points

What it means: Users can request a copy of the personal data you store about them.
Why it matters: GDPR gives users the right to data portability.
How to implement:

  • Allow export in a readable format (CSV, PDF, JSON).
  • Verify user identity before release.
  • Provide a secure request form or email channel.

13. Extra-EU data transfers managed (SCC or equivalent) – 2 points

What it means: If you transfer data outside the EU, you must ensure adequate protection.
Why it matters: GDPR mandates safeguards for international data transfers.
How to implement:

  • Use Standard Contractual Clauses (SCCs) or equivalent safeguards.
  • Document transfers in your Privacy Policy and internal records.
  • Avoid non-compliant third-party services.

14. Internal record of processing activities – 2 points

What it means: An internal document listing all data processing activities within your company.
Why it matters: Required under GDPR Article 30 and demonstrates accountability.
How to implement:

  • Include type of data, purpose, legal basis, and retention period.
  • Update whenever a new processing activity starts.
  • Keep it available for inspection if requested by authorities.