Plain-language guides to the obligations that actually affect EU SMBs: breach response, subject access requests, the records of processing, processor contracts, privacy policies, and retention schedules. Each guide pairs with a document template you can generate, redline with counsel, and ship in 10 minutes.
Pay only after you preview every document. No subscription.
The GDPR is a 99-article regulation written for harmonisation across 27 member states. Most of it does not bind a five-person SaaS the same way it binds a bank — but the obligations that do apply are unforgiving when ignored, and the case law lives in supervisory-authority decisions that nobody publishes in plain English.
These guides distil the operative parts: what to do, by when, with what evidence on file. Every guide cites the specific Articles, Recitals, and EDPB Guidelines we relied on, and every guide pairs with a CookieSentry document template that makes the obligation operational. The point is not to teach you GDPR; the point is to put the obligation in your hands in a form a regulator would accept.
The guides are written by an engineer, drafted against current EU and national law (DE / PL / LT for the document templates), and updated when EDPB or a national authority publishes operationally relevant guidance. They are not legal advice — they are a practical reference, and the templates they pair with are intended for review by qualified counsel before publication for high-risk processing.
6 guides live · more shipping each sprint, mapped to the 6-document GDPR pack.
The 72-hour DPA notification window, the 3-band decision rule for whether to notify, the breach register schema (Art. 33(5)), and five common scenarios walked through.
How to verify identity, the one-month response window, the two-month extension, when you can refuse a manifestly unfounded request, and the response-letter template.
What every controller has to record per processing activity, when the small-business exemption (Art. 30(5)) actually applies, and how to keep the register current without rebuilding it every year.
The eight mandatory clauses, sub-processor approval, international-transfer mechanics post-Schrems II, and the audit-rights wording that survives counsel review.
What information you owe data subjects when you collect from them directly versus from third parties, how to surface lawful basis without legalese, and where the most-cited template gaps appear.
Storage limitation in practice: how to set retention triggers, when statutory periods (tax, HR, accounting) override your defaults, and the deletion-method choices that actually withstand audit.
Privacy Policy, Cookie Policy, Data Retention, Breach Procedure, DPA, and ROPA in one wizard. Bilingual EN with DE / PL / LT, with country-specific overlays for the supervisory authority, statutory retention periods, and national-law citations. Word + PDF export, ready for counsel redline.
Free 32-question self-assessment across the 8 obligations a supervisory authority expects to see on file. Get a score, a category breakdown, and the documents that close your gaps.
Free interactive checklist for the first 72 hours of a personal data breach. Tick each step, record the facts, print or save as PDF for your incident records. No signup.
Free interactive tracker for handling a data subject access request inside the one-month window. Auto-computes the due date, walks the six-step process, prints a filled DSAR log entry.
Searchable directory of common tracking cookies — what they do, who sets them, expiry, and whether they require consent. Pairs with the Cookie Policy template.
The questions SMB founders actually ask before paying for templates: validity, counsel review, audit posture, refunds, and how the wizard handles edge cases.
Generate the full 6-document pack — Privacy Policy, Cookie Policy, Data Retention, Breach Procedure, DPA, ROPA — in 10 minutes. Bilingual EN + DE/PL/LT, counsel-redlinable Word + PDF.
Each guide explains the obligation in plain language and points to the document that operationalises it. Buy the pack and you ship the documents; read the guide and you understand what you're shipping. Either entry point gets you to the same audit-ready posture, which is the only posture that matters when a regulator or a procurement team asks for the documents on file.
Generate the document pack now and have the artefacts a supervisory authority asks to see on file before you need them. Read the guides at your own pace — they will be here when the next obligation is the one keeping you up.
These guides summarise the GDPR and selected national-law overlays for orientation. They are a practical reference, not legal advice; the application of any provision to a specific fact pattern depends on circumstances only counsel familiar with your jurisdiction can assess. CookieSentry templates are drafted to current EU and national law and are intended for review by qualified counsel before publication for high-risk processing.