32 questions across the 8 obligations a supervisory authority expects to see on file. Get a score, a category breakdown, and a list of documents that close the gaps. Print or save your report as a PDF — no signup, your answers stay in your browser.
Answer Yes / Unsure / No across the obligations a supervisory authority would expect to see on file. Get a score, a category breakdown, and a list of documents that close the gaps.
Answer the questions below to compute your score. Everything is autosaved to your browser — nothing is sent to any server.
Articles 5, 6, 13, 14 — what you collect, why, and what you tell the people whose data it is.
Do you have a published privacy notice that data subjects can read before or at the point of collection?
Does the notice list the controller's identity, the purposes of processing, and the lawful basis for each purpose under Article 13(1)?
Does the notice cover retention periods, the data subject's rights, and the right to lodge a complaint with the supervisory authority (Article 13(2))?
Have you documented a lawful basis for every processing activity, not only the customer-facing ones?
Article 7 GDPR plus the ePrivacy Directive overlays for cookies and electronic marketing.
Is your cookie banner strictly opt-in (no pre-ticked boxes, no implied consent from continued browsing)?
Can users withdraw consent as easily as they gave it (Article 7(3)) — for example, via a persistent preferences link?
Do you store consent metadata (timestamp, choice, banner version) so you can demonstrate Article 7(1) on request?
Do you publish a cookie policy listing each cookie's purpose, provider, and duration?
Articles 12–22 — how you handle access, rectification, erasure, portability, restriction, and objection.
Have you documented a written procedure for handling subject access requests within the one-month window (Article 12(3))?
Can you locate every piece of data on a single subject across your systems, including backups and sub-processors, within that month?
Do you verify the requester's identity proportionately under Article 12(6) — without over-collecting documents?
Can you produce a structured, commonly used machine-readable export for portability requests (Article 20)?
Articles 32–34 — the technical and organisational measures and what happens when they fail.
Do you have a written Breach Procedure with the 72-hour decision rule for notifying the supervisory authority?
Do you maintain a breach register that captures every incident, regardless of whether notification was required (Article 33(5))?
Have you defined a response team with 24/7 contact details and at least one decision-maker authorised to declare a breach?
Are your technical and organisational security measures (encryption, access control, logging) documented and reviewed at least annually?
Article 5(1)(c) and (e) — keep only what you need, only as long as you need it, on a documented schedule.
Do you have a written Data Retention Policy specifying retention periods per data category?
Do those retention periods reflect statutory minimums for tax, accounting, and employment records in your jurisdiction?
Have you defined deletion triggers (account closure, contract end, consent withdrawal, fiscal-year end) for each retention rule?
Is the backup-rotation behaviour for deleted data documented (typical age-out window, when subjects can stop appearing in restorations)?
Articles 5(2) and 30 — the registers that demonstrate compliance to a supervisory authority during an audit.
Do you maintain a Record of Processing Activities (ROPA) per Article 30, even if you believe the small-business exemption applies to you?
Does the ROPA capture all mandatory items: purposes, data categories, recipient categories, retention, security measures, and international transfers?
Is the controller / processor role explicitly documented for each processing activity?
Are special-category (Article 9) and criminal-data (Article 10) processings flagged separately in the ROPA?
Article 28 plus the diligence obligations under Article 32(1)(d) — every vendor that touches personal data needs a paper trail.
Do you have a signed Data Processing Agreement (Article 28) with every processor handling personal data on your behalf?
Do those agreements include the eight clauses required by Article 28(3): instructions, confidentiality, security, sub-processors, rights assistance, breach notification, deletion, audit?
Is your sub-processor list documented and kept current as vendors are added or replaced?
Do you carry out a basic vendor pre-assessment (security questionnaire, certifications, hosting region) before signing?
Articles 44–49 — moving personal data outside the EEA needs a documented mechanism and, post-Schrems II, a transfer impact assessment for high-risk flows.
Do you know which sub-processors process personal data outside the EEA, and which countries they sit in?
For each non-EEA transfer, do you rely on a valid mechanism (adequacy decision, EU SCCs, BCRs, or an Article 49 derogation)?
Have you completed a Transfer Impact Assessment for high-risk transfers (US, UK, third countries with surveillance laws) post-Schrems II?
Are international transfers and their mechanisms disclosed in your privacy notice?
The CookieSentry GDPR pack ships Privacy Policy, Cookie Policy, Data Retention, Breach Procedure, DPA, and ROPA — each one drafted against your company and country, ready for counsel redline. Bilingual EN with DE / PL / LT.
The Readiness Score is a structural check against the obligations the GDPR creates and the artefacts an EU supervisory authority typically asks for during an audit or following a complaint. It is calibrated for small and mid-sized EU businesses processing standard customer and employee data — the same audience the CookieSentry document pack targets.
What the score does well: it surfaces the documents and procedures you have not yet written, weighted by how much an auditor would care. A 41% score does not mean you are 41% non-compliant; it means 41% of the load-bearing documentation and procedure is in place. The remaining 59% is what closes the gap to audit posture.
What the score does not do: it does not assess whether your existing documents apply correctly to your operations, it does not catch sector-specific obligations (health, finance, ad-tech), and it does not replace counsel review. Treat a high score as the necessary baseline, then engage counsel for the scenarios that do not fit a template — high-risk processing, regulated industries, complex cross-border flows.
For an audit-grade artefact, pair the printed report with the actual documents from the CookieSentry GDPR pack — Privacy Policy, Cookie Policy, Data Retention, Breach Procedure, DPA, and ROPA — each generated against your company, country, and processing activities and ready for counsel redline.
Each question maps to one of six CookieSentry documents. Generate them all in one wizard — Privacy Policy, Cookie Policy, Data Retention, Breach Procedure, DPA, ROPA — bilingual EN with DE / PL / LT, Word and PDF export, ready for counsel.
About 8–12 minutes if you know the answers. Each question is a one-line statement you mark Yes / Unsure / No. Answers autosave to your browser as you click, so you can pause and come back later on the same device.
No. The assessment is a structured self-check against the obligations a supervisory authority would expect to see documented on file. It surfaces gaps and points to the right templates to close them, but it does not validate whether your filled-in documents apply correctly to your specific operations — that is what counsel review is for.
Each question is weighted by impact (foundational items like a written privacy notice and a breach procedure carry more weight than peripheral items). The score is the percentage of available points you scored: Yes counts full, Unsure counts half, No counts zero. The bands are: 0–39% significant gaps, 40–69% partial readiness, 70–89% largely ready, 90–100% audit-ready.
No. Everything stays in your browser's local storage. There is no account, no signup, no analytics on your individual answers. The score and the printed report exist only on your device. Clear the browser data and the assessment is gone.
The assessment covers the cross-cutting GDPR obligations that apply to almost every controller. Sector-specific rules — the Patient Rights and Damages law for health, MiFID/PSD2 record-keeping for finance, the Digital Markets Act for ad-tech — are out of scope. Treat a high score as the necessary baseline, not the complete picture for a regulated industry.
Because each gap is, by design, exactly what one of the six documents in our pack closes. The recommendations are not a sales mechanic — they are the document or procedure GDPR actually requires for that obligation. You can build the documents yourself, hire counsel to draft them, or generate the pack with CookieSentry; the obligation is the same regardless of source.
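The scoring rule described above (weighted questions, Yes full, Unsure half, No zero, four bands) together with the gap-to-document mapping, as an added JavaScript example. This is not CookieSentry's own code: the page does not publish its question weights or full question list, so the sample questions, their weights, the `STORAGE_KEY` name and the rule that an unanswered question counts as No are assumptions; the answer values, bands, category names and the six document names come from the page.

```javascript
// Added example: readiness-score logic as the page describes it.
// Assumptions (not from the page): the sample questions and weights below,
// the STORAGE_KEY name, and treating an unanswered question as "no".
const ANSWER_VALUE = { yes: 1, unsure: 0.5, no: 0 }; // Yes full, Unsure half, No zero

// Bands from the page, checked highest first.
const BANDS = [
  { min: 90, label: "audit-ready" },
  { min: 70, label: "largely ready" },
  { min: 40, label: "partial readiness" },
  { min: 0, label: "significant gaps" },
];

// Constructed subset of the checklist; weights are assumed for illustration.
const QUESTIONS = [
  { id: "tr1", category: "Transparency", weight: 3, doc: "Privacy Policy", text: "Published privacy notice" },
  { id: "tr2", category: "Transparency", weight: 2, doc: "Privacy Policy", text: "Lawful basis documented for every activity" },
  { id: "co1", category: "Consent", weight: 2, doc: "Cookie Policy", text: "Strictly opt-in cookie banner" },
  { id: "co2", category: "Consent", weight: 1, doc: "Cookie Policy", text: "Consent metadata stored" },
  { id: "br1", category: "Breach", weight: 3, doc: "Breach Procedure", text: "Written breach procedure with 72-hour rule" },
  { id: "br2", category: "Breach", weight: 1, doc: "Breach Procedure", text: "Breach register maintained" },
  { id: "re1", category: "Retention", weight: 2, doc: "Data Retention", text: "Written retention policy" },
  { id: "ac1", category: "Accountability", weight: 2, doc: "ROPA", text: "ROPA maintained" },
  { id: "ve1", category: "Vendors", weight: 2, doc: "DPA", text: "Signed DPA with every processor" },
];

function bandFor(percent) {
  return BANDS.find((b) => percent >= b.min).label;
}

// answers: { questionId: "yes" | "unsure" | "no" }. Returns the overall percent,
// its band, a per-category percent, and the document that closes each gap.
function scoreAnswers(questions, answers) {
  let earned = 0;
  let available = 0;
  const perCategory = {};
  const gaps = {};
  for (const q of questions) {
    const answer = answers[q.id] === undefined ? "no" : answers[q.id]; // assumption: unanswered = No
    if (!(answer in ANSWER_VALUE)) throw new Error(`invalid answer for ${q.id}: ${answer}`);
    const points = q.weight * ANSWER_VALUE[answer];
    earned += points;
    available += q.weight;
    if (!perCategory[q.category]) perCategory[q.category] = { earned: 0, available: 0 };
    perCategory[q.category].earned += points;
    perCategory[q.category].available += q.weight;
    if (answer !== "yes") {
      if (!gaps[q.doc]) gaps[q.doc] = [];
      gaps[q.doc].push(q.text); // anything short of Yes is a gap the mapped document closes
    }
  }
  const percent = available === 0 ? 0 : Math.round((earned / available) * 100);
  const breakdown = {};
  for (const [name, c] of Object.entries(perCategory)) {
    breakdown[name] = Math.round((c.earned / c.available) * 100);
  }
  return { percent, band: bandFor(percent), breakdown, gaps };
}

// Autosave helpers: work with window.localStorage in a browser or with any
// object exposing getItem/setItem. Nothing leaves the device.
const STORAGE_KEY = "readiness-answers"; // assumed key name
function saveAnswers(storage, answers) {
  storage.setItem(STORAGE_KEY, JSON.stringify(answers));
}
function loadAnswers(storage) {
  const raw = storage.getItem(STORAGE_KEY);
  if (raw === null || raw === undefined) return {};
  try {
    const parsed = JSON.parse(raw);
    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
  } catch (e) {
    return {}; // corrupt or hand-edited saved state is discarded, not trusted
  }
}

// Constructed sample answers; ac1 is left unanswered and so counts as No.
const SAMPLE_ANSWERS = {
  tr1: "yes", tr2: "unsure", co1: "no", co2: "yes",
  br1: "yes", br2: "no", re1: "unsure", ve1: "yes",
};

console.log(JSON.stringify(scoreAnswers(QUESTIONS, SAMPLE_ANSWERS), null, 2));
```

With the sample answers the block reports 61% ("partial readiness"), a category breakdown such as Consent at 33% and Vendors at 100%, and five documents with open gaps; the DPA does not appear because the only vendor question was answered Yes. The `loadAnswers` helper ignores unparsable saved state so that a tampered or corrupted browser store cannot break the assessment.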
The Readiness Score tells you what you're missing. The CookieSentry GDPR pack delivers the missing artefacts — generated against your company, your country, and your actual processing activities. Pay only after you preview every document.
This self-assessment is a practical tool, not legal advice and not an audit. The application of GDPR obligations to a specific business depends on facts only counsel familiar with your jurisdiction can fully assess. Use the score as a structured starting point and supplement it with formal counsel review before relying on it for procurement, board reporting, or supervisory-authority correspondence.