📋 GDPR Document Templates
Below are structured outlines for the key documents your organization needs for GDPR compliance. These templates provide the sections and structure — you will need to customize the content for each organization's specific context, processing activities, and risk profile.
Privacy Notice Template
1. Who we are — Organization name, address, registration number, and contact details
2. Data Protection Officer — DPO name and contact details (or how to reach them)
3. What personal data we collect — Categories of data with specific examples
4. How we collect your data — Direct collection, automated collection, third-party sources
5. Why we process your data and our legal basis — Purpose-by-purpose breakdown with lawful basis for each
6. Who we share your data with — Categories of recipients (processors, third parties, public authorities)
7. International transfers — Countries data is transferred to and safeguards in place (SCCs, adequacy, etc.)
8. How long we keep your data — Retention periods by data category with justification
9. Your rights — Plain-language summary of all 8 rights with instructions on how to exercise them
10. Automated decision-making — Whether you use automated decisions/profiling and how individuals can challenge them
11. Cookies and tracking — Summary with link to full cookie policy
12. How to complain — How to contact the DPO and how to lodge a complaint with the supervisory authority
13. Changes to this notice — How and when the notice may be updated
14. Last updated — Date of the current version
Data Protection Impact Assessment (DPIA) Template
1. Project overview — Name, description, owner, date, and DPO involvement
2. Need for a DPIA — Why this assessment is being conducted and which criteria triggered it
3. Description of the processing — What data, whose data, how processed, by whom, for how long
4. Purpose and lawful basis — Why the processing is necessary and which Article 6 basis applies
5. Necessity and proportionality assessment — Is the processing necessary and proportionate to the purpose?
6. Risks to individuals — Identify risks: unauthorized access, data loss, function creep, discrimination, distress
7. Risk assessment matrix — Likelihood × Severity for each risk (Low/Medium/High/Critical)
8. Mitigation measures — Controls to reduce each risk with residual risk rating
9. Consultation — Input from the DPO, data subjects (where appropriate), and other stakeholders
10. Decision — Approve, approve with conditions, or refer to supervisory authority for prior consultation
11. Sign-off — Project owner, DPO, and senior management approval with dates
12. Review schedule — When the DPIA will be reviewed (at least annually or when processing changes)
DSAR Response Process Template
1. Request intake — Channels for receiving requests (email, web form, post, phone) and how to log them
2. Acknowledgment — Send acknowledgment within 2 business days confirming receipt and expected timeline
3. Identity verification — Steps to verify the requester's identity (proportionate to risk)
4. Scope clarification — If the request is unclear, contact the requester to clarify what data they want
5. Data search — Systems to search, departments to contact, and process for locating all personal data
6. Data compilation — How to compile data from multiple sources into a single response package
7. Third-party redaction — Process for identifying and redacting third-party personal data from the response
8. Exemption assessment — Checklist of valid exemptions (legal privilege, trade secrets, third-party rights)
9. Response preparation — Format (electronic, in a commonly used format), covering letter, and supplementary information
10. Quality review — DPO or senior reviewer sign-off before sending
11. Response delivery — Secure delivery method (encrypted email, secure portal, registered post)
12. Record keeping — Log the request, response, timeline, and any exemptions applied
Consent Form Template
1. Organization identity — Who is asking for consent (full legal name and contact details)
2. Purpose statement — Clear, specific description of EACH purpose for which consent is sought
3. Data description — What personal data will be processed for each purpose
4. Third-party sharing — Who the data will be shared with and why
5. Retention period — How long the data will be kept for each purpose
6. Rights information — Brief summary of rights including the right to withdraw consent at any time
7. Withdrawal instructions — Clear, simple instructions for withdrawing consent (must be as easy as giving it)
8. Granular consent checkboxes — Separate, unchecked checkbox for EACH distinct purpose
9. No bundling statement — Consent is not a condition of service (where applicable)
10. Signature/confirmation — Clear affirmative action (checkbox, signature, button click) with timestamp
Data Processing Agreement (DPA) Template
1. Parties — Controller and Processor identification and contact details
2. Subject matter and duration — Description of processing, duration, nature, and purpose
3. Types of personal data and data subjects — Categories of data and individuals affected
4. Controller obligations — Controller's responsibilities and instructions to the Processor
5. Processor obligations — Process only on documented instructions, ensure staff confidentiality, implement security measures
6. Sub-processing — Requirements for engaging sub-processors (prior authorization, equivalent contracts, notification)
7. Data subject rights — Processor's obligation to assist Controller in fulfilling data subject rights
8. Security measures — Specific technical and organizational measures the Processor must implement (Article 32)
9. Breach notification — Processor must notify Controller without undue delay (target: within 24 hours) of any breach
10. DPIA and prior consultation — Processor's obligation to assist with DPIAs and regulatory consultations
11. Data return and deletion — At end of service, Processor must return or delete all personal data and certify deletion
12. Audit rights — Controller's right to conduct or commission audits of the Processor's compliance
13. International transfers — Transfer mechanisms (SCCs, adequacy) if Processor is outside EU/EEA
14. Liability and indemnification — Allocation of liability for GDPR breaches between parties
Data Breach Notification Template (Supervisory Authority)
1. Controller details — Organization name, DPO contact, and reference number
2. Date and time — When the breach was discovered, when it occurred (if known), and reporting date
3. Nature of the breach — Type (confidentiality, integrity, availability), description of what happened
4. Data subjects affected — Categories (customers, employees, patients) and approximate number
5. Personal data affected — Categories of data involved and approximate number of records
6. Likely consequences — Assessment of likely impact on affected individuals
7. Measures taken — Actions already taken to contain the breach and mitigate its effects
8. Measures proposed — Additional actions planned to address the breach and prevent recurrence
9. Communication to individuals — Whether individuals have been or will be notified (and if not, why not)
10. Supporting documentation — Attach relevant evidence, logs, and investigation findings
Data Retention Schedule Template
1. Data category — Type of personal data (employee records, customer data, financial records, etc.)
2. Description — What specific data is included in this category
3. Source — How and where the data is collected
4. Storage location — Systems and physical locations where the data is stored
5. Lawful basis — Legal basis for processing this data
6. Retention period — How long the data is kept (with specific timeframe)
7. Retention justification — Legal, regulatory, or business reason for the retention period
8. Legal/regulatory requirement — Specific law or regulation mandating retention (if applicable)
9. Disposal method — How the data will be securely destroyed (digital deletion, shredding, etc.)
10. Review date — When this retention period will next be reviewed
11. Owner — Person or role responsible for managing this data category's retention
Privacy Impact Assessment Screening Questionnaire
1. Project name and description — Brief overview of the new project, system, or processing activity
2. Does it involve personal data? — If no, a DPIA is not required. If yes, continue.
3. Is it a new type of processing or a change to existing processing?
4. Does it involve large-scale processing of personal data?
5. Does it involve special category data or criminal offense data?
6. Does it involve systematic monitoring of individuals (CCTV, tracking, profiling)?
7. Does it involve automated decision-making with legal or significant effects?
8. Does it involve new technology that could have privacy implications?
9. Does it involve cross-border data transfers to countries without adequacy decisions?
10. Does it combine datasets in a way individuals would not reasonably expect?
11. Does it involve data about vulnerable individuals (children, patients, employees)?
12. Scoring — If two or more of questions 3 to 11 are answered yes, a full DPIA is required. If one is answered yes, consider a DPIA. If none, document the screening result and proceed.