Do you process special categories of personal data that require the presence of a Data Protection Officer (see Article 37 GDPR)?

Are you a public authority or body (except for Courts)?

Germany only: do you have 20 persons or more in your organization who process personal data on a regular basis?

If a Data Protection Officer has been appointed, has he or she been notified to your competent Data Protection Authority?

Do you have a Data Protection Management System in place?

Do you have a legal basis for all your processing operations on Personal Data?

Do you inform your employees, job applicants, clients and others about processing their Personal Data, and is the information you provide compliant with applicable rules and regulations?

Can you answer this question: "Does your organization store my Personal Data?"

Have you defined and documented proper technical and organizational measures to protect the data you process?

Have your employees signed a written obligation of confidentiality?

Have you checked whether you are required to perform a Data Protection Impact Analysis of your processing operations?

Do you have a register of data processing operations?

Do you outsource (partially or wholly) processing of Personal Data to subcontractors, and have you concluded Data Processing Agreements with those subcontractors?

Do you have a policy for deleting Personal Data in your organization?

Do you have regular training sessions on Data Protection?