GDPR website checklist — the parts that actually touch your website | Scanthra
May 2026
Who does GDPR apply to?
The General Data Protection Regulation (Regulation (EU) 2016/679) applies whenever you process personal data of people physically in the EU/EEA, even if your business is registered elsewhere. A US shop selling to Germans, a Polish freelancer with French clients, a Swiss consultancy collecting EU leads — all in scope.
"Personal data" is broader than most people assume: name, email, IP address, cookie identifiers, device fingerprints. So nearly every website handles it.
1. Privacy notice (Art. 13)
You must tell people what data you collect, why, on what legal basis, for how long, and what their rights are. Plain language, on a page linked from every other page (footer is the standard place).
Minimum sections to include:
- Controller identity + contact details.
- Purposes of processing and legal basis (consent / contract / legitimate interest / legal obligation).
- Categories of data and recipients (analytics providers, mailer, hosting).
- Retention periods.
- Data-subject rights (access, rectification, erasure, portability, objection) and how to exercise them.
- Whether data goes outside the EU/EEA and which safeguards apply (SCCs, adequacy decision).
- The right to lodge a complaint with a supervisory authority.
2. Cookie banner (ePrivacy + GDPR)
Non-essential cookies (analytics, ads, marketing pixels) require prior, informed, freely given consent. The 2024–2025 enforcement wave across the EU clarified what that means in practice:
- "Reject all" must be as easy as "Accept all" — same screen, same prominence. No dark patterns.
- No tracking before the user chooses. Don't pre-fire Google Analytics on page load.
- Essential cookies (session, CSRF, language preference) are fine without consent — but be honest about which are truly essential.
- Re-ask after 6–12 months; consent doesn't last forever.
Most consent-management platforms (Cookiebot, Iubenda, free alternatives like Klaro) do this correctly out of the box. The most common audit finding is people deploying GTM before the banner returns "accept".
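The gating logic the audit finding above is about, as an added example (not Scanthra's code and not any CMP's): non-essential tags are only injected after a stored "accept", a stored choice older than six months is treated as expired and the banner is shown again, and nothing fires while the banner is still open. The storage key, the button ids `consent-accept`/`consent-reject`, the six-month window and the GTM container id are assumptions chosen for the example.

```javascript
// Added example (not Scanthra's code): a minimal consent gate for non-essential tags.
// Assumptions: consent is stored as JSON under CONSENT_KEY; the banner has buttons with
// ids consent-accept / consent-reject; the GTM container id is a placeholder.

const CONSENT_KEY = "site-consent";                 // assumed storage key
const CONSENT_TTL_MS = 182 * 24 * 60 * 60 * 1000;   // ~6 months: re-ask after that

// Decide what to do on page load from a stored consent record (or null).
// Returns "prompt" (show banner, load nothing), "granted" or "denied".
function consentDecision(record, nowMs) {
  if (!record || typeof record.choice !== "string" || typeof record.at !== "number") {
    return "prompt";
  }
  if (nowMs - record.at > CONSENT_TTL_MS) {
    return "prompt"; // consent expired: ask again, and load nothing meanwhile
  }
  return record.choice === "accept" ? "granted" : "denied";
}

// Build the record to store when the user clicks a banner button.
function recordChoice(choice, nowMs) {
  if (choice !== "accept" && choice !== "reject") throw new Error("invalid choice");
  return { choice, at: nowMs };
}

// Run the tag loader only on "granted"; returns whether it ran.
function applyDecision(decision, loader) {
  if (decision === "granted") {
    loader();
    return true;
  }
  return false;
}

// Example loader: inject GTM only after consent (placeholder container id).
function loadGoogleTagManager() {
  const s = document.createElement("script");
  s.async = true;
  s.src = "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX"; // placeholder
  document.head.appendChild(s);
}

// Browser wiring; guarded so the file also loads under Node for testing.
if (typeof window !== "undefined") {
  const stored = JSON.parse(localStorage.getItem(CONSENT_KEY) || "null");
  const decision = consentDecision(stored, Date.now());
  if (decision === "prompt") {
    // Show the banner here; only a click stores a choice and (maybe) loads tags.
    document.getElementById("consent-accept")?.addEventListener("click", () => {
      localStorage.setItem(CONSENT_KEY, JSON.stringify(recordChoice("accept", Date.now())));
      applyDecision("granted", loadGoogleTagManager);
    });
    document.getElementById("consent-reject")?.addEventListener("click", () => {
      localStorage.setItem(CONSENT_KEY, JSON.stringify(recordChoice("reject", Date.now())));
    });
  } else {
    applyDecision(decision, loadGoogleTagManager);
  }
}
```

The point to check in your own setup is the order of operations: the GTM snippet must live inside a loader like `loadGoogleTagManager`, not in the page `<head>`, otherwise the network tab will show requests before the banner has returned anything.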
3. Data-subject request channel
A user must be able to request access to, correction of, or deletion of their data. You have 30 days to respond (Art. 12(3)). For most small websites a simple form or email address is enough — what matters is that the channel exists, is easy to find and is monitored.
Scanthra has its own data-deletion request form as a public example.
4. HTTPS everywhere (Art. 32)
Article 32 requires "appropriate technical measures" to protect personal data. A login form, contact form or checkout transmitted over HTTP is the easiest "appropriate measure" failure to demonstrate. Modern TLS is free (Let's Encrypt) and one-command in most setups. See our TLS guide for the details.
5. Breach reporting plan (Art. 33–34)
If a breach is likely to result in a risk to people's rights and freedoms, you must notify your supervisory authority within 72 hours of becoming aware. If the risk is high, you must also notify affected individuals "without undue delay".
The website-level prerequisites:
- A page or footer link explaining how users can report a security issue (see our security.txt guide).
- An internal runbook that maps "what kind of incident triggers a 72-hour notification" — so you don't waste the first 24 hours debating it.
- A relationship with your supervisory authority's portal (e.g. CNIL, BfDI, UODO, Garante, AEPD) — registered before you need it.
6. Records of processing (Art. 30)
Not visible on the website, but website-driven. You must keep a written record of every way you process personal data: the contact form, the newsletter, the booking system, the analytics, the remarketing pixel, the support chat. Each entry lists the purpose, categories, recipients, retention and security measures.
A simple spreadsheet works. The point is to have one — the €100,000 fines published by various DPAs over the past two years often cite "no Article 30 record provided" as an aggravating factor.
7. International transfers (Chap. V)
If your analytics, mailer or CRM is in the US (Google Analytics, HubSpot, Mailchimp, Klaviyo), you're transferring personal data outside the EU. Since 10 July 2023, the EU–US Data Privacy Framework provides an adequacy decision for participating US companies. Otherwise, you need Standard Contractual Clauses signed with the vendor and ideally a transfer impact assessment.
Most major SaaS vendors have a "GDPR Data Processing Addendum" you can download with one click. Sign it and keep a copy.
The website-level audit, in 30 minutes
- Open your privacy notice from the footer. Does it cover all seven Art. 13 points?
- Visit your site in an incognito window. Does the banner show "Reject all" with equal prominence?
- Open the network tab before clicking the banner. Are any analytics/marketing requests already firing? They shouldn't be.
- Find the deletion-request channel. Is it within two clicks from the homepage?
- Visit your site over HTTP (e.g. http://yoursite.com) — does it redirect to HTTPS?
- Open /.well-known/security.txt. Does it exist?
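The last two audit steps, scripted as an added example (not Scanthra's scanner): one function judges the first response to `http://<host>/` (fetched without following redirects), another judges the `/.well-known/security.txt` body against the two fields RFC 9116 makes mandatory (Contact and Expires), and a small Node 18+ runner feeds them live responses for a host you operate. The finding strings, the `--host` flag and the choice of which status codes count as a redirect are this example's own.

```javascript
// Added example (not Scanthra's code): the HTTP-redirect and security.txt checks
// from the 30-minute audit, as pure evaluators plus a Node 18+ runner (global fetch).
// Assumptions: you run it against your own host; findings are plain strings.

// Judge the "does HTTP redirect to HTTPS?" step from the un-followed first response.
function evaluateHttpRedirect(host, status, location) {
  const findings = [];
  if (![301, 302, 307, 308].includes(status)) {
    findings.push(`http://${host}/ answered ${status} instead of redirecting to HTTPS`);
    return findings;
  }
  let target;
  try {
    target = new URL(location || "", `http://${host}/`); // relative Location resolves against the request
  } catch {
    findings.push("redirect has an unparsable Location header");
    return findings;
  }
  if (target.protocol !== "https:") {
    findings.push(`redirect points to ${target.href}, which is not HTTPS`);
  }
  if (target.hostname !== host) {
    findings.push(`redirect leaves the host (${target.hostname}); check it still ends on HTTPS`);
  }
  if (status !== 301 && status !== 308) {
    findings.push(`redirect is ${status}; a permanent 301/308 is the usual choice`);
  }
  return findings;
}

// Judge the security.txt step: RFC 9116 requires a Contact field and an Expires field.
// nowMs is a parameter so the expiry check is testable with a fixed clock.
function evaluateSecurityTxt(status, body, nowMs = Date.now()) {
  const findings = [];
  if (status !== 200) {
    findings.push(`/.well-known/security.txt returned ${status}`);
    return findings;
  }
  const fields = new Map();
  for (const line of body.split(/\r?\n/)) {
    const m = line.match(/^([A-Za-z-]+):\s*(.+)$/); // "Field: value", comments start with #
    if (m) fields.set(m[1].toLowerCase(), m[2].trim());
  }
  if (!fields.has("contact")) findings.push("security.txt has no Contact: field");
  if (!fields.has("expires")) {
    findings.push("security.txt has no Expires: field");
  } else {
    const exp = Date.parse(fields.get("expires"));
    if (Number.isNaN(exp)) findings.push("security.txt Expires: is not a parsable date");
    else if (exp < nowMs) findings.push("security.txt has expired");
  }
  return findings;
}

// Live runner: fetch both URLs and return the combined findings.
async function auditSite(host) {
  const http = await fetch(`http://${host}/`, { redirect: "manual" });
  const sec = await fetch(`https://${host}/.well-known/security.txt`);
  return [
    ...evaluateHttpRedirect(host, http.status, http.headers.get("location")),
    ...evaluateSecurityTxt(sec.status, sec.status === 200 ? await sec.text() : ""),
  ];
}

// Usage: node audit.js --host yoursite.com
if (typeof process !== "undefined") {
  const i = process.argv.indexOf("--host");
  if (i > -1 && process.argv[i + 1]) {
    auditSite(process.argv[i + 1])
      .then((f) => console.log(f.length ? f.join("\n") : "no findings"))
      .catch((e) => console.error(e.message));
  }
}
```

Note that `redirect: "manual"` is what makes the first check meaningful: with the default follow behaviour you would only see the final 200 and could not tell whether the HTTP entry point redirected at all.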
How Scanthra helps
Scanthra's Compliance map in the PDF report tags each finding with the GDPR article it relates to (most commonly Art. 32). Items that touch GDPR directly — missing HTTPS, missing security headers, exposed credentials, missing security.txt — are flagged with both their technical impact and their compliance angle.
This article is for general information and does not constitute legal advice. For binding GDPR interpretation, consult a qualified lawyer or your national data protection authority.