Legal Compliance Checker

GDPR Compliance Checklist for EU Launch

Note: This is guidance for discussion with your legal team, not legal advice.

Critical Requirements (Must Have Before Launch)

1. Legal Basis for Processing (Art. 6)

• Map every data processing activity to a legal basis (consent, contract, legitimate interest)
• Consent must be freely given, specific, informed, and unambiguous
• No pre-ticked boxes — active opt-in required

2. Privacy Policy (Art. 13-14)

• Must explain: what data you collect, why, how long you keep it, who you share it with
• Must list user rights: access, rectification, erasure, portability, objection
• Must name your Data Protection Officer if applicable
• Must be in plain language, not legalese

3. Data Subject Rights (Art. 15-22)

• Right to access: respond within 30 days
• Right to erasure ('right to be forgotten'): must delete on request unless legal obligation to retain
• Right to data portability: provide data in machine-readable format
• You need a DSAR (Data Subject Access Request) handling process

4. Cross-Border Transfers (Art. 46)

• If data leaves the EU: need Standard Contractual Clauses (SCCs) or adequacy decision
• US-EU Data Privacy Framework if certified

Assessment

| Area | Status | Effort | Priority | |------|--------|--------|----------| | Privacy Policy | Need to create | 3-5 days | CRITICAL | | Consent management | Need to implement | 2 weeks | CRITICAL | | DSAR process | Does not exist | 1 week | CRITICAL | | Data Processing Agreements | Need with all vendors | 2 weeks | HIGH | | Cookie consent banner | Need to add | 2 days | HIGH |

Timeline: Minimum 4-6 weeks before EU launch with focused effort.

Data Erasure Request (GDPR Art. 17) — Response Protocol

Response deadline: 30 calendar days from receipt

Step 1: Verify Identity (Day 1)

Confirm the requester is who they claim to be. Ask for:

• Email verification from the account email
• Last 4 digits of payment method on file
• Do NOT ask for government ID unless necessary — proportionality principle

Step 2: Inventory Data (Day 1-3)

Locate all personal data across systems: | System | Data Types | Can Delete? | |--------|-----------|-------------| | PostgreSQL (profiles) | Name, email, preferences | Yes | | Stripe | Payment history, card info | Stripe retains for compliance | | Server logs | IP addresses, timestamps | Yes (after 90-day retention) | | Backups | All of the above | Overwrite on next rotation | | Email/SendGrid | Email address, templates | Yes |

Step 3: Check Exceptions (Day 3-5)

You may RETAIN data if:

• Legal obligation (tax records: 7 years, financial records per local law)
• Ongoing contractual obligation (active subscription with unpaid balance)
• Legal claims (litigation hold)

Step 4: Execute Deletion (Day 5-14)

1. Delete profile and user data from PostgreSQL
2. Anonymize usage analytics (replace user_id with hash)
3. Request Stripe to delete customer record (they process within 30 days)
4. Remove from email lists (SendGrid suppression list)
5. Mark for backup rotation exclusion

Step 5: Confirm (Day 14-30)

Send written confirmation to the user: 'Your personal data has been deleted from our systems as of [date]. Certain data may be retained in encrypted backups for up to [X] days and in third-party systems per their retention policies.'

Have your attorney review the retention exceptions before responding.