GDPR Website Audit Checklist: 15 Points Every Site Must Cover
Under Regulation (EU) 2016/679 (GDPR), your website is not just a marketing asset — it is a data processing interface with specific legal obligations attached. Every form submission, analytics tracker, contact inquiry, and cookie that loads on a visitor's browser falls within the scope of the regulation. Yet most organizations treat their website's GDPR compliance as a one-time setup task rather than an ongoing audit discipline.
This checklist covers the 15 most commonly deficient areas that EDPB guidance and national supervisory authority enforcement decisions have identified. Work through it systematically. Where you find gaps, the fix is usually straightforward.
1. Privacy Notice Is Present and Accessible
Legal basis: Articles 13-14 GDPR
Your privacy notice must be accessible from every page of your website — typically via a footer link. The link must be labeled clearly ("Privacy Policy," "Privacy Notice," or equivalent) and must not be hidden in a sea of other footer links.
Audit check: Can a first-time visitor find your privacy notice within 2 clicks from any page? Is the link visible without scrolling on desktop?
2. Privacy Notice Contains All Required Information (Article 13)
For data collected directly from individuals visiting your site, Article 13 requires the privacy notice to contain:
- Identity and contact details of the data controller
- Contact details of the Data Protection Officer (if applicable)
- Purposes and legal basis for each processing activity
- Legitimate interests pursued (if legitimate interest is the legal basis)
- Recipients or categories of recipients of personal data
- Transfers to third countries and the safeguards in place
- Retention periods for each category of data
- Data subject rights (access, rectification, erasure, restriction, portability, objection)
- Right to withdraw consent at any time (where consent is the legal basis)
- Right to lodge a complaint with a supervisory authority
- Whether providing data is a statutory or contractual requirement, and consequences of not providing it
- The existence of any automated decision-making, including profiling
Audit check: Map each of these elements against your current privacy notice, section by section. Flag missing items for remediation.
3. Legal Basis Is Identified for Each Processing Activity
Legal basis: Article 6 GDPR
Your privacy notice must identify the legal basis for each category of processing. Vague statements like "we process your data to improve our services" are insufficient.
Common website processing activities and typical legal bases:
| Processing Activity | Common Legal Basis |
|---|---|
| Contact form submissions | Legitimate interest or contract |
| Account registration | Contract |
| Newsletter subscription | Consent |
| Analytics (GA, Matomo) | Consent or legitimate interest (see cookie section) |
| Live chat | Legitimate interest or consent |
| Job applications | Pre-contractual measures (Article 6(1)(b)) |
| Payment processing | Contract |
Audit check: Does your privacy notice explicitly identify the legal basis for analytics tracking, contact forms, and any marketing processing?
4. Cookie Banner Obtains Valid Consent
Legal basis: Article 5(3) of the ePrivacy Directive (2002/58/EC), which defines consent by reference to the GDPR (Articles 4(11) and 7)
Your cookie consent mechanism must meet GDPR standard consent requirements:
- Freely given (no pre-ticked boxes, and no cookie wall that makes access to the site conditional on accepting non-essential cookies)
- Specific (granular options for different categories — analytics, marketing, functional)
- Informed (clear description of what each category does)
- Unambiguous (affirmative action required — scrolling or continued browsing does NOT constitute consent)
- Easily withdrawable (as easy to withdraw as to give)
Audit check: Can users accept only analytics cookies without also accepting marketing cookies? Is there a clearly visible "Reject All" option? Does the banner record consent with a timestamp?
5. Cookies Are Categorized Correctly
Not all cookies require consent. Categorization determines which cookies can load before consent and which must wait.
| Category | Consent Required? |
|---|---|
| Strictly necessary (session, login, load balancing) | No |
| Functional / Preference (language, currency) | Conditional (exempt only where strictly necessary for a feature the user explicitly requested; otherwise consent) |
| Analytics / Statistics | Yes (a few national authorities, e.g. CNIL, exempt narrowly configured first-party audience measurement) |
| Marketing / Advertising | Yes |
| Social media pixels | Yes |
Audit check: Scan your site with a cookie scanner, loading pages without interacting with the banner. Compare the cookies present before consent against your "strictly necessary" list. Any analytics or marketing cookie set before consent breaches Article 5(3) ePrivacy, and the processing that follows from it has no valid GDPR basis.
6. Third-Party Services Are Disclosed and Controlled
Most websites load dozens of third-party scripts — analytics platforms, tag managers, CDNs, chat widgets, social media embeds. Each of these transfers visitor data to a third party and must be:
- Disclosed in your privacy notice (with identity and purpose of each provider)
- Subject to a Data Processing Agreement (DPA) if the provider processes data on your behalf
- Covered by a valid transfer mechanism (an adequacy decision, the provider's DPF certification, or SCCs together with a Transfer Impact Assessment) if personal data leaves the EEA
Audit check: Generate a complete list of third parties that receive data from your website, including the hosts your pages contact before consent. Verify DPAs are in place. For each provider headquartered in the US or another third country, record which transfer mechanism applies (DPF listing, SCCs, or adequacy) and where that is documented.
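Items 5 and 6 come down to the same technical measurement: what the browser sent out, and what it stored, before the visitor touched the banner. The following Python script is an added example for this checklist, not code from the original page. It assumes two inputs captured from a page load with the banner left untouched: a HAR export of the network traffic, and a dump of the cookie jar as a list of {"name", "domain"} dicts (the shape Playwright's context.cookies() returns, or what you get from a DevTools cookie export). The sample HAR and cookie jar are constructed, and the allow-list and tracker table are assumptions to replace with your own inventory.

```python
"""Pre-consent cookie and third-party audit (checklist items 5 and 6).

Added example; assumes a HAR and a cookie-jar dump captured WITHOUT
interacting with the consent banner. Sample inputs below are constructed.
"""
import json
from urllib.parse import urlparse

# Assumed allow-list: the only cookies this site needs before consent.
STRICTLY_NECESSARY = {"PHPSESSID", "csrftoken", "cookie_consent"}

# Assumed map of cookie-name prefixes to the tool that sets them (illustrative).
KNOWN_TRACKERS = {
    "_ga": "Google Analytics",
    "_gid": "Google Analytics",
    "_fbp": "Meta Pixel",
    "_hj": "Hotjar",
}


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: sample hosts have no
    multi-label public suffix such as co.uk; use a PSL library for real runs."""
    labels = host.lower().lstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def cookie_name(set_cookie_value):
    """Extract the cookie name from a Set-Cookie header value."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def classify(name):
    """Return (category, vendor) for a cookie name."""
    if name in STRICTLY_NECESSARY:
        return "strictly_necessary", None
    for prefix, vendor in KNOWN_TRACKERS.items():
        if name.startswith(prefix):
            return "tracker", vendor
    return "unclassified", None  # must be classified manually before go-live


def audit_pre_consent(har, cookie_jar, site_host):
    """Report third parties contacted and non-essential cookies present before consent."""
    first_party = registrable_domain(site_host)
    third_parties = {}   # registrable domain -> number of requests
    seen = {}            # cookie name -> host/domain that holds it

    # 1. Network side: every host that is not ours received visitor data
    #    (at minimum IP address, user agent and referrer), consent or not.
    for entry in har["log"]["entries"]:
        host = urlparse(entry["request"]["url"]).hostname or ""
        domain = registrable_domain(host)
        if domain != first_party:
            third_parties[domain] = third_parties.get(domain, 0) + 1
        # Cookies set through response headers.
        for h in entry["response"].get("headers", []):
            if h["name"].lower() == "set-cookie":
                seen.setdefault(cookie_name(h["value"]), host)

    # 2. Cookie-jar side: catches cookies written by JavaScript (document.cookie),
    #    which is how most analytics tags set theirs and which a HAR never shows.
    for c in cookie_jar:
        seen.setdefault(c["name"], c["domain"].lstrip("."))

    findings = []
    for name, domain in sorted(seen.items()):
        category, vendor = classify(name)
        if category != "strictly_necessary":
            findings.append({"cookie": name, "domain": domain,
                             "category": category, "vendor": vendor})
    return {"third_parties": third_parties, "non_essential_cookies": findings}


# Constructed sample HAR: first-party page load, one analytics hit, one CDN asset.
SAMPLE_HAR = json.loads("""{"log": {"version": "1.2", "entries": [
  {"request": {"url": "https://www.example.com/"},
   "response": {"status": 200, "headers": [
     {"name": "Set-Cookie", "value": "PHPSESSID=abc123; Path=/; HttpOnly; Secure"}]}},
  {"request": {"url": "https://www.google-analytics.com/g/collect?v=2&en=page_view"},
   "response": {"status": 204, "headers": []}},
  {"request": {"url": "https://cdn.example-assets.net/app.js"},
   "response": {"status": 200, "headers": []}}
]}}""")

# Constructed cookie jar after the same load, banner untouched.
SAMPLE_JAR = [
    {"name": "PHPSESSID", "domain": "www.example.com"},
    {"name": "_ga", "domain": ".example.com"},
    {"name": "_ga_ABC123", "domain": ".example.com"},  # placeholder GA4 property suffix
    {"name": "_fbp", "domain": ".example.com"},
]

if __name__ == "__main__":
    report = audit_pre_consent(SAMPLE_HAR, SAMPLE_JAR, "www.example.com")
    print(json.dumps(report, indent=2))
```

On the constructed sample the report lists google-analytics.com and example-assets.net as third parties contacted before consent and flags _fbp, _ga and _ga_ABC123 as non-essential cookies already present, while PHPSESSID passes. Two points matter for a real run: the analytics hit is a finding on its own even before any cookie is considered, because the request already carried the visitor's IP address to a third party; and the cookie jar is essential, since GA4 and most tag-based tools set their cookies from JavaScript, so a HAR alone would have shown only PHPSESSID.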
7. Google Analytics / Third-Country Transfers Are Addressed
Following the Schrems II ruling and subsequent enforcement actions across the EU, the use of Google Analytics (and similar US-based tools) has been scrutinized closely by national supervisory authorities in Austria, France, Italy, and others. The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides a legal mechanism for these transfers — but only for companies that have self-certified under the DPF.
Audit check: If you use Google Analytics 4, confirm Google LLC is listed under the DPF and that your privacy notice discloses the transfer mechanism. Note that DPF certification addresses the transfer question only; the cookies and identifiers the tool sets still require consent under item 4. Consider whether server-side collection with IP truncation and no cross-site identifiers reduces what is transferred in the first place.
8. Data Subject Rights Are Actionable
Legal basis: Articles 15-22 GDPR
Your privacy notice must inform visitors of their rights. But notification is not sufficient: you must have functioning processes to honor requests within one month of receipt (Article 12(3)), extendable by a further two months where a request is complex or numerous, provided you tell the requester about the extension within the first month.
Rights applicable to website visitors:
- Right of access (Article 15) — obtain a copy of their data
- Right to rectification (Article 16) — correct inaccurate data
- Right to erasure (Article 17) — "right to be forgotten"
- Right to restriction of processing (Article 18)
- Right to data portability (Article 20) — for consent or contract-based processing carried out by automated means
- Right to object (Article 21) — particularly to direct marketing and legitimate interest processing
Audit check: Is there a visible mechanism for users to submit rights requests? Is there an internal process to handle them? Have you tested it recently?
9. Contact Form Has Minimal Data Collection
Legal basis: Article 5(1)(c) — data minimisation principle
Contact forms should collect only the information genuinely necessary for the stated purpose. A general inquiry form does not need the user's phone number, company size, or job title.
Audit check: Review every form on your site. Remove fields that are not strictly necessary for the stated purpose. Make optional fields clearly marked as optional.
10. Records of Processing Activities (RoPA) Are Maintained
Legal basis: Article 30 GDPR
Organizations with 250+ employees must maintain a Record of Processing Activities. The exemption for smaller organizations does not apply if processing is "likely to result in a risk to the rights and freedoms of data subjects," is not occasional, or includes special category data.
For most websites, processing is regular and ongoing — meaning the RoPA obligation typically applies.
Audit check: Does your organization maintain an up-to-date RoPA that includes website-based processing activities? Is it updated when you add new tracking tools or change data flows?
11. Processor Agreements Are in Place
Legal basis: Article 28 GDPR
Any third-party vendor that processes personal data on your behalf — your email service provider, analytics platform, CRM, hosting provider, live chat tool — must have a Data Processing Agreement in place.
Audit check: Inventory all software vendors that handle visitor or customer data collected through your website. Verify DPAs are signed and current. Most major providers now offer DPAs through their privacy settings — check they have been properly executed.
12. Special Category Data Is Not Processed Without Explicit Basis
Legal basis: Article 9 GDPR
Special category data (health, religion, political opinions, biometric data, sexual orientation, racial origin) requires explicit consent or another Article 9(2) condition. If your website collects any information that could be inferred as special category — for example, a health service website that logs which health pages a user visits — you need a specific legal basis.
Audit check: Does your site inadvertently collect or infer special category data through its analytics or personalization functions? If yes, what is the legal basis?
13. Children's Data Protections Are Applied Where Relevant
Legal basis: Article 8 GDPR
Article 8 applies where you offer information society services directly to a child and rely on consent as the legal basis: consent is valid only from age 16 (or a lower age set by your Member State, with a floor of 13), and below that age it must be given or authorised by the holder of parental responsibility, with reasonable efforts made to verify this. Even if your service is not targeted at children, if a child could reasonably access it, you should consider age assurance or age-appropriate privacy protections.
Audit check: Is your service potentially used by individuals under 16? If so, what measures are in place to address children's data?
14. Data Breach Response Procedures Are Documented
Legal basis: Articles 33-34 GDPR
Your website is a vector for data breaches, whether through compromised forms, script injection, or third-party vendor breaches. Article 33 requires notification to your supervisory authority without undue delay and within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals; Article 34 additionally requires communicating the breach to the affected individuals where it is likely to result in a high risk.
Audit check: Does your organization have a documented data breach response procedure? Is there a named person responsible for making the 72-hour notification decision?
15. Privacy Notice Is Reviewed and Updated Regularly
GDPR does not set an explicit review frequency for privacy notices, but the accountability principle (Article 5(2)) requires that processing information remain accurate. Technology stacks change, vendor relationships evolve, and new data flows emerge.
Audit check: When was your privacy notice last reviewed? Does it reflect your current technology stack, including all tracking pixels and third-party integrations currently loaded on your site?
Priority Remediation Order
If you find multiple gaps, address them in this order based on enforcement priority:
- Cookie consent mechanism (most frequently enforced)
- Privacy notice completeness (Articles 13-14)
- Third-country transfer mechanisms (US-based vendors)
- Data subject rights processes
- Processor agreements
WarDek scans your website's technical security posture, including identifying exposed endpoints and misconfigurations that create GDPR breach risk — complementing your legal compliance work with continuous technical monitoring.
For more on the intersection of NIS2 and GDPR obligations, see our NIS2 compliance guide for businesses.
This checklist reflects the requirements of Regulation (EU) 2016/679 (GDPR) as interpreted by EDPB guidelines. It is not legal advice. Consult qualified legal counsel for jurisdiction-specific guidance and complex processing scenarios.