The 5-Minute DSGVO Compliance Checklist for Web Projects
DSGVO compliance isn't a legal essay. It's a set of technical and procedural decisions. Here's the checklist we use before any project launch.
Data Collection
- [ ] List all data you collect (name, email, IP, cookies, analytics)
- [ ] For each: why do you need it? (purpose limitation)
- [ ] For each: how long do you keep it? (storage limitation)
- [ ] Can you delete it on user request? (right to erasure)
Technical Measures
- [ ] HTTPS everywhere (TLS 1.3)
- [ ] No third-party trackers (Google Analytics, Facebook Pixel) without consent
- [ ] Cookie banner for non-essential cookies (strict opt-in)
- [ ] Server location in EU (or SCCs for non-EU)
- [ ] Access logs stripped of PII or rotated after 30 days
- [ ] Database encryption at rest
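An added example for the "access logs stripped of PII" and "rotated after 30 days" items above (illustration written for this checklist, not code from the original post): it assumes nginx/Apache combined log format, masks IPv4 to /24 and IPv6 to /48, drops the remote-user field, redacts email addresses in the request line, and checks a rotated file's age against the retention window.

```python
"""Strip PII from combined-format access log lines and check log retention.
Assumptions: combined log format, IPv4 masked to /24, IPv6 masked to /48,
email addresses in the request line redacted, 30-day retention window."""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample: two combined-format lines (not a real log).
SAMPLE_LOG = """203.0.113.42 - alice [10/Oct/2024:13:55:36 +0200] "GET /account?email=alice@example.org HTTP/1.1" 200 512 "-" "Mozilla/5.0"
2001:db8:abcd:1234::7 - - [10/Oct/2024:13:55:37 +0200] "POST /login HTTP/2.0" 302 0 "https://example.org/" "curl/8.0"
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def mask_ip(raw: str) -> str:
    """Truncate an address so it no longer points at a single host."""
    addr = ipaddress.ip_address(raw)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymize_line(line: str) -> str:
    """Mask the client IP, blank the remote user, redact emails in the rest."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return line  # not a combined-format line; leave untouched
    ip, ident, _user, rest = parts
    try:
        ip = mask_ip(ip)
    except ValueError:
        ip = "0.0.0.0"  # unparsable source field: drop it rather than keep it
    rest = EMAIL_RE.sub("[redacted]", rest)
    return f"{ip} {ident} - {rest}"


def anonymize_log(text: str) -> list[str]:
    """Anonymize every non-empty line of a log file's contents."""
    return [anonymize_line(l) for l in text.splitlines() if l.strip()]


def retention_expired(mtime_iso: str, now_iso: str, days: int = 30) -> bool:
    """True when a rotated log (ISO-8601 mtime) is older than the window."""
    mtime = datetime.fromisoformat(mtime_iso)
    now = datetime.fromisoformat(now_iso)
    return now - mtime > timedelta(days=days)
```

Run `anonymize_log` in the rotation hook before the file is retained, and delete any rotated file for which `retention_expired` returns True.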
Documentation
- [ ] Privacy policy (German + English, plain language)
- [ ] Data processing agreement (if using third-party services)
- [ ] Incident response plan (72-hour notification requirement)
- [ ] User rights procedure (how to handle access/erasure requests)
Team
- [ ] Data protection officer (required for > 10 employees processing personal data)
- [ ] Employee training (annual, documented)
- [ ] Access controls (role-based, minimal privilege)
Quick Wins
Replace Google Analytics with Plausible (€9/month, EU-hosted, no cookies).
Replace reCAPTCHA with hCaptcha or Friendly Captcha (better privacy posture).
Host in EU (Hetzner, OVH, Scaleway — all cheaper than AWS anyway).
The Honest Truth
Most DSGVO violations aren't malicious. They're careless:
- Forgetting to add a privacy policy
- Logging IPs indefinitely
- Using US-hosted analytics without SCCs
- Not documenting data flows
This checklist fixes the careless mistakes. The hard stuff (legitimate interest assessments, DPIAs) comes later — but only after the basics are solid.
Graham Miranda is the founder of Graham Miranda UG (Berlin, HRB 36794), building DSGVO-compliant automation and privacy tools.