Are your Website Integrations Privacy-Compliant?

Review cookie purpose, scope, and lifespan using browser developer tools.

Example: In Chrome DevTools → Application → Cookies, verify that no cookies associated with non-essential functionality are present prior to consent (for example, cookies used for tracking, measurement, personalization, or third-party services).

Any cookies observed should be limited to essential site functionality, scoped to the first-party domain, and have a short or session-based lifespan.

Inspect Session Storage entries during an active browsing session and assess their function.

Example: In DevTools → Application → Session Storage, observe temporary values such as page state or short-lived interaction flags. Refreshing the page or opening a new tab should clear these entries, and no unique identifiers or values that persist across sessions should be present.

Reload the site or start a new session and compare Session Storage values.

Positive result: No values persist across sessions, and no identifiers remain stable between page reloads or new sessions.

Negative result: One or more values persist unchanged across sessions or enable recognition of the same visitor over time.

Inspect Local Storage values and monitor whether identifiers persist across visits.

Positive result: Local Storage is empty or contains only non-identifying configuration values that do not enable visitor recognition across visits.

Negative result: Persistent or unique values remain stored across visits and could be used to recognize or re-identify a returning visitor.

Disable cookies in the browser and observe whether identification or tracking persists.

Positive result: No identifiers or tracking mechanisms persist once cookies are disabled, and no alternative browser storage (for example, Local Storage or Session Storage) is used to recreate cookie-like tracking or visitor recognition.

Negative result: Tracking, visitor recognition, or identifiers continue to persist despite cookies being disabled, indicating the use of browser storage or other mechanisms to bypass cookie restrictions.

Compare observed storage behavior with information provided in privacy documentation.

Positive result: All observed storage behavior matches the documented descriptions, purposes, and limitations, and no undocumented or unexplained storage entries or identifiers are present.

Negative result: Client-side storage behavior is inconsistent with documentation, insufficiently explained, or includes undocumented values, identifiers, or purposes that cannot be clearly justified or verified.

Inspect network requests, browser storage, and request payloads for patterns consistent with fingerprinting techniques, such as stable high-entropy identifiers, cross-session persistence, or identifiers derived from combined device or browser attributes. Verification should be based on observed behavior across sessions and configurations, not a single script snapshot.

Positive result: No stable or high-entropy identifiers are observed, no identifiers persist across sessions, and no combined technical signals are used to derive a consistent visitor identity prior to valid consent.

Negative result: Stable identifiers, cross-session persistence, or identifiers derived from combined technical signals are observed without valid consent, indicating fingerprinting behavior.

Review request payloads, transmitted parameters, and stored values for evidence that multiple technical signals (e.g., device characteristics, browser attributes, timing patterns) are combined or correlated to recognize returning visitors.

Positive result: No combined or correlated technical signals are used to probabilistically recognize or re-identify visitors.

Negative result: Multiple technical signals are combined or correlated in a way that enables probabilistic or derived visitor identification.

Clear browser storage, reload the site, or start a new browsing session, and compare transmitted values or request patterns across sessions to determine whether identifiers are recreated or remain stable.

Positive result: No identifiers are recreated, reused, or remain stable across sessions once storage is cleared.

Negative result: Identifiers are recreated or remain consistent across sessions despite storage being cleared, enabling visitor recognition.

Compare observed identification behavior, request data, and storage usage with the descriptions provided in privacy notices and technical documentation.

Positive result: All observed identification behavior aligns with documented descriptions, purposes, and limitations, and no undocumented identifiers or mechanisms are present.

Negative result: Identification behavior is inconsistent with documentation, insufficiently explained, or includes undocumented identifiers or mechanisms.

Observe identification behavior before consent is given, after consent is granted, and after consent is withdrawn, and compare whether behavior changes consistently with consent status.

Positive result: Identification behavior changes appropriately based on consent status and is applied consistently before consent, after consent is granted, and after consent withdrawal.

Negative result: Identification behavior does not change based on consent status, or continues unchanged after consent is refused or withdrawn.

Refuse or withdraw consent, disable cookies and browser storage, and observe whether visitor identification persists through alternative techniques such as fingerprinting or derived identifiers.

Positive result: No visitor identification persists after consent refusal or withdrawal, and no alternative identification techniques are observed.

Negative result: Visitor identification continues after consent refusal or withdrawal through alternative or substitute identification methods.

Load the site without interacting with the consent interface and monitor network requests and browser storage activity.

Positive result: No consent-dependent tracking, processing, or storage activity occurs before consent is given.

Negative result: Tracking, processing, or storage activity that depends on consent occurs before consent is given.

Review declared lawful basis in documentation and verify that observed data collection and processing behavior matches the stated lawful basis.

Positive result: Observed processing behavior aligns with the declared lawful basis and applicable legal requirements.

Negative result: Processing behavior does not align with the declared lawful basis or lacks a valid lawful basis.

Compare network requests and browser storage usage before consent, after consent is granted, and when consent is not given.

Positive result: Data collection behavior changes appropriately based on the user’s consent choice.

Negative result: Data collection behavior does not change or continues unchanged despite the user’s consent choice.

Review the consent prompt for clear purposes, granular choices where relevant, equal ease of refusal, and access to detailed information, then confirm no consent-based requests occur until consent is obtained.

Positive result: Consent is presented clearly and freely, and no consent-based processing occurs before consent is given.

Negative result: Consent is unclear, coerced, bundled, or consent-based processing occurs before consent is obtained.

Explicitly refuse consent and observe whether consent-dependent tracking, processing, or storage occurs.

Positive result: No consent-based tracking or processing occurs after consent is refused.

Negative result: Consent-based tracking or processing occurs despite consent being refused.

Withdraw consent and verify that consent-based tracking or processing stops and does not resume unless consent is given again.

Positive result: Consent-based processing stops after withdrawal and does not resume without renewed consent.

Negative result: Consent-based processing continues or resumes without renewed consent.

Disable cookies and relevant browser storage, refuse or withdraw consent, and observe whether tracking or identification persists through other mechanisms.

Positive result: No tracking or identification persists after consent refusal or withdrawal.

Negative result: Tracking or identification persists through alternative or substitute mechanisms despite consent refusal or withdrawal.

Review legitimate interest documentation and assess whether the scope of collected data aligns with necessity, proportionality, and the stated purpose.

Positive result: Data collection is limited to what is necessary and proportionate to the stated legitimate interest.

Negative result: Data collection exceeds what is necessary or cannot be reasonably justified under legitimate interest.

Test site behavior from EU and non-EU locations and verify that EU users receive compliant consent handling and lawful-basis processing behavior.

Positive result: EU users are consistently subject to compliant consent handling and lawful-basis behavior.

Negative result: EU users receive non-compliant or inconsistent consent or lawful-basis handling.

Review sub-processor disclosures, data processing agreements (DPAs), and contractual safeguards.

Positive result: Sub-processors are clearly disclosed, roles are defined, and contractual safeguards (including required terms under Art. 28) are documented.

Negative result: Sub-processors are not disclosed, contracts are missing or unclear, or required safeguards for sub-processing are not evidenced.

Inspect network request destinations (domains, IPs, and endpoints), documented processing locations, and data flow descriptions.

Positive result: Where data leaves the EU or EEA, transfers are identified, and a lawful transfer mechanism under Chapter V is documented and applicable.

Negative result: Data appears to leave the EU or EEA without an identified transfer mechanism, or transfer documentation is missing or inconsistent with observed behavior.

Review applicable transfer mechanisms (for example, adequacy decisions or Standard Contractual Clauses) and documented supplementary measures where relevant.

Positive result: A valid transfer mechanism is in place for any third-country transfer, and supplementary measures are documented where needed.

Negative result: Transfers occur without a valid mechanism, or safeguards are not evidenced or do not align with the transfer context.

Inspect request domains, routing, and third-party endpoints in browser developer tools to assess use of first-party or controlled endpoints and identify reliance on third-country infrastructure where avoidable.

Positive result: Delivery is routed through controlled or appropriate endpoints and avoids unnecessary third-country exposure by design.

Negative result: Delivery relies on third-country endpoints or infrastructure unnecessarily, increasing exposure without clear justification or controls.

Identify hosting provider jurisdiction and assess documented transfer risk assessments and mitigation measures where applicable.

Positive result: Hosting arrangements support effective GDPR protections, and documented risk assessments and mitigations address identified risks where relevant.

Negative result: Hosting arrangements introduce unresolved risks, such as access risks, that are not assessed or mitigated, undermining effective protection.

Identify the hosting provider jurisdiction and corporate control, then assess whether data could be subject to third-country access requests even if data is stored in the EU.

Positive result: Jurisdictional and access risks are identified and assessed, and mitigations are documented where relevant.

Negative result: Jurisdictional or access risks are not assessed, or the setup creates unmitigated exposure to third-country access.

Inspect request protocols (HTTPS/TLS), certificates, and transport-level security indicators.

Positive result: Data is transmitted over HTTPS with valid TLS, and no insecure downgrade or mixed-content transmission is observed.

Negative result: Data is transmitted over HTTP, weak or invalid TLS is observed, or mixed-content or insecure transmission occurs.

Compare observed network destinations, data flows, and hosting indicators with published privacy notices and technical documentation.

Positive result: Observed transmission and hosting behavior matches documented descriptions, including locations and relevant parties.

Negative result: Observed behavior conflicts with documentation, or material details such as destinations, providers, or locations are missing or unclear.

Review request payloads and stored values to identify data fields that are not necessary for the declared purpose.

Positive result: Only data fields that are necessary for the stated purpose are collected and transmitted.

Negative result: Superfluous or unrelated data fields are collected or transmitted without clear necessity for the stated purpose.

Compare observed data collection and processing behavior with documented purposes in privacy documentation.

Positive result: Observed collection and processing align with explicit documented purposes.

Negative result: Data is collected or processed in ways that do not align with documented purposes, or purposes are vague or not specific enough to assess.

Install or enable the service with default settings and observe initial data collection behavior.

Positive result: Default behavior is limited to what is necessary for the stated purpose, without optional or expanded collection enabled by default.

Negative result: Default behavior includes optional, expanded, or excessive collection beyond what is necessary for the stated purpose.

Review available configuration options and privacy controls that affect data collection scope and depth.

Positive result: The service provides meaningful controls to reduce or adjust the collection scope in line with different regulatory or organizational requirements.

Negative result: The service lacks practical controls to limit collection, or configuration options do not materially affect collection scope.

Inspect request payloads and storage for optional attributes and assess whether a valid lawful basis is defined and applied for their collection.

Positive result: Optional or non-essential attributes are not collected unless enabled and supported by a valid lawful basis.

Negative result: Optional or non-essential attributes are collected without a defined lawful basis, or are collected by default without a clear justification.

Review whether individual-level identifiers are necessary for the stated purpose or whether aggregated data would meet the stated purpose.

Positive result: Aggregated data is used where it can fulfil the purpose, and individual-level data is limited to what is necessary.

Negative result: Individual-level personal data or identifiers are collected where aggregated reporting would reasonably meet the stated purpose.

Compare data collection behavior across different modules and features to confirm consistent limits on scope and collection depth.

Positive result: Data minimization controls and collection limits are applied consistently across modules and features.

Negative result: Some modules collect materially more data than others without a clear necessity for their stated purpose or without appropriate controls.

Review privacy notices, retention disclosures, and supporting documentation describing retention periods.

Positive result: Retention periods or retention criteria are clearly documented and accessible.

Negative result: Retention periods are missing, unclear, or not documented in a way that allows verification.

Review retention settings, retention policies, and the availability of historical data over time.

Positive result: Data is retained only for as long as necessary to fulfil the stated purpose.

Negative result: Data is retained indefinitely or longer than necessary without documented justification.

Observe whether data older than the defined retention period is deleted, anonymized, or otherwise no longer accessible.

Positive result: Data beyond the defined retention period is no longer available or accessible.

Negative result: Data remains accessible beyond the documented retention period.

Verify whether data can be deleted or excluded in response to erasure requests through documented processes.

Positive result: Erasure or exclusion mechanisms exist and can be executed in response to valid data subject requests.

Negative result: Erasure requests cannot be fulfilled, or deletion mechanisms are undocumented or ineffective.

Change privacy or access settings and assess whether access to retained historical data is appropriately restricted.

Positive result: Access to retained data reflects current privacy and access settings.

Negative result: Retained data remains accessible in ways that conflict with updated privacy or access controls.

Compare observed data availability and deletion behavior with published retention policies and internal documentation.

Positive result: Observed retention and deletion behavior matches documented policies.

Negative result: Observed behavior conflicts with documented retention or deletion commitments.

Review the scope, granularity, and age of retained datasets to assess whether they remain necessary for the stated purpose.

Positive result: Retained data remains proportionate in scope and granularity to the stated purpose.

Negative result: Retained datasets exceed what is necessary in scope, detail, or duration.

Review the approved subprocessors list and data processing agreements to confirm that subprocessors are contractually required to apply deletion and retention obligations in line with documented periods and controller instructions.

Positive result: Subprocessors are contractually bound to retention and deletion obligations aligned with the controller’s instructions.

Negative result: Subprocessors are not subject to equivalent retention and deletion obligations.

Review user roles, permissions, and access levels to confirm appropriate access restrictions.

Positive result: Access to personal data is limited to authorised roles and permissions, with least-privilege controls evident.

Negative result: Personal data is accessible to unauthorised roles, or permissions are overly broad.

Assess whether personal data processed by the service can be identified, retrieved, and provided in an intelligible form upon request.

Positive result: Relevant personal data can be retrieved and provided in an intelligible form, subject to applicable conditions and scope.

Negative result: Personal data cannot be reliably retrieved, is incomplete, or cannot be provided in an intelligible form.

Verify whether personal data can be deleted or excluded in response to an erasure request, subject to applicable exemptions.

Positive result: Erasure or exclusion can be executed through documented processes, and outcomes can be confirmed, subject to applicable exemptions.

Negative result: Erasure requests cannot be fulfilled in practice, or processes are undocumented or ineffective.

Review processing purposes and configuration options to determine whether processing can be limited or ceased following an objection.

Positive result: Processing can be limited or ceased for the relevant purpose following a valid objection, where required.

Negative result: Processing cannot be limited or ceased following an objection where the right applies.

Check whether personal data provided by the data subject can be exported in a structured, commonly used, machine-readable format where processing is based on consent or contract.

Positive result: Export is available in an appropriate format for the relevant personal data, where Art. 20 applies.

Negative result: Export is not possible or not provided in an appropriate format where Art. 20 applies.

Attempt access using accounts with different permission levels to verify enforcement of access controls.

Positive result: Unauthorised accounts cannot access personal data, and access is consistently enforced by role or permission level.

Negative result: Unauthorised accounts can access personal data, or restrictions are inconsistently enforced.

Review available access logs, audit trails, or documented procedures relating to data access.

Positive result: Access is traceable through logs, audit trails, or equivalent documented procedures that support accountability.

Negative result: Access is not traceable, and there is no reliable audit trail or equivalent procedure.

Assess the operational steps required to identify, retrieve, and act upon a data subject request within statutory time limits.

Positive result: The process enables timely identification, retrieval, and action within statutory deadlines.

Negative result: The process is not feasible within statutory deadlines due to missing capability, excessive manual effort, or unclear procedures.

Review documented security measures, organisational controls, and supporting security documentation.

Positive result: Appropriate technical and organisational measures addressing confidentiality, integrity, availability, and resilience are documented and implemented.

Negative result: Measures are missing, insufficiently documented, or do not reasonably address the security requirements of Art. 32.

Review contractual documentation and privacy notices, and compare them with observed processing behavior to confirm role allocation.

Positive result: Controller and processor roles are clearly defined and consistent with observed processing activities.

Negative result: Roles are unclear, contradictory, or inconsistent with observed processing behavior.

Verify the availability, accessibility, and scope of a Data Processing Agreement covering the relevant processing activities.

Positive result: A DPA is available, accessible to the controller, and covers the required scope under Art. 28(3).

Negative result: No DPA is available, access is restricted, or the agreement does not cover the relevant processing activities.

Review documented instructions in the DPA and assess whether observed processing activities align with those instructions.

Positive result: Observed processing aligns with documented instructions and does not exceed the agreed scope.

Negative result: Processing exceeds or conflicts with documented instructions, or scope limitations are unclear.

Review sub-processor lists, authorisation mechanisms, and contractual flow-down obligations.

Positive result: Sub-processors are transparently disclosed, authorisation or notification mechanisms are in place, and equivalent data protection obligations are contractually imposed.

Negative result: Sub-processors are not disclosed, controls are missing, or equivalent contractual safeguards are not in place.

Review DPA clauses relating to assistance with data subject requests and supporting operational procedures.

Positive result: Assistance obligations are documented in the DPA and supported by procedures that enable the controller to fulfil data subject rights.

Negative result: Assistance obligations are missing, unclear, or unsupported by documented procedures.

Compare contractual terms and documented commitments with observable system behavior and processing practices.

Positive result: Observable processing behavior is consistent with contractual commitments and documented representations.

Negative result: Observable behavior conflicts with contractual commitments or documented representations.

Compare documented compliance claims with observable technical and processing behavior.

Positive result: Documented claims are supported by observable behavior and evidence (for example, documentation, technical controls, and configuration behavior).

Negative result: Claims cannot be substantiated through observable behavior, or conflict with observed behavior or evidence.

Inspect network requests and review documented data flow explanations to assess transparency.

Positive result: Data flow documentation explains what data is transmitted, to whom, and for what purposes, in a way that corresponds with observable network behavior.

Negative result: Data flows are unclear, undocumented, or inconsistent with observable network behavior.

Compare privacy and technical documentation with browser-level and network inspection.

Positive result: Observed processing behavior matches documented descriptions, including what is processed and how it is transmitted or handled.

Negative result: Observed processing behavior conflicts with documentation or includes undocumented processing activity.

Attempt verification using standard, non-proprietary tools, such as browser developer tools.

Positive result: Key behaviors can be validated using standard tools without relying solely on vendor assertions.

Negative result: Verification cannot be performed without proprietary tooling or untestable vendor statements.

Test behavior across different modules and configurations to identify inconsistencies, bypasses, or alternative mechanisms that undermine stated safeguards.

Positive result: Safeguards remain effective across modules and configurations, and no bypass behavior is observed.

Negative result: Safeguards can be circumvented through feature differences, configuration changes, or alternative mechanisms.

Modify privacy settings and observe whether processing behavior changes accordingly.

Positive result: Observable processing behavior changes in line with the configuration change.

Negative result: Configuration changes do not produce measurable differences in processing behavior, or changes are inconsistent with the expected effect.

Review the availability of documentation, configuration history, and evidence supporting ongoing compliance.

Positive result: Documentation and evidence, such as configurations and records, exist to support periodic reassessment of compliance over time.

Negative result: Evidence is missing or insufficient to support ongoing assessment and accountability.