GDPR Template | Free Online Resources

In this article you will find descriptions and links to GDPR templates, which you can use for your GDPR compliance.


    GDPR requires you to document your compliance, which means you need appropriate documents for this purpose. But how do you create these documents?

    In this article, we have gathered some of the best GDPR templates available online - free, publicly accessible, and of high quality. We have described the purpose of each template and grouped them according to their sources.

    We recommend that you skim through the article and, based on the headings, find the templates that are most relevant to your GDPR compliance.

    The Danish Data Protection Agency’s Templates and Guidelines

    In this section, we review the most relevant templates and guidelines provided by the Danish Data Protection Agency, as well as how you can use them for your GDPR compliance. These templates are particularly important because the agency is the supervisory authority for GDPR in Denmark, making it a reliable source for GDPR templates and guidelines.

    The following sections are named after the templates available on the Danish Data Protection Agency’s website. Each section includes a description of the templates and guidelines, their relevance, and a reference to the applicable GDPR regulations.

    12 Questions to Ask Yourself About the General Data Protection Regulation

    This guideline contains 12 practical questions to help you assess whether you handle personal data correctly. Each question provides insight into your current practices and highlights areas that may require additional focus. By answering these questions, you will gain a better overview of the risks associated with your data processing activities and identify where improvements may be needed.

    Data Processing Agreement Template (Danish)

    When entering into agreements with a data processor, GDPR requires a written contract that meets specific requirements. This template helps ensure that all necessary details are included, such as the purpose, duration, types of data, and security measures. Using this template makes it easier to meet legal requirements and ensures that you remain compliant.

    Context: GDPR article 28. 

    Data Processing Agreement Template (English)

    This template is an English version of a data processing agreement, specifically designed for international collaboration. If you work with foreign or English-speaking data processors, having an English version makes it easier to ensure that all parties understand the terms and requirements of the agreement.

    Context: GDPR article 28. 

    Joint Data Responsibility (Danish Template)

    When multiple parties jointly determine the purpose and means of processing personal data, they share joint data responsibility. GDPR requires that this shared responsibility be documented in an agreement. This template helps clarify the individual obligations and responsibilities of each party, ensuring transparency about who does what and how the rights of data subjects are safeguarded.

    Context: GDPR article 26. 

    Joint Data Responsibility (English Template)

    This joint data responsibility agreement is the English version of the Danish template. By using this agreement, you can facilitate collaboration with international partners, eliminate language barriers, and ensure that all parties understand and fulfill their responsibilities in accordance with GDPR.

    Context: GDPR article 26. 

    Example of a Record of Processing Activities for HR (Data Controller)

    GDPR requires both data controllers and data processors to maintain a record of their data processing activities.

    The Danish Data Protection Agency has provided an example of how HR-related personal data processing can be documented. The primary purpose of this example is to comply with the record-keeping requirement. However, GDPR imposes additional obligations, making it beneficial to describe processing activities in greater detail. A more detailed record improves practical usability and makes implementation within your organization easier.


    You can also create a free record of processing activities using .legal's GDPR software, which includes a built-in feature to help you draft your record template. It is easy to complete and ensures that you start your record-keeping correctly.

    Context: GDPR article 30. 

    Templates for Compliance with the Duty to Inform and the Right of Access

    To ensure compliance with data subjects' rights, you must follow the required formal requirements. For instance, when collecting personal data, you must provide clear and comprehensive information to fulfill your duty to inform. Similarly, when handling requests for access, you must adhere to specific procedural requirements.

    This template includes two annexes and therefore functions as two separate templates, helping you comply with both obligations.

    Context: GDPR articles 12-22. 

    Template for a Data Protection Impact Assessment (DPIA)

    If you determine that a Data Protection Impact Assessment (DPIA) is necessary for a specific personal data processing activity, this template can help save time and create a structured approach. It guides you through identifying risks, describing processing activities, assessing the necessity and proportionality of the processing, and defining measures to mitigate risks for data subjects.

    Context: GDPR article 35. 

    Template for a DPIA in AI Processing

    Processing personal data using artificial intelligence (AI) requires special considerations, as the technology is often complex and unpredictable. This DPIA template is specifically designed to assess and manage risks associated with AI usage, ensuring a responsible and GDPR-compliant application of the technology.

    Context: GDPR article 35. 

    Security of Processing and Data Protection by Design and by Default

    A fundamental principle of GDPR is that personal data must be processed securely. This requires implementing appropriate security measures to reduce risks to an acceptable level.

    GDPR also mandates "privacy by design and by default," meaning that all processes and systems for handling personal data must be designed with data security in mind, and that data protection must always be the default setting.

    Context: GDPR articles 25 and 32.

    Cloud 

    When using a cloud solution, personal data is typically processed on the provider's servers or those of a third party, which often means that data may be transferred outside the EU/EEA.

    This guideline helps ensure that data transfers occur on a lawful basis, that the necessary security measures are in place, and that clear and precise agreements are established with providers to ensure compliance.

    Context: GDPR article 28 and 44-50. 

    Data Controllers and Data Processors

    It is important to understand the distinction between a data controller and a data processor. The data controller determines the purpose and means of personal data processing, while the data processor only processes data on behalf of the controller. This guideline helps you identify your role in relation to business partners and suppliers, ensuring that the necessary agreements are in place and that you remain GDPR-compliant.

    Context: GDPR article 4(7) and (8), and articles 24 and 28.

    Guiding Principles on Data Responsibility for Temporary Staff and Consultants

    When employing temporary staff, such as consultants, freelancers, or agency workers, it is crucial to ensure that their handling of personal data under the organization’s responsibility remains GDPR-compliant.

    This guideline clarifies how to manage different scenarios, ensuring that personal data is handled correctly and that regulatory requirements are met.

    Context: GDPR articles 24, 28 and 29. 

    Data Protection in Employment Relationships

    All organizations with employees process personal data, which is often confidential or sensitive. Employment relationships are also subject to various legal requirements, collective agreements, and employment contracts, all of which impact how an organization is allowed to process this data.

    This guideline from the Danish Data Protection Agency helps identify the legal bases for processing and provides an overview of how to ensure that data processing is GDPR-compliant.

    Context: GDPR articles 6, 9, 10, 12-22. 

    Data Protection Officer (DPO) 

    Some organizations are required to appoint a Data Protection Officer (DPO) to ensure GDPR compliance. This guideline explains when appointing a DPO is mandatory and outlines the competencies and qualifications a DPO must have to effectively monitor and advise on data protection matters.

    Context: GDPR articles 37-39. 

    Direct Marketing

    Data subjects have the right to opt out of direct marketing, and your organization is obligated to respect this right. This guideline explains how to manage opt-out requests for direct marketing and the specific obligations your organization must meet to ensure GDPR compliance.

    Context: GDPR article 6(1)(f), article 7 and article 21.

    Record of Processing Activities (ROPAs)

    A record of processing activities (ROPA) serves as an internal register that maps out an organization's data processing activities.

    This guideline helps you identify the required information that must be included, such as the purpose of processing, categories of data subjects, types of data, and any transfers to third countries. Keeping an up-to-date record is a GDPR requirement, making it easier to document compliance and fulfill your organization's obligations.

    Context: GDPR article 30. 

    Handling Personal Data Breaches

    If your data is leaked or stolen, it is crucial to respond quickly and correctly to comply with GDPR regulations.

    This guideline explains how to report a data breach to the Danish Data Protection Agency and how to notify affected data subjects. It emphasizes the importance of having a clear procedure for managing data breaches and maintaining an internal record of all incidents to ensure compliance and improve future response strategies.

    Context: GDPR articles 33-34, and article 12. 

    Use of Artificial Intelligence by Public Authorities

    Public authorities increasingly use artificial intelligence (AI) for tasks such as case processing and risk assessment.

    This guideline is specifically designed for public authorities and focuses on protecting citizens' rights when AI is used. It provides practical guidance on ensuring that AI technologies are applied responsibly and in compliance with GDPR.

    Context: GDPR article 5, 22, 24, 25. 

    Recording of Telephone Conversations

    If you record telephone conversations, you must ensure that the purpose of the recording is legitimate and that the person on the other end is clearly informed about it. This is particularly relevant in customer service, where recordings are often used for quality assurance or documentation purposes.

    Context: GDPR articles 5-6 and 13-14.

    Transfer of Personal Data to Third Countries

    If your data is transferred to countries outside the EU/EEA, there must be a valid legal basis for the transfer, such as Standard Contractual Clauses (SCCs) or an adequacy decision. This guideline helps you navigate the different legal bases for data transfers, ensuring that you do not violate GDPR by transferring data to insecure third countries.

    Context: GDPR article 44-50. 

    Personal Data

    The Danish Data Protection Agency has compiled a basic overview of what constitutes personal data and when it may be processed.

    This quick guide can be shared with employees as training material. An even better solution is to use an awareness training platform that provides more user-friendly materials and an integrated IT solution, making it easier to train colleagues effectively.

    Context: GDPR article 5, 6, 9, 10. 

    Rights of Data Subjects

    This guideline explains how your organization should handle data subjects' rights, including the development of internal procedures and templates to ensure consistent and correct processing of requests in compliance with GDPR.

    Context: GDPR articles 12-22.

    Deadlines and Requirements (Specifically for Small Businesses)

    This guideline provides a clear overview of key deadlines, such as when to respond to access requests, helping you avoid unintentional GDPR violations in your communications with data subjects. Ensuring compliance with these deadlines helps maintain customer trust and prevents potential complaints.

    Context: GDPR articles 12-22. 

    Right to Erasure (Specifically for Small Businesses)

    It is essential to understand the rules on when and how data must be deleted upon request. This guide helps you correctly handle erasure requests, ensuring that your organization complies with GDPR requirements.

    Context: GDPR article 17. 

    Right of Access (Specifically for Small Businesses)

    When a data subject requests access to the personal data you process about them, it is crucial to respond in compliance with GDPR. This guide is particularly useful for small businesses, as it helps ensure that deadlines are met and that information requirements are fulfilled correctly.

    Context: GDPR articles 12 and 15. 

    Duty to Inform (Specifically for Small Businesses)

    This overview helps small businesses quickly understand the requirements for the duty to inform. It is particularly important to have clarity on the purpose of data collection, data retention periods, and the contact details of the data controller.

    Context: GDPR articles 12 and 15.

    Role Allocation in Research Projects

    In research contexts, responsibility for data processing may be shared among multiple parties. This guideline helps define roles, clarifying who is the data controller and who may act as a data processor. Ensuring a clear role allocation prevents misunderstandings and promotes greater transparency.

    Context: GDPR articles 24, 26 and 28. 

    Role Allocation When Private Companies Provide Services to the Public Sector

    When public authorities outsource tasks to private entities, there can be uncertainty about who holds data responsibility. This guideline helps both parties clarify who is responsible for what, ensuring that roles and obligations are clearly defined.

    Context: GDPR articles 24, 26 and 28. 

    Consent

    Consent is one of the most commonly used legal bases for processing personal data. This guideline explains when and how valid consent should be obtained and documented. It is crucial to process data based on consent only when the data subject has freely and knowingly given permission. Additionally, consent should only be relied upon as a legal basis if no other lawful processing grounds are available.

    Context: GDPR article 7. 

    Access Control Management

    Access control in IT systems is essential for preventing unauthorized access to personal data. This guideline explains how to assign user access rights, ensuring that only relevant employees have access to specific data. This supports the principle of data minimization while also protecting against internal data leaks.

    Context: GDPR article 32. 

    Supervision of Data Processors

    When using data processors, it is important to conduct ongoing supervision to ensure they comply with GDPR regulations.

    This may include physical audits or reviewing documentation. Establishing clear supervision procedures ensures that data responsibility is not simply transferred to an external party, but that you continue to monitor whether adequate security measures are in place at the data processor.

    Context: GDPR articles 28 and 24. 

    CCTV Surveillance: Businesses, Public Authorities, and Housing Organizations

    The Danish Data Protection Agency has developed three guidelines aimed at businesses, public authorities, and housing organizations regarding the legal use of CCTV surveillance and the balance between security and privacy for those being monitored.

    Surveillance must always have a clear purpose, be marked with clear signage, and access to recordings must be restricted. Recordings must be securely stored and retained only as long as necessary to prevent misuse and ensure GDPR compliance.

    Context: GDPR article 6, 13-14. 

    Checklists for Schools on the Use of Images

    Schools often use images of students for various purposes, making it crucial to ensure clear policies on how these images are handled. The Danish Data Protection Agency's "checklists for schools on the use of images" provide guidance on ensuring proper processing. For example, a school is the data controller when an external school photographer takes pictures. Similarly, if teaching occurs via online video streaming, the school remains responsible for ensuring that personal data is processed in compliance with GDPR.

    Context: GDPR article 2 and article 5-7. 

    Checklist for Nurseries and Kindergartens on the Use of Images and Videos

    Young children are particularly vulnerable, meaning the processing of their images and videos requires extra caution. This checklist helps nurseries and kindergartens manage images and videos correctly, clarifies when parental consent is required, and explains how to comply with the duty to inform to ensure a responsible and lawful approach.

    Context: GDPR article 2 and articles 5-7.

    Processing of Personal Data from Website Visitors

    All organizations with a website process personal data, for example, by placing cookies in users' browsers or tracking their behavior on the site. This guideline explains how to lawfully process website visitor data, fulfill the duty to inform, and obtain valid consent for the use of cookies. Following these guidelines ensures compliance with both GDPR and electronic communication regulations.

    Context: GDPR article 5-7, and article 13. 

    GDPR Fines

    The Danish Data Protection Agency has prepared two detailed guidelines on how fines are imposed on individuals and businesses. These guidelines outline the criteria used by regulatory authorities when determining fines. By understanding these criteria, organizations can better grasp the importance of GDPR compliance and take the necessary steps to minimize the risk of severe penalties.

    Context: GDPR articles 83-84. 

    Data Protection Rules in Election Campaigns

    During election campaigns, data is used to distribute political messages and influence voters' decisions. This guideline ensures that data usage complies with citizens' rights and GDPR. It explains how to establish a lawful purpose for processing and outlines the requirements if a data processor is involved in the campaign.

    Context: GDPR article 6, 9, 13-14. 

    Information Brochure

    This short brochure is designed for data subjects, summarizing the most important aspects of data protection from their perspective. It provides an overview of their data protection rights, explains what constitutes personal data, and outlines how they can file a complaint if their rights are violated. The brochure serves as a helpful resource for both employees and customers, making it easier to understand their rights under GDPR.

    Context: GDPR articles 5 and 13-22.

    Two Guidelines on Data Protection Impact Assessments (DPIA)

    A Data Protection Impact Assessment (DPIA) is required when a processing activity poses a high risk to data subjects. The Danish Data Protection Agency has developed a guideline explaining when a DPIA is necessary and how to conduct one. Additionally, the agency has created a list of processing activities that always require a DPIA. If your processing activity is included in this list, conducting a DPIA is recommended to ensure that risks are identified and properly managed.

    Context: GDPR article 35. 

    Sikkerdigital

    Sikkerdigital.dk is a collaborative initiative between public and private entities aimed at promoting secure digital behavior, particularly in businesses.

    They have developed various templates and guidelines that can assist in your GDPR and IT security efforts. Sikkerdigital is a reliable and valuable resource for finding materials related to IT security and related topics.

    Below, we highlight some of the most important GDPR templates and guidelines.

    IT Security Policy

    Sikkerdigital has created a template for an IT security policy, which all businesses should consider implementing. The policy describes how an organization handles IT security in practice, including its purpose, who it applies to, the allocation of responsibilities, and how compliance is monitored and approved.

    The IT security policy also includes two annexes: one covering IT guidelines for operations and another outlining guidelines for user behavior and IT usage. These documents should be adapted to align with the company’s specific goals, needs, and operational practices.

    Contingency Plan

    This IT contingency plan template is an essential tool for businesses that want to ensure operations can continue even when issues arise. It provides guidance on everything from preparation and activation of the contingency plan to handling specific incidents such as fires, data breaches, or system failures. The template is particularly well-suited for small and medium-sized businesses, as it offers a simple and clear approach to creating an effective plan.

    In relation to GDPR compliance, the template includes an annex on data breaches, offering a step-by-step guide on how to handle security incidents that may result in the loss of personal data. By following these guidelines, companies can minimize the risk of fines and other GDPR-related consequences.

    Guideline and Template for Risk Assessment

    Sikkerdigital has developed a guideline that businesses can use to conduct risk assessments, along with a template to help implement the assessments in practice.

    The guideline explains the methodology for conducting risk assessments, how to manage the results, and how to address identified risks. The accompanying template, provided in Excel format, allows businesses to organize, describe, and execute evaluations of various risks systematically.

    Supplier Dialogue Tool

    Most businesses rely on IT suppliers for software and hardware that support operations. When these services are outsourced, it is crucial to ensure that suppliers provide secure solutions. Otherwise, companies risk operational disruptions and security breaches, which could have serious consequences for the business, customers, citizens, or employees.

    To support this, Sikkerdigital has developed a detailed guideline and template that businesses can use in their interactions with IT suppliers, ensuring that services meet security requirements and remain compliant.

    Board Guide and Checklist

    The increasing digital requirements for organizations, including GDPR, NIS2, and ongoing technological advancements, make governance more complex. It is therefore crucial for board members to stay informed to ensure that the organization operates securely and complies with current regulations and technological developments.

    Sikkerdigital has developed a checklist specifically for board members to help them ensure that the company effectively manages these challenges and remains compliant.

    GDPR.DK 

    GDPR.DK is a private company offering various guidance articles and free templates available on their website. The following templates can be particularly useful if your organization has not yet implemented them.

    Consent Template

    When using consent as a legal basis for processing personal data, it must be properly documented. How this is done depends on the specific situation.

    If you require ad hoc consent from an individual to process their data, you can use GDPR.DK’s consent template as a starting point. This template ensures that the consent obtained meets GDPR requirements.

    Privacy Policy Template

    When drafting a privacy policy, it is essential to clearly explain how your company processes personal data. The policy should be easy to understand and include all necessary details to comply with GDPR.

    If you need a structured starting point, GDPR.DK’s privacy policy template provides clear guidance to ensure that your policy meets legal requirements while also promoting transparency for data subjects.

    .legal A/S 

    On our website, you can find various templates and guidelines to help you manage your GDPR compliance effectively.

    GDPR Checklist (Implementation)

    Our website provides a detailed GDPR checklist designed to help you implement GDPR within your organization. This checklist guides you step by step, starting from the moment you decide that GDPR compliance is a priority for your organization.

    GDPR Checklist (Ongoing Compliance Maintenance)

    Once GDPR has been implemented, it is essential to ensure that your organization continues to comply with the regulations. This requires integrating GDPR as a permanent part of daily operations. To support this, we have created a comprehensive checklist that helps you track and maintain your GDPR compliance over time.

    Conclusion

    It is easy to get overwhelmed by GDPR templates and documentation when working towards compliance.

    To simplify the process, a GDPR system might be the ideal solution. By using a dedicated GDPR system, many of these templates become unnecessary, as the system includes built-in features to handle compliance requirements efficiently.

    You can create a free account today to gain access to these features and collaborate with your colleagues on GDPR, something that a simple template cannot provide.
