GDPR Maturity Assessment & Compliance Process Check-list
Ezzat Fahmy – Munich, Germany
Entities

Data Subject / Natural Person in EU
1. A natural person who is identifiable, directly or indirectly, by name, an identification number, location data, an online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Personal Data
1. Any information relating to a data subject.
2. Consent: a freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
3. Personal data breach: a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
4. Genetic data: personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about his or her physiology or health and which result from an analysis of a biological sample from him or her.
5. Biometric data: facial image, fingerprint, palm print.
6. Data concerning health.
Processing
1. Processing of personal data: automated or non-automated operations performed on personal data (such as collecting, recording, structuring, storing, altering, retrieving, consulting, using, transmitting, presenting, making available, etc.).
2. Cross-border processing.
3. Restriction of processing: marking personal data with the aim of limiting its processing.
4. Profiling: using personal data to evaluate, analyse or predict personal aspects, performance or behaviour at work or at home, interests, health, economic situation, location, movements, etc.
5. Pseudonymisation: processing personal data in such a manner that the personal data can no longer be attributed to a specific person.
6. Filing systems: structured sets of personal data that are accessible, whether centralised, decentralised or dispersed geographically.
7. Binding corporate rules: personal data protection policies which are adhered to by a controller or processor.
Controller or Processor or Recipient
1. Controller: determines the purposes and means of the processing of personal data.
2. Processor: processes personal data on behalf of the controller.
3. Recipient: organisation, person or third party to which personal data is disclosed.
4. Main establishment.
Check list

Processing
1. Processing should be lawful, fair and transparent to the data subject, which requires one of the following:
   1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
   2. processing is necessary for a contract to which the data subject is party, for compliance, for protecting the interests of the data subject, for performing tasks important for public authorities, or for the interests of the controller, except where these are overridden by the interests or fundamental rights and freedoms of the data subject.
2. Where processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on Union or Member State law, consider:
   1. any link between the purposes for which the personal data have been collected and the purposes of the intended further processing.
3. Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited, except:
   1. where the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provides that the prohibition referred to
   2. where processing is necessary for specific rights of the controller or data subject in the field of employment and social security and social protection law;
   3. where the data subject is physically or legally incapable of giving consent.
Personal Data
1. (Purpose limitation) Collected for and processed in specified, explicit and legitimate purposes and manners.
2. (Data minimisation) Adequate, relevant and limited to the purposes for which they are processed.
3. (Data accuracy) Accurate and kept up to date, which means:
4. (Data accuracy) inaccurate personal data are erased or rectified without delay.
5. (Storage limitation) Kept in a form that permits identification of data subjects.
6. (Storage limitation) Kept for no longer than is necessary for the purposes for which the personal data are processed.
7. (Data integrity and confidentiality) Processed in a secure manner, protected against accidental loss, destruction or damage.
Controller or Processor or Recipient
1. (Accountability) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1.
2. Processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on Union or Member State law.
3. The controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
4. Where the data subject is a child, the controller shall make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.
Data Subject / Natural Person in EU
1. The data subject must have given consent to the processing of his or her personal data for one or more specific purposes.
2. The controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
3. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
4. The data subject shall have the right to withdraw his or her consent at any time.
5. Where the child is below the age of 16 years, consent is given or authorised by the holder of parental responsibility over the child.

GDPR compliance process and maturity/readiness assessment checklist
