The GDPR Compliance Pack provides 15 production-ready rules based on the EU General Data Protection Regulation, covering consent management, encryption, DPO requirements, data subject rights, and cross-border data transfers. Each rule includes historical fines, breach examples, and GDPR article references.

Rule Categories

Rules are organized into categories aligned with GDPR principles; the summary table at the end of this page gives the category of every rule.

Consent
  • Consent Status Validation (Article 6(1)(a))
  • Children Data Protections (Article 8)
DPO: designation, position, and tasks of the DPO.
  • DPO Designation Check (Article 37)
Email Marketing: opt-out mechanisms and lawfulness of marketing communications.
  • Marketing Opt-Out Mechanism (Article 21)
Encryption: security of processing and encryption of personal data.
  • At-Rest Encryption Requirement (Article 32)
  • In-Transit Encryption (TLS) (Article 32)
Personal Data: definition and processing of personal and special category data.
  • Special Category Data Protection (Article 9)
Privacy by Design: data protection by design and by default.
  • Privacy by Design Default (Article 25)
Privacy Impact Assessment: data protection impact assessments (DPIA) and prior consultation.
  • DPIA Requirement Validation (Article 35)
Processing: principles, lawfulness, and conditions of processing.
  • Lawful Basis Documentation (Article 6)
ROPA: maintenance of records of processing activities.
  • Records of Processing (ROPA) (Article 30)
Right of Access: right of access by the data subject and information to be provided.
  • Right to Data Access (DSAR) (Article 15)
Right to be Forgotten: right to erasure and restriction of processing.
  • Data Retention Period Enforcement (Article 5(1)(e))
  • Right to Be Forgotten (Erasure) (Article 17)
Transparency: transparency and information provided to data subjects (no rule in this pack is assigned to this category).
Third Countries: transfers of personal data to third countries or international organizations.
  • Third Country Transfer Basis (Articles 44-49)

Detailed Rule Reference

Consent

Children Data Protections (GDPR-007)

Severity: CRITICAL
Threshold: Age < 16
Article: 8 — Child’s Consent
What it detects: Flags records where the data subject is under 16, the Article 8 default age below which consent for an information-society service must be given or authorised by the holder of parental responsibility. Member states may lower that age to no less than 13, so set the threshold for the jurisdictions you serve. The condition fires on age alone; it does not verify that parental consent was actually obtained and recorded.
Conditions:
{ "field": "age", "operator": "less_than", "value": 16 }
Policy Excerpt:
Children’s data requires parental consent.
Historical Context:
  • Average Fine: €345M (TikTok — failing to protect children’s data)
  • Breach Example: Gaming site collecting emails of 12-year-olds without age verification

Encryption

At-Rest Encryption Requirement (GDPR-003)

Severity: CRITICAL
Article: 32 — Security of Processing
What it detects: Identifies tables or columns containing personal data that are not encrypted at rest. Article 32(1)(a) names encryption as an example of an appropriate technical measure rather than an absolute mandate; this rule treats it as required for stored personal data.
Conditions:
{ "field": "encrypted", "operator": "equals", "value": false }
Policy Excerpt:
Personal data must be encrypted at rest.
Historical Context:
  • Average Fine: €18M (British Airways breach — lack of security measures)
  • Breach Example: Hospital database leaked patient records because PII was stored in plain text
In-Transit Encryption (TLS) (GDPR-010)

Severity: HIGH
Article: 32 — Security of Processing
What it detects: Flags data transmission channels where TLS is not enabled (HTTP instead of HTTPS).
Conditions:
{ "field": "tls_enabled", "operator": "equals", "value": false }
Policy Excerpt:
Personal data in transit must be encrypted.
Historical Context:
  • Average Fine: €10M (Telecom company — lack of encryption for subscriber data packets)
  • Breach Example: Web form submitting PII via HTTP instead of HTTPS

Personal Data

Special Category Data Protection (GDPR-004)

Severity: CRITICAL
Article: 9 — Processing of Special Categories
What it detects: Flags records containing special category data (health data, biometric data used for unique identification, political opinions, and the other Article 9(1) categories). Explicit consent (Article 9(2)(a)) is the condition this rule enforces; the other Article 9(2) conditions, such as employment-law obligations or substantial public interest, are not modelled, so adjust or disable the rule for processing that relies on one of them.
Conditions:
{ "field": "data_category", "operator": "contains", "value": "special_category" }
Policy Excerpt:
Special category data requires explicit consent.
Historical Context:
  • Average Fine: €35M (H&M case for processing sensitive employee data)
  • Breach Example: Health app sharing biometric data with third parties without specific Art 9 consent

Data Subject Rights

Data Retention Period Enforcement (GDPR-001)

Severity: HIGH
Article: 5(1)(e) — Storage Limitation
What it detects: Identifies records marked for deletion that have exceeded the retention period. As written, the condition carries no retention threshold: it matches every record with deletion_requested set to true and a populated created_at, and does not itself compare created_at against a retention period.
Conditions:
{
  "AND": [
    { "field": "deletion_requested", "operator": "equals", "value": true },
    { "field": "created_at", "operator": "exists", "value": null }
  ]
}
Policy Excerpt:
Personal data must not be retained beyond the necessary period.
Historical Context:
  • Average Fine: €14.5M (Average for systemic retention failure)
  • Breach Example: Real estate company fined for storing tenant data indefinitely
Right to Data Access (DSAR) (GDPR-005)

Severity: MEDIUM
Article: 15 — Right of Access
What it detects: Identifies data that should be retrievable for data subject access requests (DSARs) but is not properly indexed or exportable. Access requests must be answered within one month of receipt (Article 12(3)), so data that cannot be located or exported in that window is a compliance risk even before a request arrives.
Conditions:
{ "field": "is_retrievable", "operator": "equals", "value": false }
Policy Excerpt:
Data subjects have the right to access their data.
Historical Context:
  • Average Fine: €1M (Amazon — failing to provide full access to data)
  • Breach Example: SaaS provider unable to export all user data during access request
Right to Be Forgotten (Erasure) (GDPR-006)

Severity: HIGH
Article: 17 — Right to Erasure
What it detects: Checks for records marked for deletion but not yet erased. Article 12(3) requires the request to be actioned without undue delay and in any event within one month (extendable by two further months for complex or numerous requests). The condition flags every open deletion request regardless of how long it has been pending.
Conditions:
{ "field": "deletion_requested", "operator": "equals", "value": true }
Policy Excerpt:
Check for records marked for deletion but not yet erased.
Historical Context:
  • Average Fine: €600k (Google Spain — “Right to be Forgotten” in search results)
  • Breach Example: Bank failed to delete marketing profile after user closed account

Processing & Documentation

Lawful Basis Documentation (GDPR-009)

Severity: HIGH
Article: 6 — Lawfulness of Processing
What it detects: Flags data processing operations that do not have a documented lawful basis under Article 6(1)(a) to (f): consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Conditions:
{ "field": "lawful_basis", "operator": "not_exists", "value": null }
Policy Excerpt:
All processing must have a documented lawful basis.
Historical Context:
  • Average Fine: €20M (General fine for lack of Art 6 justification)
  • Breach Example: Company processing payroll data without defining a legal basis in their ROPA
Records of Processing (ROPA) (GDPR-013)

Severity: MEDIUM
Article: 30 — Records of Processing Activities
What it detects: Flags processing activities that do not have a corresponding ROPA entry. Article 30(5) exempts organisations with fewer than 250 employees unless the processing is likely to result in a risk to data subjects, is not occasional, or involves special category or criminal-offence data; in practice most ongoing processing falls outside the exemption.
Conditions:
{ "field": "ropa_entry_exists", "operator": "equals", "value": false }
Policy Excerpt:
Maintain a record of processing activities.
Historical Context:
  • Average Fine: €30k (Incomplete or missing ROPA)
  • Breach Example: Logistics firm unable to provide processing logs during audit

Organizational Requirements

DPO Designation Check (GDPR-011)

Severity: MEDIUM
Article: 37 — Designation of the DPO
What it detects: Flags controllers or processors that meet an Article 37(1) trigger (a public authority or body; core activities requiring regular and systematic large-scale monitoring of data subjects; or large-scale processing of special category or criminal-offence data) but have not designated a Data Protection Officer.
Conditions:
{ "field": "dpo_assigned", "operator": "equals", "value": false }
Policy Excerpt:
Organizations must designate a DPO in specific cases.
Historical Context:
  • Average Fine: €50k (Average for failing to appoint DPO when required)
  • Breach Example: Security firm fined for not appointing DPO despite large-scale monitoring
DPIA Requirement Validation (GDPR-012)

Severity: HIGH
Article: 35 — Data Protection Impact Assessment
What it detects: Flags high-risk processing activities that lack a completed DPIA. Article 35(3) names three cases where a DPIA is always required: systematic and extensive automated evaluation or profiling with legal or similarly significant effects, large-scale processing of special category or criminal-offence data, and systematic large-scale monitoring of a publicly accessible area (facial recognition in a store is an example of the last).
Conditions:
{ "field": "dpia_completed", "operator": "equals", "value": false }
Policy Excerpt:
Impact assessment required for high-risk processing.
Historical Context:
  • Average Fine: €200k (Failing to conduct DPIA for facial recognition)
  • Breach Example: Retailer deploying AI tracking without preliminary impact study

Marketing & Privacy Design

Marketing Opt-Out Mechanism (GDPR-008)

Severity: MEDIUM
Article: 21 — Right to Object
What it detects: Checks that all marketing communications include a one-click unsubscribe mechanism. Under Article 21(2) to (4) the data subject may object to direct marketing at any time, processing must then stop, and the right must be brought explicitly to their attention no later than the first communication. Note that the condition as shown selects every record with marketing_consent set to true, i.e. every subject who receives marketing; whether an opt-out mechanism is present is not something the condition itself evaluates.
Conditions:
{ "field": "marketing_consent", "operator": "equals", "value": true }
Policy Excerpt:
Email communications require an opt-out mechanism.
Historical Context:
  • Average Fine: €400k (Deliveroo — lack of opt-out in promotional emails)
  • Breach Example: E-commerce site ignoring unsubscribes for its weekly newsletter
Privacy by Design Default (GDPR-014)

Severity: MEDIUM
Article: 25 — Privacy by Design
What it detects: Flags systems that do not use the most privacy-protective settings by default (e.g., profiles set to “public” on registration).
Conditions:
{ "field": "privacy_by_default", "operator": "equals", "value": false }
Policy Excerpt:
Implement data protection by design and by default.
Historical Context:
  • Average Fine: €100k (Software vendor — settings not private by default)
  • Breach Example: Social app making profiles public automatically upon registration

Cross-Border Transfers

Third Country Transfer Basis (GDPR-015)

Severity: CRITICAL
Article: 44–49 — Transfers to Third Countries
What it detects: Flags data transfers to countries outside the EEA that lack a valid transfer mechanism: an adequacy decision (Article 45), appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules (Article 46), or one of the narrow derogations of Article 49.
Conditions:
{ "field": "transfer_basis", "operator": "not_exists", "value": null }
Policy Excerpt:
Transfers to third countries require a legal basis.
Historical Context:
  • Average Fine: €1.2B (Meta — transferring data to US without valid basis)
  • Breach Example: Cloud provider moving backup data to non-compliant region

Rule Summary Table

| Rule ID  | Name                              | Severity | Article | Category                  |
|----------|-----------------------------------|----------|---------|---------------------------|
| GDPR-001 | Data Retention Period Enforcement | HIGH     | 5(1)(e) | Right to be Forgotten     |
| GDPR-002 | Consent Status Validation         | CRITICAL | 6(1)(a) | Consent                   |
| GDPR-003 | At-Rest Encryption Requirement    | CRITICAL | 32      | Encryption                |
| GDPR-004 | Special Category Data Protection  | CRITICAL | 9       | Personal Data             |
| GDPR-005 | Right to Data Access (DSAR)       | MEDIUM   | 15      | Right of Access           |
| GDPR-006 | Right to Be Forgotten (Erasure)   | HIGH     | 17      | Right to be Forgotten     |
| GDPR-007 | Children Data Protections         | CRITICAL | 8       | Consent                   |
| GDPR-008 | Marketing Opt-Out Mechanism       | MEDIUM   | 21      | Email Marketing           |
| GDPR-009 | Lawful Basis Documentation        | HIGH     | 6       | Processing                |
| GDPR-010 | In-Transit Encryption (TLS)       | HIGH     | 32      | Encryption                |
| GDPR-011 | DPO Designation Check             | MEDIUM   | 37      | DPO                       |
| GDPR-012 | DPIA Requirement Validation       | HIGH     | 35      | Privacy Impact Assessment |
| GDPR-013 | Records of Processing (ROPA)      | MEDIUM   | 30      | ROPA                      |
| GDPR-014 | Privacy by Design Default         | MEDIUM   | 25      | Privacy by Design         |
| GDPR-015 | Third Country Transfer Basis      | CRITICAL | 44–49   | Third Countries           |
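To make the condition syntax used throughout the rule reference concrete, here is an added example (written for this page, not the product's own rule engine) of a deterministic evaluator for it. It implements the leaf operators the pack uses (equals, less_than, contains, exists, not_exists) and the AND composite, runs a subset of the rules transcribed from the reference above over a constructed dataset, and reports hits by rule ID and article. How a missing field is treated, the OR composite, the helper names and the sample records are assumptions and are not specified by the page.

```python
"""Deterministic evaluator for the GDPR pack's JSON rule conditions.

Added example: the condition syntax and the transcribed rules come from this page;
the evaluator itself, the missing-field semantics, the "OR" composite and the
sample records are assumptions, not the product's own code.
"""
from __future__ import annotations

from typing import Any, Callable

# Leaf operators that appear in the pack's conditions. A missing field is read as
# None; less_than and contains deliberately do not match on None, so a record with
# no `age` field is not reported as a child (assumption; add a separate
# `not_exists` rule if a missing age should itself be a finding).
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "less_than": lambda actual, expected: actual is not None and actual < expected,
    "contains": lambda actual, expected: actual is not None and expected in actual,
    "exists": lambda actual, _expected: actual is not None,
    "not_exists": lambda actual, _expected: actual is None,
}


def matches(condition: dict[str, Any], record: dict[str, Any]) -> bool:
    """Return True when `record` satisfies `condition`, i.e. is a violation.

    Handles the leaf form {"field", "operator", "value"} and the {"AND": [...]}
    composite shown on this page; {"OR": [...]} is an assumed extension.
    Unknown operators raise rather than silently failing open.
    """
    if "AND" in condition:
        return all(matches(sub, record) for sub in condition["AND"])
    if "OR" in condition:
        return any(matches(sub, record) for sub in condition["OR"])
    try:
        op = OPERATORS[condition["operator"]]
    except KeyError as exc:
        raise ValueError(f"unsupported operator: {condition.get('operator')!r}") from exc
    return op(record.get(condition["field"]), condition.get("value"))


# Conditions transcribed from the rule reference; IDs and articles from the
# summary table. This subset exercises every operator the pack uses.
RULES: dict[str, tuple[str, str, dict[str, Any]]] = {
    "GDPR-001": ("Data Retention Period Enforcement", "5(1)(e)", {"AND": [
        {"field": "deletion_requested", "operator": "equals", "value": True},
        {"field": "created_at", "operator": "exists", "value": None},
    ]}),
    "GDPR-003": ("At-Rest Encryption Requirement", "32",
                 {"field": "encrypted", "operator": "equals", "value": False}),
    "GDPR-004": ("Special Category Data Protection", "9",
                 {"field": "data_category", "operator": "contains", "value": "special_category"}),
    "GDPR-007": ("Children Data Protections", "8",
                 {"field": "age", "operator": "less_than", "value": 16}),
    "GDPR-009": ("Lawful Basis Documentation", "6",
                 {"field": "lawful_basis", "operator": "not_exists", "value": None}),
    "GDPR-015": ("Third Country Transfer Basis", "44-49",
                 {"field": "transfer_basis", "operator": "not_exists", "value": None}),
}


def scan(records: list[dict[str, Any]],
         rules: dict[str, tuple[str, str, dict[str, Any]]] = RULES) -> list[dict[str, str]]:
    """Run every rule over every record; one finding per (record, rule) hit."""
    findings: list[dict[str, str]] = []
    for record in records:
        for rule_id, (name, article, condition) in rules.items():
            if matches(condition, record):
                findings.append({"record": record["id"], "rule": rule_id,
                                 "name": name, "article": article})
    return findings


def violations_by_record(records: list[dict[str, Any]],
                         rules: dict[str, tuple[str, str, dict[str, Any]]] = RULES
                         ) -> dict[str, list[str]]:
    """Map record id -> sorted list of rule IDs it violates (handy for reporting)."""
    out: dict[str, list[str]] = {r["id"]: [] for r in records}
    for finding in scan(records, rules):
        out[finding["record"]].append(finding["rule"])
    return {rid: sorted(hits) for rid, hits in out.items()}


# Constructed sample dataset (not taken from the page).
SAMPLE_RECORDS: list[dict[str, Any]] = [
    {"id": "r1", "age": 14, "encrypted": True, "data_category": ["contact"],
     "lawful_basis": "consent", "transfer_basis": "adequacy_decision",
     "deletion_requested": False, "created_at": "2024-05-01"},
    {"id": "r2", "age": 34, "encrypted": False,
     "data_category": ["health", "special_category"], "lawful_basis": None,
     "transfer_basis": "scc", "deletion_requested": True, "created_at": "2021-03-02"},
    # No `age` field and no `transfer_basis`: GDPR-007 stays silent, GDPR-015 fires.
    {"id": "r3", "encrypted": True, "data_category": ["contact"],
     "lawful_basis": "contract", "deletion_requested": False},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f['record']}: {f['rule']} {f['name']} (Art. {f['article']})")
```

Two things the run makes visible: a `null` value and an absent field are indistinguishable to `not_exists` (r2's `lawful_basis: null` and r3's missing `transfer_basis` both fire), and GDPR-001 hits r2 purely because a deletion request is open and `created_at` is populated; encoding a real retention window would need a date-comparison operator that the page's condition syntax does not include.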

Using the GDPR Pack

  1. Select GDPR Framework — Choose “GDPR” when creating a new audit
  2. Review Rules — All 15 rules are loaded and active by default
  3. Toggle Rules — Disable any rules not applicable to your data processing activities
  4. Upload Data — Upload your dataset (must include fields like consent_status, encrypted, age, etc.)
  5. Confirm Mapping — Approve the AI-suggested column mappings
  6. Run Scan — Execute the compliance scan
  7. Review Violations — Violations include GDPR article references, historical fines, and remediation steps
All GDPR rules use deterministic logic — no AI models are used during enforcement. Explanations reference specific GDPR articles and are generated from templates.

Next Steps

  • AML Compliance Pack: explore the 11 AML/FinCEN rules for financial transaction monitoring
  • SOC2 Compliance Pack: explore the 9 SOC2 rules for trust service criteria
  • Custom PDF Upload: upload your own regulatory documents
  • Explainability: learn how violation explanations are generated
