
Compliance

GDPR Compliance Checklist for SaaS Companies in 2026

A practical, technical GDPR compliance checklist for SaaS founders and CTOs. Covers data storage, third-party processors, consent management, privacy policies, and what regulators actually look for.

20 min read
By Alexandru-Nicolae Șerban
Tags: gdpr compliance checklist, gdpr saas, gdpr 2026, data protection, eu compliance


GDPR has been in force since 2018, but enforcement is ramping up. In 2023, Meta was fined €1.2 billion. In 2024, LinkedIn was fined €310 million. Regulators are increasingly targeting smaller businesses, not just tech giants.

This checklist is designed for SaaS founders and CTOs who need practical compliance — not a 200-page legal treatise. It covers what actually gets companies in trouble.

Before We Start: What GDPR Actually Covers

GDPR applies to your SaaS company if:

- You're based in the EU/EEA, or

- You process personal data of people in the EU/EEA (even if you're based elsewhere)

"Personal data" means any information relating to an identified or identifiable person: name, email, IP address, device ID, cookie identifiers, behavioural data. Pseudonymised data (a user ID you can map back to a person) still counts. If your SaaS collects any of this from people in the EU/EEA, GDPR applies to you.

---

Section 1: Legal Basis for Processing ✅

Before processing any personal data, you need a lawful basis under GDPR Article 6.

1.1 Identify Your Legal Bases

For each type of data you process, document which legal basis applies:

- Contractual necessity: Processing needed to deliver your service (e.g., storing user accounts)

- Legitimate interests: Processing that benefits your business and does not override user rights, backed by a documented balancing test (e.g., fraud prevention, security logging, basic analytics)

- Consent: Freely given, specific, informed, unambiguous opt-in (e.g., marketing emails, non-essential cookies)

- Legal obligation: Processing required by law (e.g., tax records)

- Vital interests: Rare — life-or-death situations

- Public task: For public authorities

Action: Create a data processing inventory (Records of Processing Activities — RoPA, Article 30) mapping each data type to its purpose, legal basis and retention period.

1.2 Marketing Email Requires Explicit Consent

If you send marketing emails, you need:

- An explicit opt-in checkbox (not pre-checked)

- A record of when and how consent was given

- An easy unsubscribe mechanism in every email

Sending newsletters to everyone who signed up for your product without separate marketing consent is a common violation. Transactional email (password resets, invoices, service notices) is not marketing and needs no separate consent; the ePrivacy "soft opt-in" for existing customers is narrow and applied differently per country, so do not rely on it without checking the local rule.

---

Section 2: Data Minimisation ✅

Article 5(1)(c): Collect only what you need for the specific purpose.

2.1 Audit Your Sign-Up Form

Does your sign-up form ask for data you don't actually need?

Common unnecessary fields:

- Phone number (if you never call users)

- Company size (if not relevant to pricing or onboarding)

- Job title (if not used in product logic)

- Date of birth (if there's no age verification need)

Action: Remove any field where you can't clearly explain why you need it.

2.2 Minimize Data in Logs

Application logs usually contain personal data (IP addresses, emails, user agents), so they fall under the same minimisation and retention rules as your database. Review what you're logging:

```javascript
const logger = require('pino')(); // any structured logger; pino assumed here

// Bad: writes IP address, email and user agent in plain text on every attempt
logger.info('Login attempt', { ip: req.ip, email: user.email, userAgent: req.headers['user-agent'] })

// Better: an internal id plus the outcome is enough to debug most login problems
logger.info('Login attempt', { userId: user.id, outcome: ok ? 'success' : 'failure', timestamp: Date.now() })
```

Action: Audit your logging configuration and set retention to the minimum your purpose needs (30-90 days is typical for application logs). If you keep security or audit logs longer, document the legitimate interest behind it.

---

Section 3: Data Storage and Security ✅

Article 32 requires "appropriate technical and organizational measures."

3.1 Encryption

- [ ] At rest: All databases, backups, and file storage encrypted (AES-256 or AES-128; the key belongs in a KMS/HSM with its own access policy, not on the same disk as the data)

- [ ] In transit: TLS 1.2 or higher (prefer 1.3) on all connections, including internal service-to-service calls and database connections

- [ ] Backups: Encrypted and access-controlled

- [ ] Passwords: Hashed with bcrypt, Argon2id, or scrypt with a per-user salt (never plain text, MD5, or an unsalted SHA-1/SHA-256)

3.2 Access Controls

- [ ] Role-based access control (RBAC) in your application

- [ ] Principle of least privilege for database access (the app user has SELECT/INSERT/UPDATE/DELETE on its own schema only; no DROP, ALTER or superuser rights; DELETE is needed for the erasure requests in Section 5)

- [ ] Multi-factor authentication for admin accounts and CI/CD systems

- [ ] Access logs for sensitive data (who accessed what, when)

- [ ] Regular access reviews (remove access for departed employees within 24 hours)

3.3 Data Location

- [ ] Personal data of EU users stored in EU/EEA data centers (GDPR does allow transfers with the Chapter V safeguards from Section 4, but keeping data in the EEA removes that analysis entirely)

- [ ] Backups also in EU data centers

- [ ] Data Processing Agreement (DPA) with your hosting provider

- [ ] List of your hosting provider's sub-processors reviewed

3.4 Breach Response Plan

GDPR Article 33 requires notifying your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. Article 33(5) also requires you to document every breach, including the ones you decide not to report.

- [ ] Incident response plan documented

- [ ] Contact details for your supervisory authority

- [ ] Process for assessing breach severity

- [ ] Template for supervisory authority notification

- [ ] Process for notifying affected users without undue delay when the risk is high (Article 34)

- [ ] Internal breach register covering all incidents, notified or not (Article 33(5))

---

Section 4: Third-Party Processors ✅

Every external service that processes personal data on your behalf is a "data processor" requiring a DPA.

4.1 Common Processors That Need DPAs

Go through your tech stack and check each one:

| Service | Data Processed | DPA Available? |

|---|---|---|

| AWS / GCP / Azure | All user data | Yes |

| Stripe | Payment data | Yes |

| Intercom / Zendesk | User emails, support data | Yes |

| SendGrid / Mailgun | Email addresses | Yes |

| Mixpanel / Amplitude | User behavior | Yes |

| Sentry | Error data (may include PII) | Yes |

| Google Analytics | User behavior, IP | Requires configuration |

| HubSpot / Salesforce | Contact data | Yes |

| Slack | User messages if integrated | Yes |

Action: Go to each provider's website, find their DPA, and sign it (most are click-through agreements). Document that you've done this.

4.2 US-Based Processors (Post-Schrems II)

Transferring data to the US requires either:

- Standard Contractual Clauses (SCCs) plus a documented transfer impact assessment of the destination country — most large providers offer SCCs in their DPA

- The EU-US Data Privacy Framework — only for providers that have self-certified; check the list rather than the provider's marketing

- Binding Corporate Rules (for large multinationals)

Critical: Check whether each US processor is registered under the EU-US Data Privacy Framework at dataprivacyframework.gov.

Google Analytics requires you to:

1. Check how IP addresses are handled: Universal Analytics needed IP anonymization switched on; GA4 discards IP addresses by default, but verify this for your property

2. Disable data sharing with Google products and the advertising features (Google Signals)

3. Cover the transfer: rely on Google's Data Privacy Framework certification or on SCCs, and record that choice in your transfer documentation (several supervisory authorities, including Austria, France and Italy, found Universal Analytics transfers unlawful before the DPF existed)

4. Load it only after analytics consent (Section 6) and inform users in your privacy policy

---

Section 5: User Rights ✅

GDPR grants users specific rights you must be able to fulfill.

5.1 Right of Access (Article 15)

Users can request a copy of all personal data you hold about them. Article 12(3) sets the deadline: without undue delay and at most one month from receipt, extendable by a further two months for complex or numerous requests if you tell the user within the first month.

- [ ] Process documented for handling access requests

- [ ] Ability to export all user data from your systems

- [ ] Way for users to submit requests (email, form, or in-app button)

5.2 Right to Erasure (Article 17)

Users can request deletion of their data (with some exceptions for legal obligations).

- [ ] Ability to hard-delete user accounts (not just soft-delete/deactivate)

- [ ] Deletion cascades to all associated data, including copies held by processors (Section 4) and backups once they age out on their normal rotation; document that window and state it in your response

- [ ] Process for responding within one month (same Article 12(3) deadline and extension as access requests)

- [ ] Documented exceptions (e.g., data retained for legal or tax purposes)

5.3 Right to Portability (Article 20)

Users have the right to receive their data in a machine-readable format.

- [ ] Data export functionality (JSON, CSV)

- [ ] All user-generated data included in export

5.4 Right to Rectification (Article 16)

Users can correct inaccurate data.

- [ ] Users can update their profile information

- [ ] Process for correcting data in backend systems

---

Section 6: Cookie Compliance ✅

Cookies are regulated by both GDPR and the ePrivacy Directive (Cookie Law).

6.1 Cookie Audit

Run a cookie scan on your website: tools like Cookiebot, OneTrust, or usercentrics.com can automatically detect all cookies set by your site and classify them.

Cookie categories:

- Strictly necessary: Essential for the website to function (login sessions, shopping cart). No consent needed.

- Functional: Enhanced functionality (language preference, dark mode). Consent needed in most EU countries.

- Analytics: Usage data (Google Analytics, Hotjar). Consent needed.

- Marketing: Advertising and tracking. Explicit consent needed.

6.2 Cookie Banner Requirements

Your cookie banner must:

- [ ] Show before any non-essential cookies are set, including those set by third-party scripts (analytics tags, chat widgets, embedded video)

- [ ] Not use dark patterns (e.g., making "Accept" prominent and "Reject" hidden)

- [ ] Allow users to accept or reject by category

- [ ] Have an "Accept all" and "Reject all" option at the same level

- [ ] Store consent records

- [ ] Allow users to change their preferences later

Several EU regulators (France's CNIL, Germany's DSK) have published specific guidance — "Accept all" and "Reject all" must be equally accessible.
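A banner is only as good as the gate behind it. The following added example (not code from the original post) is the decision logic that the banner, your cookie-setting code and your tag loader all share: consent is recorded with a version, "accept all" and "reject all" are built from the same function, an unregistered cookie is treated as marketing, and nothing non-essential is written or loaded without a current record. The cookie registry, category names and the injected `write` callback are assumptions; the UI is left out so the logic runs in Node as well as in a browser.

```javascript
// Added example: consent gate behind a cookie banner. Plain JavaScript, no DOM needed.

// Bump when the cookie list or purposes change: consent given under an older
// version no longer covers the new cookies.
const CONSENT_VERSION = 3;

// Every cookie the site sets, mapped to its category. Anything missing here is
// treated as non-essential (fail closed). Names are assumptions.
const COOKIE_REGISTRY = {
  session_id: 'necessary',
  csrf_token: 'necessary',
  ui_theme:   'functional',
  _ga:        'analytics',
  _fbp:       'marketing',
};

// The stored consent record: what was agreed, when, how, under which version.
function makeConsentRecord(choices, method, now = new Date()) {
  const categories = { necessary: true, functional: false, analytics: false, marketing: false, ...choices };
  categories.necessary = true;  // cannot be refused, so it is never recorded as a choice
  return { version: CONSENT_VERSION, at: now.toISOString(), method, categories };
}

// Both buttons go through the same constructor, so neither path can quietly
// grant more than the other shows.
const acceptAll = (now) => makeConsentRecord({ functional: true, analytics: true, marketing: true }, 'accept_all', now);
const rejectAll = (now) => makeConsentRecord({}, 'reject_all', now);

// Missing, malformed or outdated record means no consent.
function consentIsCurrent(record) {
  return Boolean(record) && record.version === CONSENT_VERSION && typeof record.categories === 'object' && record.categories !== null;
}

// The single check every cookie write and script load must pass.
function isAllowed(cookieName, record) {
  const category = COOKIE_REGISTRY[cookieName] || 'marketing';  // unregistered -> most restrictive
  if (category === 'necessary') return true;
  return consentIsCurrent(record) && record.categories[category] === true;
}

// Wrap the real cookie setter (document.cookie in a browser). `write` is injected
// so the gate can be tested without a DOM.
function guardedSetCookie(write, record, name, value) {
  if (!isAllowed(name, record)) return false;
  write(`${name}=${value}; Secure; SameSite=Lax; Path=/`);
  return true;
}

// Which tag scripts to inject for this visitor. Scripts are [{ src, category }].
function scriptsToLoad(record, scripts) {
  return scripts
    .filter(s => s.category === 'necessary' || (consentIsCurrent(record) && record.categories[s.category] === true))
    .map(s => s.src);
}

// Constructed usage: a visitor who clicked "Reject all".
const visitor = rejectAll();
console.log(scriptsToLoad(visitor, [{ src: '/app.js', category: 'necessary' }, { src: 'https://www.googletagmanager.com/gtag/js', category: 'analytics' }]));
```

The `method` and `at` fields are what you produce when a regulator asks for consent records; the `version` field is what makes "allow users to change their preferences later" safe, because a change to the cookie list invalidates old records instead of silently extending them.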

---

Section 7: Privacy Policy ✅

Your privacy policy must be written in clear, plain language.

7.1 Required Information (Article 13 & 14)

- [ ] Who you are (company name, address, contact details)

- [ ] Data Protection Officer contact (if you have one)

- [ ] What data you collect

- [ ] Why you collect it (and the legal basis for each purpose)

- [ ] How long you keep data (retention periods)

- [ ] Who you share data with (list processors and categories)

- [ ] Whether data is transferred outside the EU and how

- [ ] User rights (access, erasure, portability, objection)

- [ ] Right to complain to supervisory authority

- [ ] How the policy is updated

7.2 Accessibility

- [ ] Linked from your homepage footer

- [ ] Linked from your sign-up form

- [ ] Linked from all email communications

- [ ] Written at a reading level accessible to non-lawyers

---

Section 8: Employee and Team Practices ✅

GDPR compliance is organizational, not just technical.

- [ ] GDPR training for all staff who handle personal data

- [ ] Privacy policies for employee data (separate from customer privacy policy)

- [ ] Confidentiality agreements with contractors and employees

- [ ] Documented process for employee off-boarding (revoking access)

---

Common GDPR Violations That Get Companies Fined

Based on publicly reported enforcement actions:

1. No DPA with processors (very common)

2. Invalid cookie consent (dark patterns, pre-ticked boxes)

3. Google Analytics without proper configuration

4. No response to erasure requests

5. Excessive data retention (keeping data indefinitely)

6. Poor security practices (data breaches)

7. Sending marketing without consent

---

Quick Wins (Do These This Week)

1. Sign DPAs with all third-party processors

2. Add a cookie consent banner if you don't have one

3. Create a process for handling user rights requests

4. Set a log retention policy and enforce it

5. Enable encryption at rest on your database

GDPR compliance is ongoing work, not a one-time project. But starting with these basics puts you ahead of the majority of SaaS companies.

Learn how Obtura's EU hosting helps with GDPR compliance — infrastructure compliance built in from day one.
