About the GDPR Templates Kit

The GDPR Templates Kit contains the necessary document templates, tools and instructions for your organisation to achieve GDPR compliance with minimal cost, effort and time.

You can preview all documents in the kit on our product page (https://store.finagon.com/product/gdpr-templates-kit). Just scroll down to the contents list and click on each document for preview.

The GDPR Templates Kit is specifically designed for:

– Companies that need to achieve GDPR compliance with minimal time and cost;

– Consultants who provide GDPR compliance services;

– GDPR professionals who are involved in implementing the regulation in their organisations.

No. The toolkit is generic and can be adapted to any kind of organisation, both for-profit and not-for-profit.

To get the most out of implementing GDPR with the help of our toolkit, you will need to spend some time adapting the templates to your own specific organisation, governance, processes, technical infrastructure, IT systems and applications. We have provided a file in the toolkit with step-by-step instructions on how to use the GDPR Templates Kit.

No, we provide a complete toolkit to help your organisation to become GDPR-compliant as quickly and effectively as possible.

Our templates are created in Microsoft Office format. Most templates are MS Word documents but there are also MS Excel spreadsheets. All documents are fully editable.

Once your order is submitted and accepted you will be able to download your product straight from our site. You will also receive an email with a download link if you choose to download the toolkit later. Each GDPR Templates Kit consists of a ZIP file containing the full set of document templates sorted in folders.

We accept payments by PayPal or by the following types of credit cards: VISA, MasterCard, American Express and Discover.

For better security we use PayPal Express Checkout to process payments by both PayPal and credit cards. After clicking on “Continue to payment” you will be prompted to choose your payment method and fill in your billing information.

GDPR highlights

The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/EC in spring 2018 as the primary law regulating how companies protect EU citizens’ personal data. Companies that are already in compliance with the Directive must ensure that they are compliant with the new requirements of the GDPR before it becomes effective on May 25, 2018. Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines.

GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR include:

  • Requiring the consent of subjects for data processing
  • Anonymizing collected data to protect privacy
  • Providing data breach notifications
  • Safely handling the transfer of data across borders
  • Requiring certain companies to appoint a data protection officer to oversee GDPR compliance

Simply put, the GDPR mandates a baseline set of standards for companies that handle EU citizens’ data to better safeguard the processing and movement of citizens’ personal data.

The GDPR applies more broadly than might be apparent at first glance. Unlike privacy laws in some other jurisdictions, the GDPR is applicable to organisations of all sizes and all industries. Specifically, the GDPR applies to:

  • processing of anyone’s personal data, if the processing is done in the context of the activities of an organisation established in the EU (regardless of where the processing takes place);
  • processing of personal data of individuals who reside in the EU by an organisation established outside the EU, where that processing relates to the offering of goods or services to those individuals or to the monitoring of their behaviour.

The EU is often viewed as a role model on privacy issues internationally, so we also expect to see concepts in the GDPR adopted in other parts of the world over time.

Organisations can be fined up to 4% of annual global turnover or €20 million for breaching the GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines: for example, a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning ‘clouds’ will not be exempt from GDPR enforcement.

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, meaning it will be in force on May 25, 2018.

Personal data is any information related to a natural person, or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.

A controller determines the purposes and means of processing personal data.

A processor is responsible for processing personal data on behalf of a controller.

If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.