GDPR Document Compliance Checklist 2025

GDPR compliance isn't just about privacy policies and cookie banners. Your actual document handling practices — how you create, store, share, and destroy PDFs containing personal data — are at the core of compliance.

GDPR Document Compliance Checklist

Before Creating/Receiving Documents

• ☐ Identify personal data categories the document will contain
• ☐ Confirm legal basis for processing (consent, contract, legal obligation, etc.)
• ☐ Define retention period before document is created

Before Sharing Externally

• ☐ Remove metadata that reveals internal information — use our Metadata Remover
• ☐ Redact any personal data not required by the recipient — use our PDF Redaction Tool
• ☐ Encrypt if the document contains sensitive personal data — use our PDF Encryption Tool
• ☐ Confirm recipient has appropriate data protection measures in place

Storage & Retention

• ☐ Store documents containing personal data with access controls
• ☐ Encrypt stored documents containing special category data
• ☐ Document your retention schedule and deletion procedures

Rights Requests

• ☐ Process to identify all documents containing a specific person's data
• ☐ Ability to provide copies (data portability)
• ☐ Ability to redact or delete personal data from specific documents

Common GDPR Document Failures

• Sending CVs or HR documents with unredacted sensitive data
• Sharing contracts with metadata revealing internal negotiations
• Retaining documents containing personal data past their retention period
• Storing PII in unencrypted PDFs on shared drives

FAQ