It is expected that the General Data Protection Regulation will be adopted in 2015. This successor to the Data Protection Act will set new, strict requirements for organizations processing personal data. Non-compliant organizations risk a massive fine. If you want to know the size of the fine you could potentially receive, you can anonymously fill out our fine-o-meter.

The fine-o-meter is based on the official proposal of January 25, 2012. It is possible that this proposal will be revised. As legislation is subject to change, please regularly check this site for any updates.

  • 1. General legal requirements
  • 2. Rights of the data subject
  • 3. Accountability and documentation

Do you have a privacy policy that uses clear and plain language?

Do you have a legitimate goal for the processing of personal data?

Do you process data for purposes other than the ones for which the data have been originally collected and are these new purposes incompatible with the original ones?

Do you process special categories of personal data (health, criminal records, religion etc.) while you are not an organization specifically tasked with such processing (for instance, a hospital, the police or a church)?

Do you have procedures in place that grant data subjects access to information on the processing of their personal data?

Do you respond to requests from data subjects to obtain information about their personal data being processed?

Do you have procedures in place that enable, upon the data subject’s request, the rectification and alteration of data?

Do you have procedures in place that ensure that, upon the data subject’s request, data are no longer processed and disseminated (the right to be forgotten)?

Do you have procedures in place that allow the data subject to obtain a copy of their data in an accessible, commonly used format (data portability)?

Do you respond within a month’s time to requests concerning the access to information, rectification, erasure or data portability?

Do you charge costs for fulfilling requests concerning the access to information, rectification or erasure?

Do you maintain documentation containing a description of the categories of personal data you process, the purposes of the processing and who is responsible for the data?

If you cooperate with multiple partners, have you specifically determined who is responsible for which part of the processing?

Do you have a clearly defined privacy policy?

Do you have a clearly defined policy for the privacy-friendly development of products and services (privacy by design & privacy by default)?

Do you have a clearly defined information security policy?

Do you document all personal data breaches, comprising the facts surrounding the breach, its effects and the remedial action taken?

Do you communicate data breaches to the supervisory authority and to the data subjects involved?

Do you carry out a privacy impact assessment when implementing new applications or services?