Help make GDPR compliance easy for organisations: what templates would be helpful for you? Provide your feedback

1. Record Management Policy/Procedure ( From creation to disposal)- I am a DPO and has been drafting this policy for many organisations. With this guidance it could help many privacy professionals to come up with a good policy/procedure which could be practical to implement.
2. Data Subject Rights Requests Policy/Procedure - We have seen EDPB guidance on DSAR, having a template for responding to DSAR steps to be followed by an organisation when receiving such request would be helpful. But not only for DSAR, we have other rights under GDPR and other data protection laws, this policy or procedure needs to also have steps how to handle the other rights (rectification, objection, deletion, right not be subjected to automated decision making, right to data portability). What is important, for right of rectification, when should it be logged and considered this right under GDPR. For instance, an employee making update on name after getting married or change of other personal information with employer would that considered as right of rectification. This policy or procedure can shed light on that and what needs to be considered and not.
3. Data Protection Policy: Some organisations tend to mix notices with Data Protection Policy. By providing a template, this will help organization understand that this is an overarching document demonstrating the commitment of the organisation in abiding with the GDPR and relevant data protection laws.
4. Data Breach Response Plan: This would be important particularly for assessing risks. May be providing a methodology on how to assess high risk to rights and freedoms of the data subjects.
5. Others docs could be: Consent Management Policy, DPIA Template, Privacy Risk Assessment Template (organizational wide), Ongoing monitoring checklist, Privacy by Design and Default Policy/Procedure and checklist, template for consent forms for biometric

1. Records of processing
2. Transfer impact assessment

As an active consultant in regulatory field and based on what I see as issues with the implementation of GDPR, I would consider as most useful having templates for the following documents:

1. Record of Operational Processing Activities, along with clear and simple guidance for requirements how to fill in and what is required
2. Data Protection Impact Analysis, along with clear and simple guidance for the requirements how and what is required to fill in
3. Legitimate Interests Assessment, along with clear and simple guidance for the requirements how to fill in and what is required

These documents are complicated especially for small and medium entities that do not have the capacity to maintain sufficient internal knowledge and resources. Formal and strict requirements makes it vital to have clear and simple and easy to understand template and guidance and how exactly to be compliant. 

Thank you for launching this consultation. I would like to emphasise the need to adapt existing and future templates specifically to the processing of employee data. This area has long been overlooked and it has become increasingly urgent to address, particularly in light of the Platform Work Directive, the power imbalance in the employment context and algorithmic management practices affecting workers.

It is also important to ensure that templates are suitable for non-profit organisations, which often do not rely on software-based compliance tools to semi-automate GDPR obligations.

1. Templates for employment-related RoPAs, including workers representatives
2. DPAIs template with a focus on worker data
3. Information to workers on automated decision-making including profiling
4. Guidance or template for Labour Inspectorates on handling worker data protection issues (lawful basis, sensitive data, etc.), as they will increasingly need support from Data Protection Authorities.
5. Template for workers to exercise their data rights effectively, including clarification that consent is generally not a valid legal basis in employment contexts.
6. Template for worker data-sharing disclosures, given the widespread practice of sharing employment data with third parties without worker awareness, which has already led to several DPA sanctions.
7. Template for a balancing test (necessity and proportionality) prior to introducing monitoring tools. The most significant fines across the EU have concerned unlawful surveillance, underscoring the need for clearer differentiation between legitimate monitoring and invasive surveillance practices (see ETUI, Worker monitoring vs worker surveillance: the need for a legal differentiation, 2024). 
   Ref:   https://www.etui.org/sites/default/files/2024-03/Chapter13_Worker%20monitoring%20vs%20worker%20surveillance%20the%20need%20for%20a%20legal%20differentiation.pdf 

Blueprints for art. 28 and art. 29 agreements. This would set buisness standards and reduce the market power of big companies.

Blueprint for cookie banners. Although new legislation is on its way. Clear standards would ease internal and external discussions and set standards for all companies, thus creating a more even playing field.

Many companies do not know how to carry out a risk analysis in relation to data protection. The methodologies published by the supervisory authorities are cumbersome and difficult to understand and apply. An understandable and easy-to-use model would be very helpful.

The same applies to the legitimate interest balancing test.

1. The privacy notice, due to the fact that there are still so many misconceptions around how to present information. I see far too often separate sections listing all data categories, then all purposes, etc without this giving any clue as to what data is used for which purpose. This is also the standard outside of Europe, which makes it harder when working with foreign companies.
2. The assessment of processors - what different levels of risk should companies use (and based on what) and how should they categorise processors accordingly. I am thinking of the Danish DPA guideline on supervision of processors.
3. A tool for documenting DPIAs (like the one CNIL has created).
4. A tool for keeping records of processing, not just a template. 

1. Privacy Notices
2. Records of Processing Activities (ROPA)
   Garante has this one:
   • Controller: https://www.garanteprivacy.it/garante/document?ID=9048342
   • Processor: https://www.garanteprivacy.it/garante/document?ID=9048395
3. Data Processing Agreements (DPA) different from SCCs
4. Data Subject Rights Request Handling
   Garante has this one: https://www.garanteprivacy.it/garante/document?ID=1089924.
5. Legitimate Interest Assessment (LIA)
   ICO has this one: https://ico.org.uk/media2/for-organisations/forms/2258435/gdpr-guidance-legitimate-interests-sample-lia-template.docx
6. Governance and Accountability
   Template Data Protection Officer (DPO) appointment and notification letter 
   (from TermsFeed: https://www.termsfeed.com/blog/gdpr-appointment-dpo-letter/#Download_Gdpr_Appointment_Of_Data_Protection_Officer_Letter_Template)

Several templates documents would be helpful:

• HR data retention compliance documentation for several jurisdictions
• Data retention schedules for several countries
• Assessments
• Policies
  
   

A risk assesment chart including

• scale for various consequence for individuals privacy, including how the consequence changes if the number of individuals change.
• also a scale for probability.

And the matrix should be clear about when risk ( PxC) actually is high.
This should be measured equally for all organizations.

To effectively support organizations in achieving and maintaining compliance with the General Data Protection Regulation (GDPR), it would be highly beneficial to develop a comprehensive package of documentation and tools designed as templates for conducting initial GDPR compliance assessments across major industry sectors — such as banking, insurance, hospitality, and software/cloud service providers.

Such a package should include the following essential documents:

• Record of Processing Activities (RoPA) – required under Article 30, to document all personal data processing operations and their purposes.
• Data Breach Notification Form – required under Article 33, to ensure timely and consistent reporting of personal data breaches to supervisory authorities within the mandated 72-hour timeframe.
• Data Subject Request (DSR) Response Template – to standardize and streamline responses to data subjects’ rights requests, including access, rectification, erasure, and data portability.
• Data Processing Agreement (DPA) – as required under Article 28, to formalize obligations and safeguards between controllers and processors.
• Risk Matrix for Processing Activities – to evaluate the inherent and residual risks associated with data processing operations, enabling prioritization and mitigation.
• Vendor Risk Assessment Matrix and Procedure – to assess and manage data protection risks arising from third-party vendors and service providers.
• Data Protection Impact Assessment (DPIA) – required under Article 35, to identify and minimize high risks to individuals’ rights and freedoms. While the European Commission provides a template, the list of technical and organizational measures remains broad and may require sector-specific adaptation.
• The level of importance and prioritization of these documents may be further classified based on the volume and impact of processing activities within each sector.

Furthermore, alignment with internationally recognized standards such as ISO/IEC 27701 (Privacy Information Management System) would significantly facilitate consistent implementation of privacy controls, provide a framework for continual improvement, and enhance interoperability with existing information security standards such as ISO/IEC 27001

• A much easier data processing agreement standard (the EU Commission SCC DPA is too difficult to fill in for small organisations)
• a data protection impact assessment standard
• a legitimate interest assessment standard
• a website cookie policy standard
• a website cookie banner (<- Users would benefit)

• a checklist with   official templates for  consent, opt-out, work contracts,...
• a checklist of obligations and mandatory elements that a company has to maintain or do with the DPO

Implementation of the NIS2 Directive and changes to cybersecurity regulations:

1. Implementation of mechanisms ensuring business continuity.
2. Security Maturity Assessment.
3. Preparing a risk analysis and compliance checklist.

La donnée, c’est de l’or… et pour la faire briller, le DPO du XXIe siècle ne doit plus être un simple gardien de règlements, mais un véritable chef d’orchestre de la compliance : à la croisée du juridique, de la tech, de la gouvernance et du terrain.

Merci à l’EDPB d’ouvrir le bal des templates : c’est LE moment d’apporter des outils concrets, pédagogiques et transverses ! Pour tous les secteurs : auto, finance, santé, industrie, conseil, un socle intelligent et modulaire serait la clé d’une conformité fluide et inclusive.

Voici les pistes “multi-casquette” que j’attends :

• Des modèles adaptables (taille/risque/process) : un template unique ne peut pas convenir à une TPE industrielle ET à un groupe bancaire. « One size fits all » = mirage réglementaire.
• Des guides visuels et interactifs : checklists, mindmaps, tableaux comparatifs sectoriels, pour naviguer entre enjeux sécurité, IA, cybersécurité, anonymisation, sous-traitance… En bref, des supports qui parlent à la fois au Comex, à l’IT et à l’opérationnel, sans “RGPD panique”.
• Des modules pédagogiques : intégrer dans chaque modèle une section “Explications”, vulgarisation, exemples de bonnes/mauvaises pratiques, et “FAQs by DPO” façon capsule Minute Data. Quitte à embarquer un soupçon d’autodérision !
• Un “kit IA et data” : dès l’élaboration, inclure la gestion du risque IA, DPIA intelligible, registre IA, flows data, points de vigilance sur l’automatisation. On prépare la gouvernance du présent ET du futur.
   
• Des modèles sectoriels et évolutifs : fiche violence en santé, schéma circuit données véhicules connectés, modèles pour logiciels métiers du conseil ou fintech, etc.
• Des gabarits prêts à l’emploi pour la gouvernance multi-sites/multi-pays : de la PME qui rêve d’Europe au géant structuré.

En synthèse : sortons du mode “copier-coller réglementaire”, engageons une compliance qui a du style, parlante, au service du terrain et du citoyen.

La donnée, c’est de l’or… à nous de fabriquer les meilleurs alambics pour la raffiner.

Marie-José, juriste Data & future DPO augmentée, promotrice d’une compliance énergique, accessible et un brin impertinente.

• notification de violations des données
• registre de traitement du RT et sous-traitant
• clausier avec BCR
• charte RH et RGPD
• charte IA et RGPD
• lettre de mission DPO
• plan d'action annuel 

I think that template for DPIA would ve very useful (which should be in preparation which is great). 

Then also template for so called "balance test" required for legal basis "legitimate interest" (art. 6/1 f GDPR) would ve useful as I Believer many controllers do not have enough legal certainty what must be documented on such test to prove lawfulness of processing.

Also template for records of processing activities would help organisations because it is one of basic compliance documents for controllers which is also important in case of audits and controls. 

I would also appreciate template for notices to people regarding specific topics like: 

• fotodocumentation of some event and Its possible publication on website, social media,
• usage of CCTV in building,
• recording of educational seminars and publication od record for educational purposes etc.

Rejestr czynności przetwarzania danych osobowych w placówce oświatowej

Wzór analizy DPIA dla placówek oświatowych

Kalkulator wagi naruszeń ochrony danych osobowych

Contribution to EDPB Public Consultation — GDPR Templates:

• Part 1 (PDF)
• Part 2 (PDF)

To make GDPR compliance more practical and accessible — especially for SMEs and organisations with limited resources — it would be highly valuable for the EDPB to provide a set of standardised, ready-to-use templates.

In addition, it would be very helpful if each template included inline guidance, suggestions and comment boxes to help organisations understand how to adapt the document to their concrete situation.

For example, for a cctv pivacy notice, the template should already suggest the limit of record image maximum to adapt (in relation with the specific EU Member State legislation) with a comment in relation to the eventual exception provided by national Data Protection Authorities and/or national rules; should suggest also the legal basis of the process (like for example the legitimate interest for security measures and the related specific LIA ‘s template).

Therefore, the best way to have templates would be to have not just a theoretical template to fill but a template that has also practical suggestions inside for the adoption in terms of content also.

 

Based on input collected from several Polish banks, the sector respectfully submits the following proposals for model documents that, in our assessment, would provide the greatest benefit to controllers across the EU.

1. Template for a Risk Assessment Sheet for Personal Data Breaches
   Banking institutions conduct breach assessments frequently due to the scale of operations and regulatory obligations. A model risk-assessment sheet would harmonise the methodology used by controllers when evaluating the likelihood and severity of risks for data subjects. It would also support consistent decisions on notification obligations under Articles 33 and 34 GDPR and facilitate supervisory oversight.
2. Template for a General GDPR Risk Assessment Methodology
   Banks emphasise the need for a unified structure for conducting GDPR risk assessments outside of DPIA scenarios. A standardised template would help align practices across the EU, reduce interpretative divergence and make it easier for controllers to demonstrate compliance with the accountability principle. It would also improve the comparability of risk assessments performed by different entities in the financial sector.
3. Model Information Clause (Privacy Notice Template)
   A harmonised model privacy notice would clarify which information components are required and how they should be presented to data subjects. Such a template would significantly reduce discrepancies between controllers’ practices and strengthen transparency, particularly in complex, multilayered processing environments such as banking. It would also support greater uniformity in supervisory assessments.
4. Model Risk Analysis Template under Article 32 GDPR
   Banks consistently indicate that safeguarding personal data under Article 32 requires a structured and predictable risk-assessment process. A model document would guide controllers in assessing technical and organisational measures relative to identified threats. It would also ensure that organisations—especially smaller controllers—apply a minimum, coherent standard when evaluating security risks.
5. Model LIA (Legitimate Interests Assessment – Balancing Test)
   A harmonised LIA template is strongly recommended. Banks frequently rely on legitimate interests for a range of operational processes, yet divergent national interpretations create uncertainty. A model LIA would standardise the balancing methodology, support consistent application of 

I would like to see the following templates:

• Data Transfer Impact Assessments
• Data Processing on behalf agreement
• Inter Group Data Transfer Agreement
• SCCs aligned with cross border transfer requirements from other countries/regions 

• Proposal for GDPR Templates to Prevent Misclassification of B2B Communication and Reduce Burden on Micro-Enterprises (PDF)
• Proposal for a Transparency Predictability Template for Minor GDPR Cases MSME-oriented (PDF)
• Template for Documenting Unsubscribe Requests Under Technical Limitations MSME-friendly (PDF)

• DPIA including relevant AI questions and fields (for the cases: internal development, internal development with open source ai models and third party models in cloud). David rosenthal developed a useful starting point called the GAIRA template (including use of AI itself). A lot of organizations small and big are struggling to perform a proper assessment.
• standard AI clauses for incorporation within contracts. From u public perspective there exist clauses https://public-buyers-community.ec.europa.eu/communities/procurement-ai/news/new-version-procurement-clauses-ai-available-supporting-responsible
• guideline on ai training based on legitimate interest. The omnibus defines the possibility to use this ground. But how? Also a distinction between own versus third party. 

Data Retention Policy 

Records of Processing Activities

Privacy Notice

Pharmaceuticals companies operating in France are largely in favour of making template document available for:

• info note, particularly when using a third party to send communications on behalf of the controller ;
• processing registries ;
• common cookie management policy.

And guidance on :

• identifying the data controller in the context of services that involve the use of the service provider's or a third party's database ;
• technical and organisational measures to ensure data security in standard contractual clauses.

Templates in the following areas would be very useful to have an aligned approach especially for companies working in a global environment. 

Data Breach templates 

• Data Breach assessment
• Severity assessment
• Notification to supervisory authority
• Information to data subject

Data Protection Impact Assessment (DPIA)

Legitimate Interest Assessment/Balancing Test (LIA)

Transfer Impact Assessment (TIA)

Privacy Policy 

• For websites
• for employees
• Contract clause for employment contracts dealing with data protection
• Commitment to Data Protection
• For employees
• For suppliers

Consent declaration for different use cases to understand better the first- and second-layer approach.

Record of processing activities with examples

1. Data Retention & Deletion Policy Template (a general template and one tailored for cloud environments)
   Such a template would offer a clear framework for establishing consistent data retention and deletion practices, ensuring compliance with the GDPR.
2. Vendor Risk Assessment Template (a structured checklist for processors and sub-processors)
   Such a template would provide a structured checklist to evaluate and monitor the security and compliance posture of processors and sub-processors. It would help mitigate third-party risks and ensure contractual and regulatory obligations are met.
3. Data Breach Notification Assessment Template
   Such a template would guide through the decision-making process to determine whether a data breach must be reported. Currently the UK’s ICO and the Italian Garante offer self-assessment tools to help organizations evaluate whether they need to report a personal data breach.
   Such a self-assessment could be built into the single-entry EU portal for reporting data breaches envisioned in the Digital Omnibus Regulation Proposal. 
   Also, the EDPB might expand their planned work on a breach notification template to include an initial evaluation step, i.e., assessing whether a notification is required.
4. AI/Automated Decision-Making Assessment Template
   Such a template would provide clarity and assist in evaluating and documenting compliance with Article 22 GDPR.
5. Privacy by Design Implementation Template 
   Such a template would facilitate embedding GDPR principles into SaaS development processes, promoting proactive privacy measures from the outset of product design and development.

Overall, developing and issuing these templates at the EU level would significantly streamline compliance efforts, reduce risks, save time by offering ready-to-use structures, and enhance legal certainty across organizations.

 

VHG Response to the EDPB Consultation

Royal VHG, the Dutch association for gardeners, landscapers and green space managers, welcomes the EDPB’s initiative to develop practical, directly applicable GDPR templates.

The green sector operates under specific conditions that increase the need for clear and accessible formats. Green service providers work almost entirely on site, often on private or restricted premises, regularly processing address and access information (such as gate or alarm codes) and taking photos for quotations, inspections and reports, where houses, licence plates or individuals may appear. The sector also relies on mobile teams, GPS-tracked vehicles, digital planning tools and temporary workers, all of which create distinct GDPR considerations.

Against this background, VHG sees strong value in templates that support proportional, workable compliance for SMEs. The following would be particularly helpful:

1. Privacy notice for on-site service providers – for processing address details, access codes and visual materials during on-site work.
2. Simplified ROPA template – with familiar data categories such as customer information, images, planning/execution data, GPS tracking and temporary labour.
3. Template for agreements with temporary workers, staffing agencies and subcontractors – a compact, uniform format suited to flexible staffing.
4. Template for processing photos and visual material – practical guidance for use during quotations, inspections, maintenance reports and project handovers.
5. Template for informing employees about GPS and time-registration systems – clear explanations of purpose, retention, rights and system use.
6. Internal incident log for non-reportable data breaches – for events such as lost phones or misdirected photos.
7. Controller/processor role matrix – helping organisations determine roles and select the correct contractual basis.
8. Privacy-by-design checklist for new tools – for GPS apps, planning software or camera applications where a DPIA is not required.
9. Data minimisation and retention decision tree – to determine necessity and proportionate retention periods.

VHG emphasises that clear, accessible templates and sector-neutral examples are essential for SME-friendly implementation. We welcome the EDPB’s work on DPIA and breach-notification templates and, together with ELCA, are ready to contribute practical experience to further development.

The dairy sector operates within a complex chain involving multiple actors: from farmers to processors, data service providers, and regulators. This chain requires GDPR compliance that is not only legally sound but also practically feasible. We propose developing sector-specific templates tailored to this reality.

1. Data Processing Register with Chain Roles A standard template that explicitly records roles (framework setter, coordinator, provider, recipient) and data types (milk production, animal health, sustainability indicators). This facilitates demonstrating responsibilities and legal bases (authorization, agreement).
2. Authorizations and Data-Sharing Agreements Sample contracts that ensure transparency and opt-out options between farmers, processors, and data service providers. This prevents ambiguity regarding consent and data use.
3. Checklist for DPIA in the Agro-Food Context Focused on risks when linking sensor data, IoT, and external platforms. Includes mitigation measures such as encryption and pseudonymization.
    
4. Data Breach Notifications with Sector-Specific Fields For example, impact on food safety and traceability, ensuring reports are relevant for both privacy and chain integrity.
    
5. Guidelines for Audit Trails and Transparency Practical instructions to demonstrate which data was used in sustainability reporting, as required by auditors and regulators.

Why is this important? These templates make GDPR compliance achievable and verifiable without overburdening small businesses. The dairy sector can thus meet privacy requirements while fulfilling societal expectations for sustainability and food safety.