Skip to main content

System description

Describe briefly the system or treatment to be evaluated (optional - will appear in the report).

Evaluation of the 8 dimensions Article 25

0/8 Complete
Minimizzazione dei datiArt. 25(1) + Art. 5(1)(c)
15pt

Il sistema raccoglie solo i dati strettamente necessari alla finalità dichiarata.

Limitazione della finalitàArt. 5(1)(b) + Art. 25(1)
15pt

I dati sono usati esclusivamente per la finalità per cui sono stati raccolti, senza usi secondari non autorizzati.

Limitazione della conservazioneArt. 5(1)(e) + Art. 25(1)
12pt

Esiste una retention policy documentata con termini massimi di conservazione per ogni categoria di dati.

Integrità e riservatezzaArt. 5(1)(f) + Art. 25(1) + Art. 32
15pt

I dati sono cifrati sia a riposo (AES-256) sia in transito (TLS 1.2+). Gli accessi sono tracciati.

Accountability e registro trattamentiArt. 24 + Art. 25(1) + Art. 30
13pt

Il titolare mantiene un Registro dei Trattamenti (RoPA) aggiornato ex Art. 30 GDPR.

Impostazioni predefinite privacy-friendlyArt. 25(2)
15pt

Le impostazioni di default garantiscono il minimo trattamento necessario senza azione dell'utente.

Pseudonimizzazione o anonimizzazioneArt. 25(1) + Considerando 78
8pt

I dati personali sono pseudonimizzati o anonimizzati dove tecnicamente feasible, riducendo il rischio in caso di breach.

Valutazione d'impatto (DPIA)Art. 35 + Art. 25(1)
7pt

È stata condotta una DPIA (Data Protection Impact Assessment) per i trattamenti ad alto rischio.

Answer all questions to enable evaluation.

What is the GDPR Article 25?

Privacy by design (Article 25, paragraph 1)

Requirement to integrate data protection from the system design phase itself and not as an afterthought. Includes proportionate technical and organizational measures for risk management.

Data Protection by Design and Data Minimisation (Article 25, paragraph 1)

Default settings must ensure that only the necessary data is processed for each purpose. The user should not have to take actions to reduce processing.

Applicable sanctions

Violations of Article 25 fall under Level 2 sanctions: up to €10 million or 2% annual global turnover (the higher value between the two).

Come utilizzare GDPR Art. 25 Checker

Describe the system (optional)

Insert a brief description of the system or treatment being evaluated. Not required but will appear in the final report to contextualize the result.

Respond at 8 dimensions

For each dimension (data minimization, limitation of purpose, data retention, encryption, treatment record, default settings, pseudonymization, DPIA), respond Yes or No based on the actual system state.

Assess conformity

Once all questions have been answered, click "Evaluate Conformity (GDPR Article 25)" to get your score of 0-100, level of compliance and priority recommendations.

Download or copy the report

Export result in Markdown (download or copy to notes) to attach to treatment record or share with Data Protection Officer.

Suggerimenti

  • Respond honestly: an optimistic evaluation does not reduce real risk, only the usefulness of recommendations.
  • Use Markdown Report as starting point for RoPA required by Art. 30.
  • If you also manage AI systems, consider the EU AI Act Companion Tool for broader regulatory coverage.

Domande frequenti

How is the score of 0-100 calculated?

Every dimension has a percentage weight (e.g., data minimization 15pt, encryption 15pt, DPIA 7pt) that sums to 100. A "Yes" assigns the full weight of the dimension, "No" assigns 0 points. The final score is the sum of points earned on all 8 dimensions.

What do compliance levels mean (insufficient, partial, adequate, excellent)?

Score ranges: Inadequate below 40 points, partial between 40-64, adequate between 65-84, excellent from 85 to 100. Lower ranges indicate gaps requiring priority intervention, not necessarily formal violations already established.

Does this checker replace a formal legal assessment or DPIA?

No. It's a quick self-assessment tool to navigate the principles of Article 25 (Privacy by Design and Default). For high-risk treatments, formal DPIA under Art. 35 is still required, with DPAs or legal consultants' opinions sought in doubtful cases.

Are data you enter sent to a server?

No, the tool is completely client-side: evaluation, score calculation, and report generation occur in the browser. No data is sent or stored on external servers.

Why do some dimensions weigh more than others in the score?

Weight reflects the centrality of dimension in Art. 25: data minimization, limitation of purpose, encryption and default privacy settings - each worth 15 points as they are the operational pillars of Privacy by Design/Default, while pseudonymization and DPIA (8 and 7 points) are complementary measures often conditioned on treatment type.