GDPR Article 25 - Privacy by Design and by Default Checker
Evaluate your system's compliance with the GDPR Article 25. 8 dimensions checklist, weighted scoring from 0 to 100, top-priority recommendations and downloadable Markdown report. No data sent – pure client-side processing.
What is the GDPR Article 25?
Privacy by design (Article 25, paragraph 1)
Requirement to integrate data protection from the system design phase itself and not as an afterthought. Includes proportionate technical and organizational measures for risk management.
Data Protection by Design and Data Minimisation (Article 25, paragraph 1)
Default settings must ensure that only the necessary data is processed for each purpose. The user should not have to take actions to reduce processing.
Applicable sanctions
Violations of Article 25 fall under Level 2 sanctions: up to €10 million or 2% annual global turnover (the higher value between the two).
Come utilizzare GDPR Art. 25 Checker
Describe the system (optional)
Insert a brief description of the system or treatment being evaluated. Not required but will appear in the final report to contextualize the result.
Respond at 8 dimensions
For each dimension (data minimization, limitation of purpose, data retention, encryption, treatment record, default settings, pseudonymization, DPIA), respond Yes or No based on the actual system state.
Assess conformity
Once all questions have been answered, click "Evaluate Conformity (GDPR Article 25)" to get your score of 0-100, level of compliance and priority recommendations.
Download or copy the report
Export result in Markdown (download or copy to notes) to attach to treatment record or share with Data Protection Officer.
Suggerimenti
- Respond honestly: an optimistic evaluation does not reduce real risk, only the usefulness of recommendations.
- Use Markdown Report as starting point for RoPA required by Art. 30.
- If you also manage AI systems, consider the EU AI Act Companion Tool for broader regulatory coverage.
Domande frequenti
How is the score of 0-100 calculated?
Every dimension has a percentage weight (e.g., data minimization 15pt, encryption 15pt, DPIA 7pt) that sums to 100. A "Yes" assigns the full weight of the dimension, "No" assigns 0 points. The final score is the sum of points earned on all 8 dimensions.
What do compliance levels mean (insufficient, partial, adequate, excellent)?
Score ranges: Inadequate below 40 points, partial between 40-64, adequate between 65-84, excellent from 85 to 100. Lower ranges indicate gaps requiring priority intervention, not necessarily formal violations already established.
Does this checker replace a formal legal assessment or DPIA?
No. It's a quick self-assessment tool to navigate the principles of Article 25 (Privacy by Design and Default). For high-risk treatments, formal DPIA under Art. 35 is still required, with DPAs or legal consultants' opinions sought in doubtful cases.
Are data you enter sent to a server?
No, the tool is completely client-side: evaluation, score calculation, and report generation occur in the browser. No data is sent or stored on external servers.
Why do some dimensions weigh more than others in the score?
Weight reflects the centrality of dimension in Art. 25: data minimization, limitation of purpose, encryption and default privacy settings - each worth 15 points as they are the operational pillars of Privacy by Design/Default, while pseudonymization and DPIA (8 and 7 points) are complementary measures often conditioned on treatment type.