euro-toolhub.eu

Last checked: 12. Juli 2026

Choosing GDPR-compliant software: the practical guide with checklist

What to look for when choosing privacy-friendly software – with a seven-point checklist, the key GDPR terms, DPA, third-country transfer and concrete pointers per tool category.

By the Euro Toolhub editorial team · editorially reviewed

"GDPR-compliant software" is one of the most common search terms when choosing tools – and one of the most misunderstood. Because no tool is "GDPR-compliant" in itself: responsibility for compliance always stays with your organisation, and whether a tool is used lawfully depends largely on how you configure and use it. What a provider can deliver is the foundation – EU data processing, a data processing agreement, documented security measures and support for data subject rights.

This guide shows in practical terms what to look for: with a checklist, the key terms and concrete pointers per tool category. It is editorial guidance, not legal advice; if in doubt, seek a legal review. If you specifically want to replace US tools, our guide Replacing US software complements this article.

The essentials in brief

  • No tool is "GDPR-compliant per se". Your organisation stays responsible; the provider supplies the foundation.
  • The key building blocks: EU data processing, a data processing agreement (DPA), documented TOMs, support for data subject rights.
  • The most common sticking point is third-country transfer (especially to the US) – here headquarters and ownership matter, not just the server location.
  • Use the seven-point checklist to pre-sort providers quickly.
  • Beware "GDPR-compliant" as a pure marketing label without a DPA, sub-processor list and stated server location.

What "GDPR-compliant" really means – and what it does not

The General Data Protection Regulation (GDPR) governs how personal data may be processed in the EU. Crucially, the "controller" is the organisation that decides on the purposes and means of processing – usually your company, not the software provider. That is why "this tool is 100% GDPR-compliant" is misleading. Compliance is not a product feature but the result of a suitable tool, correct configuration and lawful use.

What a good provider contributes are the prerequisites: processing within the EU, a solid data processing agreement, transparent sub-processors, documented security measures and features with which you can fulfil data subject rights. These are exactly the building blocks you can check when selecting – and that is what this guide is about.

Key GDPR terms explained briefly

TermMeaning
ControllerWho decides on the purposes and means of processing – usually your organisation.
ProcessorA service provider that processes data on your behalf (e.g. a SaaS provider).
DPAData processing agreement under Art. 28 GDPR – governs the provider's obligations.
Sub-processorA further service provider the provider engages (e.g. for hosting or email sending).
TOMsTechnical and organisational measures to protect the data (Art. 32).
Legal basisThe ground a processing rests on (consent, contract, legitimate interest …).
Third countryA country outside the EU/EEA without an automatically equivalent level of protection.

Every processing of personal data needs a legal basis under Art. 6 GDPR. Choosing the right basis is your task – but it influences which tool features you need. The most common bases are:

  • Consent – freely given, informed and revocable. Relevant for newsletters (double opt-in) or non-essential tracking. Your tool should obtain and document consent cleanly.
  • Performance of a contract – when processing is necessary to fulfil a contract (e.g. customer data in a CRM for order handling).
  • Legitimate interest – after a balancing test, e.g. for audience measurement with data-minimising means. A tool you can configure to minimise data helps here.

A tool that makes the right basis easier for you (e.g. cookieless analytics or clean consent management) saves a lot of effort day to day.

Do you need a data processing agreement (DPA)?

As soon as a provider processes personal data on your behalf – and most SaaS tools do – you need a data processing agreement (DPA) under Art. 28 GDPR. It defines what the provider may do with the data, which security measures apply, which sub-processors are involved and how deletion and data subject rights are handled.

In practice: a reputable provider makes a DPA available that you can conclude easily – often directly in the account or as a standard document. If there is no DPA or it is hard to obtain, that is a clear warning sign. Also check whether the agreement names the sub-processors actually used and whether changes to the sub-processor list are announced.

Controller, processor or joint controllers?

Not every setup is a classic processing-on-behalf arrangement. Sometimes two parties process data for joint purposes – then joint controllership (Art. 26 GDPR) applies and requires its own agreement. Certain marketing or tracking services are a typical example. Before rolling out, clarify in which role the provider acts – that determines which contracts you need and who bears which obligations.

Third-country transfer: the core problem

The most common stumbling block is transferring personal data to third countries – above all the US. Three terms help with the classification:

  • Schrems II (2020): the Court of Justice ties transfers to the US to strict conditions. Pure EU processing avoids this risk from the outset.
  • US CLOUD Act: US providers can be compelled to hand over data – regardless of whether the servers are in Europe. That is why ownership structure matters, not just location.
  • EU-US Data Privacy Framework (2023) and Standard Contractual Clauses (SCCs): they create transfer mechanisms whose long-term robustness is still debated.

The pragmatic consequence: to minimise transfer risks, choose a provider with headquarters and data processing in the EU/EEA. Why the server location alone is not enough is explored in EU hosting vs. US hosting.

The selection checklist

The following checklist helps to pre-sort providers quickly. The more points are met, the more solid the foundation for a compliant deployment.

GDPR checklist for choosing tools: provider in the EU, EU data processing, DPA, sub-processor list, TOMs, data subject rights, data minimisation.
GDPR checklist for choosing tools: provider in the EU, EU data processing, DPA, sub-processor list, TOMs, data subject rights, data minimisation.
CriterionWhy it mattersWhat to look for
Provider locationDetermines applicable lawEU/EEA, not just server location
Data locationReduces transfer risksprocessing in the EU
DPAMandatory for processing on behalfeasy to conclude, Art. 28-compliant
Sub-processorsData passed on in the backgroundpublic list, ideally EU-based
TOMsProtection against data lossISO/IEC 27001, encryption
Data subject rightsObligation towards usersexport and deletion functions
Data minimisationCore GDPR principleonly necessary data, configurable

Technical and organisational measures (TOMs)

Under Art. 32 GDPR, personal data must be protected by appropriate technical and organisational measures. When selecting a provider, check whether and how these are documented:

  • Encryption in transit (TLS) and at rest; ideally end-to-end where sensible.
  • Access control with roles, permissions and – for teams – single sign-on.
  • Certifications such as ISO/IEC 27001 as evidence of a security management system.
  • Backups and recovery plus a documented approach to data breaches.
  • Deletion concepts and defined retention periods.

A provider that describes its TOMs transparently makes your own documentation duty much easier.

Data subject rights: what a tool should be able to do

The GDPR gives individuals far-reaching rights – and your organisation must be able to fulfil them. A good tool supports you technically:

  • Access and data export – provide a person's data on request (also for data portability).
  • Rectification – correct records.
  • Erasure – remove data completely, including backups after retention expiry.
  • Restriction and objection – stop or limit processing.

Make sure these actions can actually be carried out in the tool and are not only possible "on request by email".

When a data protection impact assessment (DPIA) is needed

For processing likely to result in a high risk to the rights of individuals, Art. 35 GDPR requires a data protection impact assessment – for example extensive profiling, processing of especially sensitive data or systematic monitoring. For tool selection this means: check early whether your planned use falls into this category. A provider with transparent TOMs, a clear sub-processor list and EU data processing makes such an assessment considerably easier.

Your documentation duties

Even with the best tool, obligations remain with you. The most important are:

  • Record of processing activities (RoPA) under Art. 30 GDPR – an overview of all processing with purposes, data categories, recipients and deletion periods. Every new tool belongs here.
  • DPA filing – keep data processing agreements and the current sub-processor list in order.
  • TOM documentation – record your providers' (and your own) technical and organisational measures traceably.
  • Evidence of legal bases and consents – especially for newsletters and tracking.

A provider that transparently supplies RoPA-relevant details (data categories, sub-processors, location) saves you a lot of work and makes audits easier.

Do you need a data protection officer?

Whether a data protection officer (DPO) is mandatory depends on your activity – for example extensive processing of especially sensitive data or systematic monitoring (Art. 37 GDPR); national rules may apply on top. Regardless of the obligation, it pays to build data protection into tool selection early: considering the requirements from the start avoids expensive rework and migrations. The selection criteria in this guide help both with and without a designated DPO.

Five steps to a privacy-friendly choice

1. Clarify purpose and data – which personal data do you process, and on which legal basis? 2. Derive requirements – do you need EU data residency, encryption, specific certifications? 3. Pre-sort providers – with the seven-point checklist and our sovereignty score. 4. Check contracts – conclude the DPA, review sub-processors and transfer mechanisms. 5. Configure cleanly – enable data minimisation, set up data subject rights processes, document.

Category checks: what to look for per tool type

Depending on the software type, the focus differs:

You will find all categories at categories.

Common mistakes when choosing tools

  • Trusting the marketing label. "GDPR-compliant" without a DPA, sub-processor list and server location says little.
  • Only checking the server location. The provider's headquarters and ownership matter just as much.
  • Forgetting the DPA. Without a data processing agreement, the legal basis is missing.
  • Overlooking data subject rights. Export and deletion must be practically feasible.
  • Ignoring data minimisation. Collect and enable only what you really need.

How we rate providers

We assess every provider against fixed criteria – location, data processing, sub-processors, certifications, open source – and summarise them in a sovereignty score with a confidence level. The score does not replace your own data protection review, but it helps to classify providers quickly and compare candidates.

Frequently asked questions

Does the GDPR also apply to small companies and associations?

Yes. The GDPR applies regardless of size as soon as personal data is processed – including sole traders, associations and freelancers. Individual obligations (such as a designated DPO) depend on the scope and nature of processing, but the core principles apply to everyone.

Is there "100% GDPR-compliant" software?

No, at least not as a pure product feature. Compliance results from the interplay of a suitable tool, correct configuration and lawful use. A provider can supply the foundation; responsibility stays with your organisation.

Is a DPA enough for GDPR compliance?

A DPA is necessary but not sufficient. It governs processing on your behalf, but it replaces neither a legal basis for the processing nor appropriate TOMs or the fulfilment of data subject rights.

Is US software generally impermissible?

No. But it comes with additional requirements and risks, especially for third-country transfers. For sensitive data, European providers with EU data processing are the lower-risk choice.

What are TOMs?

Technical and organisational measures under Art. 32 GDPR – such as encryption, access control, backups and deletion concepts. They protect data against loss and unauthorised access.

Do I have to implement data subject rights technically?

Your organisation must be able to fulfil data subject rights. A tool that offers export and deletion functions makes this much easier than manual processes by email.

How often should I review my tools from a data protection perspective?

Regularly and as needed: at least once a year, and whenever a provider changes its sub-processors, server location, ownership structure or feature scope. A short annual review of your record of processing activities keeps the documentation current.

How do I recognise fake solutions?

By contradictions: "European" but a US parent company; "GDPR-compliant" but no DPA; "secure" but no documented TOMs. Check headquarters, ownership, sub-processors and contracts.

Next step

The fastest way forward is our EU Stack Check: select your current tools, get matching European alternatives. For the complete switch, the guide Replacing US software helps.

This article is editorial guidance, not legal advice. In critical cases, a data protection review should be carried out.

The Sovereignty Score is an editorial orientation aid, not legal advice. How we rate.