GDPR audit for a business website in PL and DE: checklist 2026

Maciej Rostocki 11 min read Updated 2026-05-12
A business website without a GDPR audit in 2026 carries direct legal and financial risk. In practice, every site with a contact form, Google Analytics, Facebook Pixel, or any cookies at all falls under strict EU requirements. Fines in Poland reach 20 million EUR or 4 percent of global revenue (whichever is higher), and in Germany enforcement is twice as strict as in Poland. This article breaks down a GDPR audit for a business website into concrete checklists for the Polish and German markets.

RODO in PL vs DSGVO in DE: differences in 2026

RODO and DSGVO (Datenschutz-Grundverordnung) are the same EU regulation (GDPR 2016/679). The difference in per-country implementation comes from national implementing acts plus case law from local data protection authorities: UODO (Urząd Ochrony Danych Osobowych) in PL, BfDI (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) plus 16 LfDI (per Bundesland) in DE.

The practical difference: DE is stricter in three dimensions. First, DE has a separate Telemediengesetz (TTDSG) regulating cookies and tracking technologies in more detail than the Polish Prawo telekomunikacyjne. Second, DE has a separate Impressum obligation (Anbieterkennzeichnung) required under TMG paragraph 5: the full company name, address, DE VAT number, register entry, contact details. Third, the federal structure of DE means that enforcement can come from 17 different data protection authorities in parallel.

Penalty practice: in PL in 2024 UODO issued penalties totalling 3.2 million EUR (33 decisions), the largest single one 1.2 million EUR (Morele.net for insufficient security measures). In DE in 2024 federal and state LfDI issued penalties totalling 56 million EUR (188 decisions), the largest single one 35 million EUR (H&M Germany for excessive employee surveillance).

Trend 2024-2026: stronger enforcement in the SMB sector, not only enterprise. UODO in Poland has recently been issuing fines of 5 to 50k PLN to firms with 10 to 50 employees for missing cookie consent or insufficient privacy policies. Earlier practice focused on enterprise (larger fines, more PR value). A pre-emptive audit is cheaper than reactive defence.

Our audit covers compliance against both regimes for clients with DACH and PL operations. For PL-only clients the audit focuses on UODO guidance plus general GDPR. For DE-only clients the audit focuses on BfDI plus relevant LfDI guidance plus TTDSG. A full website audit at our Tier 2 or Tier 3 includes a GDPR compliance section.

Additionally, for clients providing services in the B2B EU sector, the audit covers GDPR art. 26 joint controllership scenarios. If the site uses embedded Google Maps with Driving Directions, Facebook social plugins, or LinkedIn Insight Tag, you automatically enter a joint controllership relationship with the platforms. Our audit identifies joint controllership instances and flags the requirement to sign joint controller agreements.

10 mandatory documents on the site

A business website in the EU must include 10 mandatory GDPR documents or elements. A missing item is a potential finding in a supervisory authority audit and a basis for a fine.

First: privacy policy (Datenschutzerklärung in DE). Required: name of controller, DPO contact details if required, processing purposes, legal bases per purpose, recipient categories, retention periods, user rights (8 rights: access, rectification, erasure, restriction, objection, portability, withdrawal of consent, complaint to the supervisory authority), information about transfers to third countries.

Second: cookie policy plus consent UI. Cookies require consent before loading (NOT pre-checked). The cookie policy contains a list of cookies per category (necessary, functional, analytics, marketing), purpose, duration, third-party origins. The consent UI must allow accept all, reject all, manage preferences per category (NOT only an “accept” button). The Telemediengesetz in DE requires the consent UI to make accept and reject equally prominent.

Third: terms of service. Mandatory for e-commerce (Konsumentenrecht plus Bürgerliches Gesetzbuch in DE, the Civil Code in PL). For a typical business website with a contact form it is good practice, not always mandatory.

Fourth: Impressum (mandatory in DE under TMG paragraph 5). Full company name, address, DE VAT number (USt-IdNr), Handelsregister entry (HRB number), contact details (phone, email), responsible content editor (Verantwortlich nach Paragraph 18). Missing Impressum in DE means an instant Abmahnung (cease-and-desist) with legal cost of 500 to 2000 EUR.

Fifth: a form to exercise user rights (access, rectification, erasure). It can be by contact email plus a dedicated form. We recommend a dedicated form with auto-acknowledge and a 30 day response SLA.

The remaining five: (1) a processor agreement template (Auftragsverarbeitungsvertrag in DE) for every third-party tool processing personal data; (2) a GDPR notice at every point of collection: newsletter signup, form fields, checkout; (3) a mechanism to notify users when the sub-processor list changes (if you update tools); (4) a data breach notification SOP (notification required within 72 hours); (5) Records of Processing Activities (ROPA) as internal documentation.

Critical: ROPA documentation is required even for SMBs (GDPR art. 30), although firms under 250 employees have narrower requirements. We recommend a minimum: a spreadsheet with the list of all processing activities (for example “newsletter signup”, “contact form submission”, “WooCommerce order processing”, “Google Analytics tracking”), per activity: purpose, legal basis, data categories, retention, recipients, transfers, technical measures. Our audit delivers a ROPA template ready for customisation.

Plus DPO designation: GDPR art. 37 requires a Data Protection Officer for: public authorities, core activities involving large scale systematic monitoring, core activities involving large scale processing of special categories. Most SMBs do NOT need a formal DPO, but should designate a responsible contact for GDPR-related queries. The audit verifies that the contact in the privacy policy is current and reachable.

Cookie consent: 4 approaches

The cookie consent UI is the single most visible GDPR compliance element on the site. Four main approaches with different trade-offs.

First: Complianz free plugin (WordPress). Recommended for 95 percent of SMB cases in PL and DE. The free version covers: auto-detection cookie scan, multilingual support, GDPR plus TTDSG plus CCPA compliance modes, integration with Google Consent Mode v2. Setup 30 to 60 minutes. The Pro version (39 EUR per year) adds per-region consent variants and A/B testing on button styles.

Second: CookieYes paid (10 USD per month). Cleaner UX than Complianz, better multilingual handling, daily auto-scan, a cloud-based dashboard with consent analytics. We recommend it for clients with 5+ language versions or high traffic where analytics consent rate matters (DACH B2C 30 to 50 percent consent rate versus B2B 60 to 80 percent).

Third: Cookiebot (Cybot) 7 to 94 USD per month. Enterprise tier, highest compliance certifications (CCPM, IAB TCF, GPC), used by larger organisations (banks, healthcare, public sector). Overkill for a typical business website, justified when a corporate compliance audit is required.

Fourth: custom rolled. NOT recommended unless there are specific requirements (multi-domain consent sync, custom UX for the brand, special data residency). A custom roll requires compliance maintenance updates (Schrems II, TCF updates, new regulator guidance) every quarter, which eats developer time.

A real example from a legal services client: the audit found a cookie consent compliance blocker on the site. The fix was Complianz free plus a configuration scan, 30 minutes. Lesson: even a legal services firm can have a cookie compliance blocker; do not assume “we have compliance” without a concrete audit.

GDPR-friendly tracking trap: Google Consent Mode v2 (from March 2024) requires explicit boolean signals (granted/denied) for 4 consent categories: ad_storage, analytics_storage, ad_user_data, ad_personalization. Missing a proper Consent Mode v2 setup means Google Analytics 4 loses 20 to 40 percent of traffic data after a cookie banner deny click. Our audit verifies the Consent Mode v2 setup in Google Tag Manager plus per-region configuration (EU vs the rest of the world).

Tracking and analytics

Tracking and analytics is the second-biggest GDPR compliance area on a typical site. Four concrete requirements.

Google Analytics 4 requires consent FIRST (before loading the GA script). Google Consent Mode v2 (from March 2024) requires explicit user consent for ad_storage, ad_user_data, ad_personalization, analytics_storage parameters. Without a Consent Mode setup, GA4 loses 20 to 40 percent of traffic data and violates GDPR. IP anonymisation MUST be on, but in GA4 it is the default.
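The Consent Mode v2 default/update flow described here and in the cookie consent section above, as an added example that is not the article's own code. The gtag()/dataLayer shim is the standard Google pattern; EU_REGIONS (a constructed, shortened list), applyBannerChoice() and effectiveConsent() are illustrative assumptions so the resulting consent state can be checked offline.

```javascript
// Added example, not from the article: Consent Mode v2 wiring for a cookie banner.
// gtag()/dataLayer are the standard Google shim; EU_REGIONS, applyBannerChoice()
// and effectiveConsent() are assumptions used to illustrate and check the state.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];
const EU_REGIONS = ['PL', 'DE', 'AT', 'FR']; // constructed; in production list every EEA country

function allSignals(value) {
  return Object.fromEntries(SIGNALS.map((s) => [s, value]));
}

// 1. Defaults must be pushed BEFORE the GTM / GA4 <script> tag is loaded.
//    EU visitors: every signal denied until the banner is answered; wait_for_update
//    gives the consent tool 500 ms to push a stored choice before tags fire.
gtag('consent', 'default', { ...allSignals('denied'), region: EU_REGIONS, wait_for_update: 500 });
//    Everyone else (assumption: no consent law applies there): granted.
gtag('consent', 'default', { ...allSignals('granted') });

// 2. Map the banner's categories onto the four boolean signals and push an update.
//    "marketing" drives the three ad_* signals, "analytics" drives analytics_storage.
function applyBannerChoice(choice) {
  const ads = choice.marketing ? 'granted' : 'denied';
  const update = {
    analytics_storage: choice.analytics ? 'granted' : 'denied',
    ad_storage: ads, ad_user_data: ads, ad_personalization: ads,
  };
  gtag('consent', 'update', update);
  return update;
}

// 3. Resolve the effective state for a visitor in `region` the way Consent Mode does:
//    a region-scoped default beats the global default, and any update beats both.
function effectiveConsent(region) {
  const global = {}, regional = {}, updates = {};
  for (const [cmd, action, params] of dataLayer) {
    if (cmd !== 'consent') continue;
    const target = action === 'update' ? updates : params.region ? regional : global;
    if (params.region && !params.region.includes(region)) continue;
    for (const s of SIGNALS) if (s in params) target[s] = params[s];
  }
  return { ...global, ...regional, ...updates };
}

// GA4 may set its _ga cookie only once analytics_storage is granted; before that
// it is limited to cookieless pings, which is the data loss the article describes.
function analyticsCookiesAllowed(region) {
  return effectiveConsent(region).analytics_storage === 'granted';
}
```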

Server-side GTM as an optimisation: reduces the number of third-party scripts running in the browser from 8 to 15 down to 1 to 2, which both improves performance (INP, LCP) and gives more control over the data sent to Google. We recommend server-side GTM for clients with 50k+ monthly visits, where analytics quality matters.

Plausible Analytics and Fathom as alternatives to GA4: pseudonymous EU compliant analytics without a consent requirement. Price 9 to 19 USD per month. We recommend Plausible for clients who want to avoid cookie consent overhead and accept less granular data than GA4.

The Facebook Pixel (Meta Pixel) is the highest risk. The risk stems from Schrems II implications, aggressive data collection, and poor execution of Standard Contractual Clauses. We recommend: if Meta Pixel is critical to performance marketing, use a server-side approach (Facebook Conversions API) instead of a client-side Pixel, plus explicit consent with the TCF 2.2 framework.

Forms and contact: GDPR checklist

Every form on the site collects personal data and is subject to GDPR. A 5 point checklist for every form.

First: explicit consent checkbox (NOT pre-checked) for every specific purpose. “I consent to data processing” is not enough; it must be per purpose: contact response, marketing newsletter, third-party data sharing. Bundling consents is a GDPR violation (granularity requirement).

Second: pre-submit info about: processing purpose, legal basis (contract, consent, legitimate interest), retention, recipients (a list of third party tools), 8 user rights, link to the full privacy policy. It can be an expandable section under the form.

Third: explicitly stated legal basis. For a typical contact form: art. 6(1)(a) GDPR consent for newsletter, art. 6(1)(b) execution of contract for an offer request, art. 6(1)(f) legitimate interest for follow-up communications. The audit verifies that the basis is documented in the policy.

Fourth: processor agreement with the form provider (Brevo, Mailchimp, ActiveCampaign, HubSpot). All major providers offer a standard DPA template to sign. Without a signed DPA with the provider the firm becomes a joint controller, which raises exposure.

Fifth: auto-acknowledge email after submit with a confirmation of what was collected and a link to exercise rights. Helps demonstrate compliance plus gives the user immediate confirmation that submission went through.

Storage and transfers outside the EU

Data transfers outside the EU are the most complex GDPR area post-Schrems II (Court of Justice 2020). US-based tools require Standard Contractual Clauses (SCC) plus supplementary measures.

Microsoft 365 and Google Workspace: both offer SCC in EU data residency configurations. Our audit verifies that SCC are signed plus that data residency is configured to EU regions (Frankfurt, Dublin, Warsaw instead of US Central).

Brevo (formerly Sendinblue), Mailchimp, ConvertKit: most offer an EU servers option or SCC plus an EU sub-processor list. We default to Brevo for EU clients for full EU data residency without a US transfer.

OpenAI API, Anthropic API, ChatGPT (as tools): if you use them in a business workflow processing customer data, pre-check the legal basis plus a signed DPA. OpenAI Enterprise offers EU data residency plus zero retention plus a signed DPA. For our AI Assistant V0.1 clients: zero retention default, client data not used for training, EU region API endpoints.

The Anthropic Claude API holds a similar standard: zero retention on API calls, data not used for training, EU region support, signed DPA on request. Anthropic plus OpenAI together cover roughly 95 percent of LLM use cases in typical AI Assistant V0.1 deployments. The audit for AI-enabled sites checks whether the DPA with the LLM provider is signed plus whether the configuration uses EU regions.

GDPR audit deliverable

The GDPR audit deliverable is structured the same way as our other audits: a PDF report with findings, prioritisation, fix recommendations.

Findings are categorised: cookie consent (typically 3 to 7 findings), forms (typically 2 to 5), tracking (typically 4 to 8), documents (typically 3 to 5 missing), transfers (typically 2 to 4), processor agreements (typically 5 to 12). Plus priority P0 (legal blocker), P1 (significant exposure), P2 (minor), P3 (best practice).

A list of third party tools with compliance status: per tool, whether SCC is signed, whether EU data residency is configured, and when the last documentation review happened. Helps understand the risk landscape.

Recommended fixes per finding with a concrete implementation plan: plugin to install (Complianz, CookieYes), privacy policy template to customise, processor agreement templates, server-side GTM setup guide.

Plus optionally: 1 hour consulting call with a legal advisor if the client does not have one (we collaborate with 2 legal firms in Szczecin and Warsaw specialised in GDPR). Plus 30 days email support for follow-up questions on specific findings.

A critical practical observation from 30+ GDPR audits we have run: most firms think they have compliance because “a privacy policy template from an online generator landed 3 years ago”. In practice: 80 percent of sites have at least 3 to 5 P1 findings, 50 percent have at least 1 P0 finding (a compliance blocker). A real audit costs 1500 to 3000 PLN, and fixing all findings typically takes 2 to 6 extra hours of work. Compare this with an expert legal opinion plus drafted documents from a law firm at 5000 to 15000 PLN. The audit is the most efficient form of pre-emptive compliance for SMBs.

FAQ

I only have an email contact form, do I need a full policy?

Yes. Email is personal data under GDPR. Every site collecting email (newsletter signup, contact form, lead magnet download) requires: a privacy policy accessible from the footer, an explicit consent checkbox if newsletter, a processor agreement with the form/email provider.

CookieYes vs Complianz, which is better?

Complianz free covers 95 percent of SMB use cases in PL and DE. CookieYes has cleaner UX and better multilingual handling, but costs 10 USD per month. We default to Complianz for budgets up to 100 EUR per month, CookieYes for high-traffic sites or multilingual sites with 5+ languages where consent rate optimisation matters.

Is double opt-in mandatory for email marketing?

Yes in PL and DE. Single opt-in (user enters email, automatically subscribed) is a GDPR violation. Double opt-in (user enters email, receives a confirmation email with a link, clicks the link to confirm subscription) is the standard. All major email tools (Brevo, Mailchimp, ConvertKit) support double opt-in by default.

What does a GDPR audit cost?

1500 to 3000 PLN for a typical SMB site in PL. Our Tier 2 (1500 PLN) includes a basic GDPR audit as part of a broader audit. A dedicated GDPR audit (2000 to 2500 PLN) is a deeper dive with a review of all third party tools, processor agreements and Records of Processing Activities.

If you want a GDPR audit for your site, drop us a line with the page URL plus information about the markets (PL only, DACH, EU other). Standard turnaround 5 to 7 business days. For projects with a deadline (a new site launch or a data breach incident), please give early notice. For clients with DACH operations we additionally verify compliance with Telemediengesetz (TTDSG) plus Bundesdatenschutzgesetz (BDSG) as a delta on top of the general GDPR baseline. A standard PL plus DE compliance audit bundle costs 2500 to 3500 PLN depending on scope.
