GDPR preparation for working with the EU: data map, privacy documents, contracts with contractors, data transfers, and processes for passing client audits.
GDPR is not "about pieces of paper", but about trust, speed of deals, and business readiness for client requirements. When there are gaps in privacy or data security, a contract can be stopped, complicated with additional requirements, or its terms revised.
We help turn GDPR from a potential obstacle for deals into an understandable system that strengthens trust in the business. You receive documents and processes that help you pass partner checks faster, answer GDPR questionnaires, work more confidently with contractors, and reduce the risk of delays, additional requirements, or revision of contract terms.
We support technological and international businesses for which personal data is a part of the product, sales, or operational model. At the consultation, we will identify critical gaps and form a priority action plan — from basic documents to preparation for due diligence, requirements of banks, PSPs, or investors.
Includes an initial risk assessment, Privacy Policy, Cookie Policy, recommendations for a cookie banner, a DPA template, and a lawyer's consultation. A basic set for launching a website, MVP, or a simple e-commerce project.
Includes a GDPR audit, data map, and RoPA, Privacy Policy, Cookie Policy, DPA, and vendor clauses. Also — DSAR procedures and incident response, retention matrix, risk memo, and a workshop for the team.
Includes an extended audit and a full map of data flows, internal policies, and documents for the team. SCC if necessary, DPIA screening and one DPIA, risk matrix, roadmap for 3–6 months, and two workshops.
small business, landing pages, MVP, simple e-commerce projects
minimum set of documents and basic risk map
GDPR Business
from 2,500 EUR
15-20 w.d.
SaaS, e-commerce, marketplaces, IT companies, agencies
working GDPR package for partners, investors, banks, and PSPs
GDPR Pro / Investor Ready
from 5,000 EUR
25-35 w.d.
FinTech, HealthTech, EdTech, AI/ML, HR-tech, projects with due diligence
full-fledged GDPR system with risk matrix and roadmap
Package 1 — GDPR Start
Price: from 900 EUR | Term: 7–10 working days
For whom: small business, websites, landing pages, simple e-commerce projects, MVP, services without complex processing of personal data and without a significant volume of users from the EU.
More about the package
Block
What we do
Result for the client
Initial checklist
Checking the business model, website or product, and basic data collection points.
Understanding the minimum level of GDPR risk.
Privacy Policy
Preparation of a basic privacy policy for the website or product.
A document for publication on the website or in the application.
Cookie Policy
Basic policy for cookies and tracking technologies.
Clear description of the use of cookies.
Cookie banner
Recommendations on the structure of the cookie banner without technical setup.
Understanding of how the banner should look legally.
DPA template
Data Processing Agreement template for contractors and processors.
A basic contractual tool.
Consultation
One consultation up to 60 minutes.
Analysis of the client’s questions and next steps.
Result: the client receives a minimum set of documents and an understanding of basic risks. The package is suitable for a quick start but does not cover complex data processing operations.
Not included: deep audit of processes, DPIA, TIA, cross-border transfers, negotiations with counterparties, technical setup of a cookie banner.
Package 2 — GDPR Business
Price: from 2,500 EUR | Term: 15–20 working days
For whom: SaaS, e-commerce, marketplaces, IT companies, agencies, companies with clients or users from the EU that need not just a set of documents, but an understandable compliance structure.
More about the package
Block
What we do
Result for the client
GDPR audit
Analysis of the business model, data flows, and main risk points.
A working picture of where and why data is processed.
Roles mapping
Defining the roles of controller / processor / joint controller.
Understanding contractual and regulatory responsibility.
Data map
Map of personal data processing.
The basis for internal processes and negotiations with counterparties.
RoPA
Record of Processing Activities.
Basic register of processing operations.
Core documents
Privacy Policy, Cookie Policy, Data Processing Agreement.
Main set of external documents.
Vendor clauses
Basic contractual clauses for contractors and processors.
Protection in contracts with suppliers.
DSAR procedure
Procedure for processing data subject requests.
Procedure for responding to access / deletion / portability / objection requests.
Data breach procedure
Incident response procedure.
Algorithm of actions in case of a leak or security breach.
Retention matrix
Data retention period matrix.
Control over data storage and deletion.
Risk memo
A brief memorandum on key legal risks.
Clear risk map for management.
Workshop
One internal call or workshop up to 90 minutes.
Transfer of logic to the client’s team.
Result: the client receives a working GDPR package that can be shown to partners, investors, banks, payment providers, and large counterparties.
Not included: DPIA, TIA, EU representative, DPO-as-a-Service, local opinion of a lawyer from a specific EU country.
Package 3 — GDPR Pro / Investor Ready
Price: from 5,000 EUR | Term: 25–35 working days
For whom: companies with active sales in the EU, FinTech, HealthTech, EdTech, AI/ML, HR-tech, marketplaces, services with a large volume of user data or preparation for due diligence.
More about the package
Block
What we do
Result for the client
Extended audit
Extended GDPR audit and interviews with key team members.
A real picture of processes, not “policies for the sake of policies”.
Data flows
Full map of data flows and key systems.
Understanding the data route inside and outside the company.
RoPA
Record of Processing Activities.
Formalized register of processing operations.
Core documents
Privacy Policy, Cookie Policy, Data Processing Agreement.
External compliance set.
Vendor DPA
Vendor Data Protection Addendum.
Control over contractors and processors.
Transfers
SCC template or transfer clauses if necessary.
Base for non-EEA data transfers.
DPIA screening
Assessment of the need for a DPIA.
Understanding high-risk processing.
DPIA
One DPIA for one key process.
Documented risk assessment regarding a critical process.
Policies
Data breach procedure, DSAR procedure, retention policy, internal data protection policy.
Internal procedure for working with data.
Employees
Employee privacy notice.
Document for staff and contractors.
Security checklist
Basic technical and organisational measures checklist.
Basic legal + security bundle.
Risk matrix
GDPR risk matrix.
Prioritization of risks.
Roadmap
Compliance roadmap for 3–6 months.
Step-by-step implementation plan.
Workshops
Two consultations or workshops for the team.
Transfer of the model to the client.
Result: the client receives not just documents, but a full-fledged GDPR system suitable for due diligence, working with large partners, investors, and international counterparties.
Not included: official appointment of a DPO, continuous support, local registrations or communication with the supervisory authority, technical implementation of IT solutions.
Comparison of GDPR Packages
What is included
GDPR Start
GDPR Business
GDPR Pro / Investor Ready
Cost
from 900 €
from 2,500 €
from 5,000 €
Estimated term
7–10 working days
15–20 working days
25–35 working days
Who it suits
Landing pages, MVP, small websites, simple e-commerce projects.
SaaS, e-commerce, marketplaces, IT companies, agencies.
FinTech, HealthTech, EdTech, AI/ML, HR-tech, projects with due diligence.
Business model and risk assessment
Basic checklist
GDPR audit
Extended audit and interview with the team
Data map / data flows
—
✓
Full map of data flows
Privacy Policy and Cookie Policy
✓
✓
✓
Cookie banner
Legal recommendations
Legal recommendations
Legal recommendations
DPA and documents for contractors
DPA template
DPA + vendor clauses
DPA + Vendor DPA
RoPA — register of data processing
—
✓
✓
DSAR procedure
—
✓
✓
Data breach response procedure
—
✓
✓
Retention policy / matrix
—
✓
✓
International data transfers
—
—
SCC / transfer clauses if necessary
DPIA
—
—
DPIA screening + 1 DPIA
Internal policies and documents for staff
—
Basic procedures
Internal policy + Employee Privacy Notice
Risk memo / risk matrix / roadmap
Basic recommendations
Risk memo
Risk matrix + roadmap for 3–6 months
Consultations / workshops
1 consultation up to 60 min.
1 workshop up to 90 min.
2 consultations / workshops
Prices for additional services
DPIA for a specific process
for high-risk processing / sensitive data / profiling
We will check what documents and processes are missing and help prepare for a client request, GDPR questionnaire, DPA, or partner audit — without the chaotic creation of policies right before a deadline.
Specializes in GDPR, personal data protection, and legal support of technological and international projects. Helps businesses prepare privacy documents, DPAs, processes for working with contractors, international data transfers, and materials for due diligence.
When GDPR may apply even if you are not in the EU
GDPR may apply to a business outside the EU if it offers goods or services to people in the EU or monitors their behavior. What matters is not only the country of company registration but the actual operational model with the European audience.
You offer goods or services in the EU: for example, SaaS, a mobile application, e-commerce, a subscription, or an online service.
You track user behavior: through analytics, profiling, cookies, advertising identifiers, SDKs, or other tracking tools.
Quick self-assessment
Do you have clients or users from the EU?
Does the website or application have prices in euros, delivery to the EU, or localization in the languages of EU countries?
Do you use cookies, SDKs, analytics, advertising, or profiling?
If the answer is “yes” to at least one question, this is a reason to conduct an assessment of GDPR applicability. One indicator does not always mean automatic application of the Regulation, but ignoring it is already risky.
What most often stops deals and GDPR checks
In practice, problems arise not because of the absence of a single document, but because of a gap between policies, contracts, and the actual business processes.
No data map: it is unclear what data is collected, why, where it is stored, and to whom it is transferred.
Undefined roles: the company does not understand when it is a controller, processor, or joint controller.
Absence of DPA or other contractual terms: with cloud services, CRM, analytics, support, payment providers, and other contractors.
Unregulated data transfers: personal data is transferred outside the EU/EEA without a proper mechanism or risk assessment.
No DSAR process: the team does not know how to respond to requests regarding access, deletion, portability, or objection to data processing.
No incident scenario: there is no clear course of action in the event of a leak or data security breach.
Roles: controller, processor, and joint controller
A correctly defined role is the basis for contracts, policies, responsibility, and the architecture of GDPR documents.
Controller: determines why and how personal data is processed.
Processor: processes data on behalf of the controller and according to its instructions.
Joint controllers: two or more parties jointly determine the purposes and key means of data processing.
Example for SaaS
If a client uploads the contacts of their users into your service, the client is often the controller, and the SaaS company is the processor.
If you collect user data for your own marketing, analytics, or sales, you usually act as a controller.
Practical framework for GDPR preparation: 10 directions
Data mapping. We determine what data is processed, where it comes from, where it is stored, and to whom it is transferred.
RoPA. If necessary, we prepare or update the register of processing operations: purposes, data categories, retention periods, recipients, transfers, and security measures.
Lawful basis. We define the legal basis for each key process: contract, legal obligation, legitimate interest, consent, etc.
Transparency. We prepare a Privacy Notice, Cookie Notice, and other documents explaining to the user exactly how data processing works.
Cookie and tracking management. We check the banner, consent logic, and the use of analytical or advertising tools.
Vendors and contracts. We prepare DPAs, vendor clauses, and other contractual mechanisms for working with contractors and processors.
Data subject rights. We build a DSAR process and response templates to typical user requests.
Security and incidents. We form basic rules for access, incident response, and internal escalation logic.
DPIA. We assess whether a specific process requires a Data Protection Impact Assessment due to a high risk to the rights and freedoms of users.
Data transfers. We analyze transfers outside the EU/EEA and determine the appropriate mechanism: adequacy decision, SCC, DPF, or other safeguards depending on the situation.
Data transfers: SCC, DPF, and TIA
If personal data is transferred outside the EU/EEA, it is necessary to assess the data route, the recipient, and the legal transfer mechanism.
Adequacy decision: for individual countries or mechanisms recognized by the European Commission as providing an adequate level of protection.
EU–US Data Privacy Framework: can apply to American companies participating in the Framework.
Standard Contractual Clauses: are used when there is no corresponding adequacy mechanism for the transfer.
Transfer Impact Assessment: helps to assess the risks of a specific transfer and the need for additional protection measures.
Documents without a real process do not solve the problem. If data is actually transferred via CRM, cloud, analytics, or support services, this must be reflected in the data map, contracts, and internal procedures.
Fines and commercial risks
For certain GDPR violations, administrative fines of up to 20 million euros or 4% of total worldwide annual turnover of the preceding financial year can be applied — whichever is higher.
For business, the practical risk often arises earlier: a check from a client, bank, PSP, investor, or a large counterparty can delay the deal, increase the volume of legal requests, or change the terms of cooperation.
How Prikhodko & Partners helps
We analyze actual processes of working with personal data and prepare documents and procedures that can be used in work with clients, contractors, and during audits.
Audit and data map: sources, systems, vendors, transfers, and key risks.
Roles and contracts: controller / processor, DPA, and terms for contractors and sub-processors.
Policies and internal processes: Privacy Notice, Cookie Notice, retention, DSAR, and incident response.
Complex cases: SCC / DPF, international transfers, and DPIA — if necessary.
GDPR is like a seat belt: it seems unnecessary exactly until the first sudden braking. It is better to have your own, rather than one imposed by the client’s lawyer right when the deal is “almost signed”.
Frequently asked questions
Does GDPR apply to a Ukrainian company?
GDPR can apply to a business outside the EU if the company offers goods or services to people in the EU or tracks their behavior through analytics, cookies, advertising tools, SDKs, or profiling. The final assessment depends on the actual operational model, the audience, and data processing processes.
What documents are required for basic GDPR preparation?
For a website, MVP, or simple e-commerce project, usually required are a Privacy Policy, Cookie Policy, legally correct cookie banner logic, a basic DPA template for contractors, and an initial risk assessment. For an operational business, the list is supplemented with a data map, RoPA, DSAR procedure, retention policy, and an incident response plan.
How does a DPA differ from SCC?
A DPA regulates the relationship between a company and a contractor processing personal data on its behalf. SCCs are used as one of the mechanisms for transferring personal data outside the EU / EEA. In some projects, both documents may be required.
When does a company need DPIA and TIA?
A DPIA may be required for processes with a high risk to the rights and freedoms of individuals, particularly when working with sensitive data, profiling, or large-scale data processing. A TIA is used to assess the risks of international data transfer, particularly when working with suppliers outside the EU / EEA.
Can you just use ready-made GDPR templates?
Ready-made templates can be a starting point, but in themselves, they do not create GDPR compliance. Documents must match the actual processes of the company, the composition of vendors, the role of the business as a controller or processor, methods of data collection, and international transfers.
We work Monday - Friday from 9:30 to 18:00. If you leave a request after 18:00 on weekdays - we will contact you the next business day starting at 9:30.