EU Regulation 2016/679 (GDPR) + CCPA/CPRA — any US organization processing personal data of EU residents OR California residents is subject to documented compliance obligations.

GDPR + CCPA/CPRA Documentation Package — Privacy Compliance for US Companies

Build your enforceable privacy compliance dossier in weeks, not months.

  • 118 documents built article by article
  • Full mapping GDPR (EU 2016/679) + CCPA/CPRA + state US privacy laws
  • Registers, policies and procedures — editable
  • Designed for EU DPA inquiries, CCPA enforcement, and enterprise customer audits
Get the GDPR Package — $589
Equivalent to $8,000 — $20,000 of consulting fees
Instant download · 30-day guarantee · Editable Word format
118 documents included · 15 privacy domains covered · 100% of obligation-bearing GDPR articles mapped · €20M or 4% of global annual turnover (whichever is higher): the upper GDPR fine tier
Who this package is for

Designed for any organization that processes personal data.

The GDPR + CCPA/CPRA package is for both data controllers and processors, regardless of size, as soon as they collect, use, or store personal data of EU residents OR California residents (and increasingly residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Florida, Montana, and other US states with active privacy laws).

1. DPOs & Privacy Officers

Data Protection Officers (internal or outsourced), Chief Privacy Officers, in-house counsel, and compliance leads who must build, maintain, and produce the documented privacy dossier required by GDPR Article 30, CCPA/CPRA, and US state privacy laws.

2. SMB & mid-market executives

CEOs, CFOs, and senior management who carry legal responsibility for processing under GDPR Article 24 (and equivalent US state law accountability standards) and must demonstrate compliance to enterprise customers, partners, EU DPAs, and the California Privacy Protection Agency (CPPA).

3. CISOs & IT Directors

CISOs, Heads of Information Security, and IT Directors who must align technical and organizational measures (GDPR Art. 32) with the privacy documentation framework, DPIAs, breach response, and SOC 2 / ISO 27001 controls.

4. Consultants & law firms

Privacy consultants, specialized attorneys, and advisory firms who want a validated documentation foundation to start client engagements quickly (consultant license available on request).

Why this package exists

GDPR cannot be drafted from a blank page.

EU Regulation 2016/679 has 99 articles, of which around 30 directly require documents, registers, or written procedures. CCPA/CPRA layers in additional disclosure obligations, opt-out mechanisms, and consumer rights handling. Building all this in-house takes 3 to 6 months of writing work, during which you remain exposed to regulator action.

01. Free templates aren't enough for a regulator inquiry

Most online templates are simplified registers or standalone privacy notices. They ignore the connected requirements: DPIAs (Art. 35), breach notification (Art. 33-34), processor contracts / DPAs (Art. 28), international transfers including SCCs and DPF (Art. 44-49), data subject rights handling (Art. 15-22), and CCPA-specific notices, opt-out mechanisms, and Service Provider Agreements.

02. Privacy enforcement is escalating in 2025-2026

EU Data Protection Authorities have issued thousands of fines, from a few thousand euros up to €1.2 billion (Meta, 2023), with Amazon and TikTok also fined in the hundreds of millions. The GDPR cap is €20M or 4% of global annual turnover, whichever is higher. CCPA/CPRA administrative fines reach $7,500 per intentional violation (adjusted for inflation by the CPPA), and California's CPPA has begun enforcement actions against US companies.

03. Enterprise customers require privacy compliance in contracts

Fortune 500 buyers, federal contracts, healthcare partners, and SaaS resellers now systematically require a privacy compliance dossier, a signed DPA (GDPR Art. 28), and increasingly a DPIA in their vendor onboarding. Without a ready dossier, vendor qualification stalls.

04. A consulting engagement costs $8,000 to $20,000

A complete GDPR + CCPA compliance engagement billed by a privacy consulting firm or outsourced DPO/CPO represents 10 to 30 days of intervention. The documentation package gives you the complete written foundation — you keep your budget for field implementation and specific DPIAs.

What is included

118 documents organized by article and privacy domain.

The package covers 15 GDPR compliance domains (Articles 5 to 89 of EU Regulation 2016/679), the CCPA/CPRA layer with US state law alignment, plus EDPB and CPPA guidelines. Each document is mapped to one or more specific normative articles.

Domain 1 · Art. 37-39

Governance & DPO/CPO

  • General data protection policy
  • DPO/CPO appointment letter (Art. 37)
  • DPO designation procedure & supervisory authority notification (Art. 37.7)
  • DPO job description (Art. 39 — 5 missions)
  • DPO independence charter (Art. 38.3)
  • Annual DPO/CPO activity report
Domain 2 · Art. 30 + CCPA

Records of processing activities (RoPA)

  • Controller RoPA (Art. 30.1 — 7 fields)
  • Processor RoPA (Art. 30.2 — 4 fields)
  • Standard processing record template
  • RoPA creation & update procedure
  • Process mapping by purpose
  • Note on the < 250 employees derogation (Art. 30.5)
  • CCPA/CPRA data inventory and categorization template
Domain 3 · Art. 6, 7, 8, 9, 10

Legal bases, consent & sensitive data

  • Legal basis qualification procedure (Art. 6 — 6 bases)
  • Consent collection procedure (Art. 7)
  • Consent form template
  • Consent withdrawal procedure (Art. 7.3)
  • Children consent procedure (Art. 8 — aligned with COPPA for US)
  • Sensitive data procedure (Art. 9 — 10 derogations)
  • Criminal data procedure (Art. 10)
  • CCPA/CPRA Sensitive Personal Information (SPI) handling procedure
Domain 4 · Art. 12, 13, 14 + CCPA

Privacy notices & transparency

  • Direct collection privacy notice (Art. 13)
  • Indirect collection privacy notice (Art. 14)
  • Website privacy policy (GDPR + CCPA/CPRA combined)
  • Cookie & tracker policy (ePrivacy Directive 2002/58/EC + CCPA opt-out)
  • HR privacy notices (candidates & employees)
  • Standard icons template (Art. 12.7)
  • "Do Not Sell or Share My Personal Information" notice (CCPA/CPRA)
  • "Notice at Collection" template (CCPA)
Domain 5 · Art. 15-22 + CCPA rights

Data subject & consumer rights

  • Global rights handling procedure (Art. 12 — 1 month + 2 month extension)
  • Right of access response template (Art. 15 / CCPA right to know)
  • Right to rectification response template (Art. 16 / CCPA right to correct)
  • Right to erasure response template (Art. 17 / CCPA right to delete)
  • Right to restriction response template (Art. 18)
  • Right to portability response template (Art. 20 / CCPA right to portability)
  • Right to object response template (Art. 21 / CCPA right to opt-out of sale)
  • Identity verification procedure (Art. 12.6 / CCPA verifiable consumer request)
  • Recipient notification procedure (Art. 19)
  • Rights request register
  • "Right to limit use of SPI" handling procedure (CPRA)
Domain 6 · Art. 22

Automated decision-making & profiling

  • Automated decision & profiling procedure (Art. 22)
  • Matrix of processing with significant legal effect
  • Human intervention & contestation procedure
  • Specific data subject information (Art. 13.2.f, 14.2.g, 15.1.h)
  • CCPA/CPRA automated decision-making opt-out procedure
Domain 7 · Art. 35, 36 + CPRA Risk Assessment

Data Protection Impact Assessment (DPIA)

  • DPIA procedure (Art. 35 — 4 mandatory elements §7)
  • DPIA triggering matrix (3 cases Art. 35.3 + EDPB list)
  • Complete DPIA template (CNIL PIA methodology, EDPB-aligned)
  • Risk assessment grid (Recital 75)
  • Prior consultation procedure with supervisory authority (Art. 36)
  • DPIA review procedure (Art. 35.11)
  • CPRA Risk Assessment template (annual cybersecurity audit and risk assessment)
Domain 8 · Art. 32

Security of processing

  • Information Security Policy (ISP)
  • Access management policy (RBAC)
  • Encryption & pseudonymization procedure (Art. 32.1.a)
  • Backup & resilience procedure (Art. 32.1.c)
  • Regular testing of TOMs procedure (Art. 32.1.d)
  • Acceptable use policy (employees)
  • Technical and organizational measures (TOM) matrix — SOC 2 / ISO 27001 aligned
Domain 9 · Art. 33, 34 + state breach laws

Data breach response

  • Breach management procedure (Art. 33, 34)
  • Internal breach register (Art. 33.5)
  • Supervisory authority notification template — 72h (Art. 33.1; content per Art. 33.3)
  • Communication template to data subjects (Art. 34.2)
  • Risk assessment grid for individual rights
  • State-by-state breach notification matrix (all 50 US states + DC + territories)
  • HHS / OCR notification template (HIPAA Breach Notification Rule, if applicable)
Domain 10 · Art. 26, 28 + CCPA SPA

Processors & joint controllership

  • Standard contractual clauses Art. 28 — 8 obligations of Art. 28.3 (a) to (h) (DPA)
  • Processor selection & audit procedure
  • Processor GDPR evaluation grid
  • Processor register
  • Joint controller agreement (Art. 26)
  • Sub-processor procedure (Art. 28.2 and 28.4)
  • Annual processor audit procedure
  • CCPA/CPRA Service Provider Agreement template
  • CCPA Third-Party / Contractor Agreement template
Domain 11 · Art. 27, 44-49

International data transfers & EU representative

  • Transfer qualification procedure (Art. 44-49)
  • Mapping of transfers outside the EEA
  • Standard Contractual Clauses (SCCs) 2021 — modules 1 to 4 (Art. 46.2.c)
  • Transfer Impact Assessment (TIA) procedure post-Schrems II
  • EU-US Data Privacy Framework (DPF) self-certification readiness checklist
  • International transfer register
  • BCR policy (Art. 47 — 14 elements) for international groups
  • Foreign authority requests procedure (Art. 48 — CLOUD Act, FISA 702 considerations)
  • EU representative designation procedure (Art. 27)
Domain 12 · Art. 25

Privacy by Design & data retention

  • Privacy by Design & by Default procedure (Art. 25)
  • Data retention matrix (principle Art. 5.1.e)
  • Intermediate & final archiving procedure
  • Data purge & anonymization procedure
  • Privacy by Design project checklist
  • Note on processing not requiring identification (Art. 11)
Domain 13 · Art. 88

HR processing & employment relations

  • HR processing procedure (Art. 88)
  • Dedicated HR register (candidates, employees, former employees)
  • Workplace surveillance procedure (aligned with state employee monitoring laws)
  • Remote work & collaborative tools procedure
  • Intra-group employee data transfer procedure
  • Note on collective agreements and works council requirements (where applicable)
  • CCPA HR notice (effective for California employees)
Domain 14 · Art. 89

Archives, research & statistics

  • Archiving processing procedure (Art. 89.1)
  • Scientific research processing procedure
  • Statistical processing procedure
  • Derogations matrix Art. 89.2 and 89.3 (rights Art. 15, 16, 18, 19, 20, 21)
  • Pseudonymization procedure for compatible purposes
  • De-identification methodology (HIPAA Safe Harbor / Expert Determination)
Domain 15 · Art. 5.2, 24, 31 + CPPA cooperation

Documentation, accountability & regulator cooperation

  • GDPR + CCPA compliance manual (Art. 5.2, 24)
  • Privacy documentation control procedure
  • Privacy training & awareness plan
  • Internal privacy audit procedure (15 domains)
  • Privacy audit checklist
  • Privacy compliance dashboard (KPIs)
  • Supervisory authority cooperation procedure (Art. 31)
  • Regulator inquiry response procedure (EU DPA, CPPA, state AG)
US state laws & sectoral

CCPA/CPRA + multi-state US compliance

  • CCPA/CPRA (California) full alignment procedure
  • VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah) mapping
  • Multi-state US privacy compliance matrix (TX, OR, MT, FL, IA, IN, TN, etc.)
  • HIPAA / HITECH alignment procedure (if processing PHI)
  • GLBA compliance procedure (if processing financial data)
  • FERPA compliance procedure (if processing student data)
  • COPPA compliance procedure (if processing children data <13)
  • Mapping matrix GDPR ↔ CCPA/CPRA ↔ US state laws
Delivery format: all documents are delivered as fully editable Microsoft Word (.docx) files, with a neutral graphic charter ready to receive your logo. No locked PDFs, no proprietary software dependency. Registers, mapping matrices, and the multi-state compliance matrix are delivered in Excel.
Article-by-article mapping

Every GDPR article that imposes an obligation on controllers or processors → at least one document in the package.

GDPR is an accountability-based regulation (Art. 5.2 and 24). When facing a regulator inquiry or an enterprise customer audit, the first question is always the same: "show me your documentation." Below is the article-by-article mapping between the regulatory text and the documents provided.

GDPR Article | Regulatory requirement | Documents provided in the package
Art. 5 | Principles relating to processing: lawfulness, purpose, minimization, accuracy, storage limitation, security, accountability | General privacy policy; Compliance manual; Retention matrix; Minimization procedure
Art. 6 | Lawfulness of processing — 6 legal bases (consent, contract, legal obligation, vital interest, public interest, legitimate interest) + compatibility test (Art. 6.4) | Legal basis qualification procedure; Legitimate interest balancing test (LIA); Compatibility test for further purposes
Art. 7 | Conditions applicable to consent: proof, distinguishability, withdrawal as easy as collection | Consent procedure; Consent form; Withdrawal procedure
Art. 8 | Children's consent for information society services (16 EU default; lower in some Member States) | Children consent procedure (GDPR Art. 8 + COPPA US alignment); Parental verification mechanism
Art. 9 | Special categories (origin, opinions, health, biometric, genetic, sexual orientation) — 10 derogations | Sensitive data procedure; Art. 9.2 derogations matrix; CCPA Sensitive PI handling procedure
Art. 10 | Personal data relating to criminal convictions and offenses | Criminal data procedure; Authorization matrix under public authority
Art. 11 | Processing not requiring identification — partial exemption from Art. 15-20 | Note on processing without identification
Art. 12 — 14 | Transparent information of data subjects, direct collection (Art. 13) and indirect (Art. 14) + rights exercise modalities (Art. 12, 1 month + 2 month extension) | Direct collection notice (Art. 13); Indirect collection notice (Art. 14); Privacy policy; Cookie policy + CCPA opt-out; HR notices; Standardized icons template
Art. 15 — 21 | Data subject rights: access (15), rectification (16), erasure / right to be forgotten (17), restriction (18), portability (20), objection (21) | Global rights handling procedure; Access response template (CCPA right to know aligned); Rectification response template (CCPA right to correct); Erasure response template (CCPA right to delete); Restriction response template; Portability response template (CCPA aligned); Objection response template (CCPA right to opt-out); Identity verification (Art. 12.6 / CCPA verifiable consumer request); Rights request register
Art. 19 | Notification obligation to recipients of any rectification, erasure, or restriction | Recipient notification procedure; Recipient register per processing
Art. 22 | Automated individual decision-making and profiling producing legal effects or significantly affecting the person | Automated decision & profiling procedure; Matrix of processing with legal effect; Human intervention & contestation procedure; CPRA automated decision-making opt-out
Art. 24 — 25 | Controller responsibility, Privacy by Design & by Default | Compliance manual; Privacy by Design procedure; PbD project checklist
Art. 26 | Joint controllership between controllers — written agreement defining respective obligations | Joint controllership agreement; Joint controller qualification procedure
Art. 27 | Designation of an EU representative by controllers or processors not established in the EU but targeting EU residents (Art. 3.2) | EU representative designation procedure; Standard written mandate
Art. 28 | Processor obligations and written processing contract — 8 mandatory clauses (Art. 28.3 (a) to (h)) | Standard contractual clauses Art. 28 (DPA); Processor selection procedure; Evaluation grid; Processor register; Sub-processor procedure (Art. 28.2, 28.4); Annual audit procedure; CCPA Service Provider Agreement template
Art. 30 | Records of processing activities (controller 30.1 + processor 30.2) — < 250 employees derogation under conditions | Controller RoPA (Art. 30.1); Processor RoPA (Art. 30.2); Standard processing record template; Update procedure; Note on < 250 employees derogation
Art. 31 | Cooperation with the supervisory authority — obligation to make registers available and assist the authority | Supervisory authority cooperation procedure; Inquiry response procedure (EU DPA, CPPA, state AG)
Art. 32 | Security of processing: pseudonymization, encryption, confidentiality, integrity, availability, resilience + regular testing of TOMs | Information Security Policy; Access management policy; Encryption & pseudonymization; Backup & resilience; Regular TOM testing procedure; TOM matrix (SOC 2 / ISO 27001 aligned); Acceptable use policy
Art. 33 — 34 | Notification to supervisory authority within 72h (Art. 33) and communication to data subjects in case of high risk (Art. 34) | Breach management procedure; Internal breach register (Art. 33.5); Supervisory authority notification 72h; Communication to data subjects; Risk assessment grid; US state-by-state breach notification matrix
Art. 35 — 36 | Data Protection Impact Assessment (DPIA) mandatory in 3 cases (Art. 35.3) + prior consultation if high residual risk (Art. 36) | DPIA procedure (4 elements Art. 35.7); Triggering matrix; Complete DPIA template; Risk assessment grid; DPIA review procedure (Art. 35.11); Prior consultation procedure; CPRA Risk Assessment template
Art. 37 — 39 | DPO designation, function, and missions — 3 mandatory cases (Art. 37.1), independence (Art. 38.3), 5 minimum missions (Art. 39) | DPO/CPO appointment letter; Designation procedure; Job description (5 missions Art. 39); Independence charter (Art. 38.3); Annual report
Art. 44 — 49 | Transfers to third countries: adequacy decision (45), appropriate safeguards (46), derogations (49) | Transfer qualification procedure; Transfers mapping; Standard Contractual Clauses 2021 (Art. 46.2.c); TIA procedure post-Schrems II; EU-US Data Privacy Framework checklist; Derogations procedure (Art. 49); Transfers register
Art. 47 | Binding Corporate Rules (BCRs) for groups — 14 mandatory elements (§2 a to n) | BCR policy; BCR approval procedure with lead authority
Art. 48 | Transfers or disclosures not authorized by Union law — framework for foreign court/authority requests (CLOUD Act, FISA 702 type) | Foreign authority requests procedure; Applicable international agreement assessment grid
Art. 88 | Processing of data in employment relations — specific national provisions (collective agreements, works councils) | HR processing procedure; HR register (candidates, employees, former employees); Workplace surveillance procedure; Remote work procedure; CCPA HR notice for California employees
Art. 89 | Safeguards and derogations for processing for archiving in the public interest, scientific or historical research, or statistics | Archiving purposes procedure; Scientific research procedure; Statistical purposes procedure; Derogations matrix Art. 89.2 and 89.3; HIPAA de-identification methodology (if PHI)
US state laws + sectoral | US compliance layer: CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TX/OR/MT/FL/IA/IN/TN privacy acts, HIPAA (PHI), GLBA (financial), FERPA (education), COPPA (children) | CCPA/CPRA compliance procedure; Multi-state US privacy matrix; HIPAA / HITECH procedure; GLBA compliance procedure; Mapping matrix GDPR ↔ CCPA ↔ US state laws
Not included | Deliverables specific to each processing and each organization — which must be produced case by case by your DPO/CPO, CISO, or compliance team | Filled-in RoPA (your processing activities); Complete DPIAs (per high-risk processing); Signed DPAs (per processor); Filled-in TIAs (per transfer); Authority-approved BCRs (dedicated procedure); Actual breach notifications; Technical security audits (pentest, ISO 27001 certification); Customized team training
Why these deliverables can't be pre-filled — from any supplier.

The filled-in RoPA, complete DPIAs, signed processor contracts, completed TIAs, and actual breach notifications are by nature specific to each organization and each processing activity. They depend on your exact purposes, the data you process, your recipients, your legal bases, your processors, transfer countries, and the real risks to data subjects.

A package claiming to provide these deliverables pre-filled would inevitably produce a nonconformity: a generic RoPA does not hold up under inspection, a non-customized DPIA exposes the DPO who signs it to liability, and a copy-pasted TIA does not cover the actual legal risk. These deliverables must be drafted organization by organization, by qualified people (DPO/CPO, CISO, in-house counsel, business owner).

The QSE Academy package, however, provides all the procedures, matrices, and templates that frame the production of these specific deliverables: complete DPIA procedure, triggering matrix, evaluation grid, RoPA template, standard contractual clauses — the full documentation framework within which your privacy dossier takes shape.
This mapping is delivered as an Excel matrix in the package. It can be presented to a regulator inspector, an enterprise customer, or an auditor as evidence of documentation coverage; it does not replace the filled-in records and operational evidence they will also ask for.
For experienced privacy professionals

Technical conformance — the points an experienced regulator inspector checks first.

Beyond the article-by-article mapping, here are the rigor points that experienced DPOs/CPOs, regulator inspectors, and privacy auditors verify first.

  • Legal basis qualification (Art. 6) — documented per processing, not a generic "legitimate interest." Balancing test (LIA) for Art. 6.1.f, justification of consent for non-essential cookies and CCPA "Sale" / "Share" determinations
  • Children's consent (Art. 8 + COPPA) — documented parental verification mechanism for information society services. COPPA Verifiable Parental Consent for under-13 in the US
  • Criminal data (Art. 10) — processing authorized only under control of public authority or specific provision of EU/national law, distinct from sensitive data Art. 9
  • Retention periods (Art. 5.1.e) — defined per purpose, with distinction active database / intermediate archive / final archive, aligned with sectoral guidance and CPRA retention disclosure obligations
  • Enforceable RoPA (Art. 30) — granularity at the "processing activity" level, not "software" or "service" level, 7 mandatory fields on controller side, 4 on processor side, dated maintenance
  • DPIA: triggering (Art. 35.3) — 3 mandatory cases (profiling with legal effect, large-scale processing of sensitive/criminal data, systematic monitoring of public area) + EDPB list. CPRA annual Risk Assessment for high-risk processing
  • Breach notification within 72h (Art. 33) — the clock starts when you become aware of the breach, not when you finish qualifying it. Formal evaluation procedure before the notification decision, and documented reasons for any delay beyond 72h (Art. 33.1). State breach laws layer additional timing requirements: most require notification "without unreasonable delay", and several set fixed outer limits of 30 to 60 days
  • Data subject communication (Art. 34) — triggered by "high risk" to rights and freedoms, distinct from supervisory authority notification. Well-framed exceptions (Art. 34.3)
  • Automated decision & profiling (Art. 22) — right not to be subject to a solely automated decision producing legal or significant effects. Documented human intervention, contestation right. CPRA: similar opt-out rights
  • Processor contracts Art. 28 — all 8 obligations of Art. 28.3 (a) to (h) (instructions, confidentiality, security, sub-processing, data subject rights, assistance Art. 32-36, deletion or return, information and audit). CCPA Service Provider Agreement: written contract with specific limitations on use
  • International transfers post-Schrems II — systematic TIA, identification of supplementary measures, specific treatment for the United States (Data Privacy Framework self-certification through DOC)
  • Foreign authority requests (Art. 48) — disclosure recognized only on the basis of an international agreement in force (mutual legal assistance treaty, e-evidence regulation), otherwise documented refusal. Particularly critical for US CLOUD Act, FISA 702, and National Security Letter requests
  • EU representative (Art. 27) — obligation for controllers or processors not established in the EU but processing EU residents' data, except derogations. US companies offering goods/services to EU residents are squarely in scope
  • DPO / CISO / Top Management articulation — documented DPO independence (Art. 38.3), direct reporting to highest level, no conflict of interest, sufficient resources. CPRA does not mandate a DPO equivalent, but a designated Chief Privacy Officer is increasingly expected by enterprise customers
  • HR processing (Art. 88) — specific provisions allowed by national law / collective agreements (recruitment, workplace surveillance, remote work, intra-group employee data). US: state-by-state employee monitoring laws (e.g., NY S2628, CT employee monitoring law)
  • Archives / research / statistics (Art. 89) — derogations from rights Art. 15, 16, 18, 19, 20, 21 possible subject to technical and organizational guarantees (pseudonymization first). HIPAA de-identification (Safe Harbor / Expert Determination) for PHI
  • Demonstrable accountability (Art. 5.2 + 24) — not a slogan but a chain of evidence: policy → procedure → record → audit → management review. That's what regulators look at first in any inquiry
  • US state-by-state alignment — CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah), TX/OR/MT/FL/IA/IN/TN privacy acts. Sector-specific: HIPAA (PHI), GLBA (financial), FERPA (education), COPPA (children)

GDPR + CCPA: extraterritorial reach + US compliance

GDPR applies beyond the European Union as soon as an organization with no EU establishment offers goods or services to data subjects in the Union or monitors their behaviour there (Art. 3.2). CCPA/CPRA applies to any business that does business in California and meets one of its thresholds (revenue, volume of consumers' personal information, or revenue share from selling or sharing personal information). Being compliant with both positions you for the global "GDPR-like" regulatory landscape and US state privacy laws.

European Union (27), United Kingdom (UK GDPR), Switzerland (revFADP), California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah, Texas, Oregon, Florida, Montana, Brazil (LGPD), Canada (PIPEDA), Japan (APPI), South Korea (PIPA)
Comparison

Why the QSE Academy package over the alternatives.

Criterion | QSE Academy GDPR + CCPA ($589) | Free templates ($0) | Outsourced DPO / privacy firm ($8,000 — $20,000)
Coverage of the 15 GDPR domains | ✓ 100% | Partial | ✓ 100%
Article-by-article GDPR mapping | ✓ Excel matrix | | Per engagement
CCPA/CPRA + US state law layer | ✓ Included | | Per engagement
Processor contracts Art. 28 (DPA) + CCPA SPA | ✓ Included | Rare | 
DPIA procedure + complete template | ✓ Included | Rarely | 
State-by-state breach notification matrix | ✓ Included | | Per engagement
Editable Word format, neutral charter | ✓ | Variable | 
Delivery time | Instant | Instant | 3 to 6 months
Money-back guarantee | ✓ 30 days | | 
Filled-in RoPA & customized DPIAs | On you | On you | Included
Implementation & team training | On you | On you | Included
The package doesn't replace the DPO/CPO function nor a technical security audit — it gives you the complete written foundation of your privacy compliance dossier. That's precisely the part where consulting firms and outsourced DPOs charge the most. For implementation support or outsourced DPO/CPO engagements, we also offer custom services.
Privacy flash audit

Where do you stand today?

Answer the 15 article-by-article questions to get your GDPR + CCPA/CPRA maturity score. Instant result, free, no personal information required.

Deployment process

From order to compliance dossier, here is the path.

The package isn't just delivered. Here is the concrete path to bring it into production in your organization, step by step.

1. Day 1: Download

Secure payment, immediate access to the full package as a ZIP. Within minutes you have the 118 Word documents, the Excel matrices, and the user manual.

2. Weeks 1 — 4: Customization

Adapting the documents to your organization: logo, organizational chart, processing inventory, processors, transfers, applicable scope (GDPR + CCPA + state laws). Plan 2 to 4 weeks for thorough customization including data mapping work.

3. Weeks 5 — 10: Implementation

Team training, RoPA filling, DPIA on high-risk processing, processor contracts review, breach response drill, privacy notices update. Records start feeding real privacy traceability.

4. Weeks 10 — 12: Internal audit

Internal privacy audit using the checklist provided in the package. Identification of remaining gaps, corrective action plan, preparation for enterprise customer audits, regulator inquiries, or vendor onboarding requests.

Typical timeline: 10 to 12 weeks between order and a "ready for audit / inquiry response" state. The most structured organizations reach this state in 8 weeks; those starting from scratch may take up to 16 weeks. Your internal resources make the difference, not the package.
Used by privacy teams worldwide

What organizations that adopted it say.

★★★★★

A massive time-saver. The procedures were clear, complete, and directly usable. Our enterprise customer privacy audits were validated on the first attempt, and the article-by-article mapping made vendor onboarding seamless.

Megan
Chief Privacy Officer · SaaS company, USA
★★★★★

Written by professionals who really know privacy. The DPIA template, the standard contractual clauses, and the CCPA/CPRA layer were exactly what I needed to structure our compliance program across multiple jurisdictions.

Robert
Privacy Counsel · Healthcare provider, USA
★★★★☆

Unbeatable value. We rolled out our GDPR + CCPA program in 7 weeks instead of the 4 months we expected with an external privacy consultant. The state-by-state breach notification matrix was particularly well thought out.

David
General Counsel · Mid-market firm, Canada
★★★★★

Fully customizable Word documents, neutral charter, accurate privacy terminology, GDPR and CCPA aligned. The DPA templates are well designed, the breach response procedure is operational. Solid work.

Amanda
DPO · FinTech, UK
Risk-free

30-day guarantee, no questions asked.

30-day money-back guarantee

You test the package. If you change your mind, we refund you.

You have 30 days to download the package, review its content, open the documents, and verify that the writing quality matches your expectations. If something is off, you write us an email — no justification needed — and the refund is processed within 5 business days. That simple.

The package evolves with you

Updates included for 12 months.

The privacy regulatory landscape evolves rapidly. The package you buy today shouldn't become obsolete in 6 months. That's why updates are included.

12 months of regulatory and normative updates

The package already integrates GDPR, CCPA/CPRA, the latest US state privacy laws, the EU-US Data Privacy Framework, and post-Schrems II SCCs. In case of new EDPB guidelines, CPPA enforcement guidance, new US state privacy laws (over a dozen states have active legislation in 2026), or significant case law, you receive relevant package updates free of charge for 12 months after your purchase.

  • EDPB guidelines updates
  • CPPA regulations and enforcement actions
  • New US state privacy laws (TX, OR, MT, FL, IA, IN, TN, etc.)
  • SCC and adequacy decision updates
  • HIPAA / HITECH evolutions (if applicable)
  • Email notifications upon publication
Frequently asked questions

Answers to your most common questions.

Is the package enough to pass an enterprise customer audit or a regulator inquiry?

The package gives you the complete documentation foundation required by GDPR, CCPA/CPRA, and other US state privacy laws. To pass an enterprise audit or respond to a regulator inquiry, you also need to fill in the documents with your real processing activities (RoPA, DPIAs, signed DPAs) and demonstrate operational implementation. The package saves you the 3 to 6 months of writing work. Operational implementation remains your work (typically 4 to 12 weeks depending on company size).

Does the package cover both GDPR and US privacy laws?

Yes. The package fully covers GDPR (EU Regulation 2016/679) with article-by-article mapping, plus the CCPA/CPRA layer with all California-specific obligations (Notice at Collection, Do Not Sell or Share, opt-outs, Service Provider Agreements, Risk Assessments, etc.). It also includes a multi-state US privacy compliance matrix covering Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas, Oregon, Montana, Florida, Iowa, Indiana, Tennessee, and other states with active privacy laws. Sectoral compliance procedures (HIPAA, GLBA, FERPA, COPPA) are included where applicable.

What's the difference between this and free templates downloaded online?

Most free templates are simplified registers or standalone privacy notices. They ignore the connected requirements: DPIAs (Art. 35), breach notification (Art. 33-34), processor contracts / DPAs (Art. 28), international transfers including SCCs and DPF (Art. 44-49), data subject rights handling (Art. 15-22), and CCPA-specific notices, opt-out mechanisms, and Service Provider Agreements. The QSE Academy package is written specifically for GDPR + CCPA/CPRA and includes the verifiable article-by-article mapping, the state-by-state breach notification matrix, and the latest 2026 regulatory updates.

Who actually enforces GDPR in the US, and what are the real risks?

GDPR is enforced by EU Data Protection Authorities (DPAs) such as the Irish DPC, French CNIL, German DPAs, and others. They have jurisdiction over US companies offering goods/services to EU residents (Art. 3.2). CCPA/CPRA is enforced by the California Privacy Protection Agency (CPPA) and the California AG. Other US state privacy laws are enforced by state Attorneys General. Real risks include: GDPR fines up to €20M or 4% of global turnover; CCPA fines up to $7,500 per intentional violation; class action lawsuits; enterprise customer contract breaches; reputational damage; and increasingly, exclusion from federal contracts and SaaS marketplaces.

How long does it take to adapt the package to my organization?

Plan 2 to 4 weeks to customize the documents: logo, organizational chart, processing inventory, processors, transfers, applicable jurisdictions (which US state laws apply, whether GDPR Art. 3.2 applies). Then plan implementation time: data mapping, RoPA filling, DPIA on high-risk processing, signed DPAs, privacy notices update, breach response drill — 4 to 12 additional weeks depending on company size and starting maturity.

Is the package delivered in Word or PDF format?

All policies, procedures, and templates are delivered in fully editable Microsoft Word (.docx) format. Registers, mapping matrices, and the multi-state compliance matrix are delivered in Excel format. No locked PDFs, no proprietary software dependency. The graphic charter is neutral, ready to receive your logo and colors.

Do I need to appoint a DPO or a CPO?

Under GDPR Art. 37.1, a DPO is mandatory in 3 cases: public authority/body, core activities requiring large-scale systematic monitoring, or core activities of large-scale processing of special categories. Many US companies don't fall into these mandatory cases but voluntarily appoint a Chief Privacy Officer (CPO) or Privacy Lead because enterprise customers, investors, and regulators increasingly expect it. CPRA doesn't mandate a CPO but expects equivalent accountability. The package includes the DPO/CPO appointment letter, job description, independence charter, and annual report templates.

Does the package handle international data transfers (US ↔ EU)?

Yes. The package includes the full transfer framework: transfer qualification procedure, mapping of transfers outside the EEA, Standard Contractual Clauses (SCCs) 2021 with all 4 modules, Transfer Impact Assessment (TIA) procedure post-Schrems II, EU-US Data Privacy Framework (DPF) self-certification readiness checklist, BCR policy for international groups, foreign authority requests procedure (CLOUD Act, FISA 702 considerations), and the EU representative designation procedure (Art. 27) for US companies needing one.

How many users / sites does the license cover?

The $589 license covers a single legal entity, with unlimited internal use (all your employees can use the package). For multi-site rollout, a group with multiple subsidiaries, or consulting use across multiple clients, contact us for an adapted license.

Do I receive updates if the regulations evolve?

Yes. The package already integrates the latest 2026 regulatory landscape (GDPR, CCPA/CPRA, all major US state privacy laws, DPF, post-Schrems II SCCs). In case of new EDPB guidelines, CPPA enforcement actions, new US state privacy laws (the landscape is still evolving rapidly), or significant case law, you receive package updates free of charge for 12 months after your purchase.

What happens if I'm not satisfied?

You're covered by a 30-day money-back guarantee, no conditions. You write us a simple email — no justification required — and the refund is processed within 5 business days.

Take action

Your GDPR + CCPA compliance dossier. Ready today.

118 documents, 15 GDPR domains covered + CCPA/CPRA + multi-state US privacy compliance, article-by-article mapping included. Instant download after payment.

Equivalent to $8,000 — $20,000 of consulting fees
$589 Single-organization license · Secure payment · Instant download