For informational and educational purposes only. Not legal advice. Laws change; always verify against current primary texts. Consult a qualified lawyer for your specific situation.
Select Jurisdictions
🇪🇺 GDPR (EU)
🇮🇳 DPDPA (India)
🇺🇸 CCPA / CPRA (California)
🇧🇷 LGPD (Brazil)
🇹🇭 PDPA (Thailand)
🇸🇬 PDPA (Singapore)
🇨🇳 PIPL (China)
🇿🇦 POPIA (South Africa)
🇦🇺 Privacy Act (Australia)
Session only. Data is not transmitted or persisted beyond your current browser tab. Export before closing.
Regulatory Reference
GDPR Art. 30

Controllers with 250+ employees must maintain a full RoPA. Smaller organisations must maintain records where processing is not occasional, involves special categories, or could risk individuals' rights.

DPDPA S. 8

India's DPDPA places broad accuracy and security obligations on data fiduciaries. A RoPA supports demonstrating accountability, especially for Significant Data Fiduciaries subject to audit obligations under S. 10.

LGPD Art. 37

Brazilian law requires controllers and operators to keep records of processing operations, particularly where legitimate interest is relied upon as the legal basis.

Best Practice

Even where not legally mandated, a RoPA is the foundation of any accountability framework. It is typically the first document a supervisory authority requests during an investigation.

A TIA is a legal analysis, not a checkbox exercise. This tool structures the assessment to support, not replace, qualified legal review. Under GDPR, a TIA is required before relying on SCCs or BCRs (EDPB Recommendations 01/2020, updated Jan 2022).
Transfer Details
Destination Country Assessment

Answer honestly based on your knowledge of the destination country's legal framework.

Transfer Risk Rating
Required / Recommended Measures
    Risk Framework
    Low Risk
    Adequate mechanism; no significant legal obstacles. Standard measures sufficient.
    Medium Risk
    Mechanism exists but gaps identified. Supplementary measures required.
    High Risk
    Significant legal or practical obstacles. Transfer should be suspended or restructured.

    Based on EDPB Recommendations 01/2020 on measures supplementing transfer tools (updated January 2022).

    Key Legal References
    GDPR Chapter V (Arts. 44–49)
    International transfers from the EEA require an adequacy decision, appropriate safeguards (SCCs, BCRs), or a derogation. SCCs (Commission Decision 2021/914) are the most commonly used mechanism. A TIA is required before relying on SCCs. Schrems II, C-311/18.
    DPDPA S. 16(1)(b)
    Transfers permitted to all countries except those specifically restricted by Central Government notification. This is a blacklist approach, the inverse of GDPR's. No countries have been restricted as of April 2025; monitor government notifications as rules are finalised.
    PIPL Arts. 38–43
    Three mechanisms: CAC security assessment (mandatory for critical infrastructure operators; processors handling >1M persons; transfers of >100K persons' data annually; or >10K persons' sensitive PI); standard contract; or certification. CAC assessment approval typically required before first transfer.
    POPIA S. 72
    Transfers permitted if recipient country or organisation provides adequate protection substantially similar to POPIA's conditions, the data subject consents, or another listed ground applies.
    Under GDPR Art. 35, a DPIA is mandatory for processing likely to result in high risk to individuals. Under DPDPA S. 10, Significant Data Fiduciaries must conduct periodic DPIAs. This tool generates a structured draft for review by a qualified legal professional before approval.

    Step 1: Project Context

    Step 2: Screening. Is a DPIA Mandatory?

    A DPIA is mandatory under GDPR Art. 35 if any of the following apply. It is also best practice for any processing that may pose significant risks.

    Step 3: Data Flows & Processing Details

    Step 4: Necessity & Proportionality

    Assess whether the processing is the minimum required to achieve the stated purpose.

    Step 5: Risk Identification & Mitigation

    Identify key privacy risks, their likelihood and severity, and the controls in place to mitigate them.

    Risk Description | Likelihood | Severity | Inherent Risk | Mitigation Measure | Residual Risk

    Step 6: Outcome & Approval

    About Privacipher

    A free privacy compliance platform built for lawyers, compliance officers, and in-house counsel working across jurisdictions. Seventeen modules. Zero backend. Open source.

    What is Privacipher?

    Privacipher is a free, zero-backend privacy compliance suite designed for legal professionals, compliance teams, and businesses navigating multi-jurisdictional data protection obligations. Everything runs in your browser. No data leaves your device.

    The tool gives practitioners a structured starting point, not a shortcut. Every question is mapped to a specific statutory provision. Every recommendation is grounded in the primary text of the applicable law.

    Privacipher covers nine jurisdictions: GDPR (EU), DPDPA 2023 (India), CCPA/CPRA (California), LGPD (Brazil), PDPA (Thailand), PDPA (Singapore), PIPL (China), POPIA (South Africa), and the Privacy Act 1988 (Australia).

    Seventeen Modules, Four Categories
    Assessments · 05 modules
    01 · Compliance Checker
    Diagnostic questionnaires for 9 jurisdictions with weighted scoring, statutory references, and exportable gap reports.
    02 · PIA / DPIA
    Six-step Privacy and Data Protection Impact Assessment with mandatory trigger screening and risk matrix.
    03 · Transfer Impact (TIA)
    Structured cross-border transfer risk assessment based on EDPB Recommendations 01/2020.
    04 · LIA Builder
    Documented three-part Legitimate Interest Assessment under Art. 6(1)(f) GDPR.
    05 · Consent Flow Auditor
    Heuristic audit of consent notices against GDPR, DPDPA, LGPD, and PIPL validity criteria.
    Builders & Templates · 04 modules
    06 · RoPA Builder
    In-browser Record of Processing Activities with full Art. 30 GDPR fields. Export to CSV and JSON.
    07 · DSAR Tracker
    Log and track Data Subject Access Requests with auto-calculated deadlines per jurisdiction.
    08 · Privacy Notice Generator
    Generates a GDPR and DPDPA ready privacy notice draft from structured form input.
    09 · DPA Checklist
    Assess a Data Processing Agreement against Art. 28 GDPR, DPDPA, and LGPD mandatory clauses.
    Reference · 05 modules
    10 · Transfer Mechanism Selector
    Decision tree for identifying the correct lawful mechanism for international transfers.
    11 · Regulatory Authority Directory
    DPAs, complaint portals, and breach notification URLs across all 9 jurisdictions.
    12 · Enforcement Calendar
    Upcoming regulatory deadlines and enforcement milestones through April 2028.
    13 · Breach Playbook
    Step-by-step breach response guides with notification timelines for all 9 jurisdictions.
    14 · Quick Tools
    DPO necessity checker, penalty reference, and GDPR adequacy decision status.
    Information · 03 modules
    15 · About
    You are here.
    16 · Changelog
    Full version history and release notes.
    17 · Terms of Use
    Eleven-section legal disclaimer, permitted use, and governing terms.
    Regulatory Accuracy

    All questions and recommendations are derived from primary legal texts: the actual statutes and regulations, not secondary summaries. Each question references the specific provision so you can verify the source directly.

    Regulatory requirements change. The tool carries version numbers and a changelog. If you identify an error or an update not yet reflected, open a GitHub issue or submit a pull request.

    Legal Disclaimer

    Privacipher is an educational and informational tool only. It does not constitute legal advice, create a lawyer-client relationship, or substitute for qualified legal counsel. Results generated are starting points for internal review, not definitive compliance determinations. Laws change; always verify against current primary texts. Adv. Sanket Shah and the contributors to this project accept no liability for reliance on outputs generated by this tool.

    Adv. Sanket Shah
    Technology Lawyer · Indore, India
    Qualification
    LL.M. in IPR & Technology Law, Jindal Global Law School. Gold Medalist in Data Privacy. Enrolled at the Bar Council of India. Jean Monnet EU-ERASMUS+ researcher.
    Practice Areas
    DPDPA · GDPR · CCPA · Commercial contracts · SaaS agreements · AI governance · Contract lifecycle management · Legal automation
    Published Books
    Lawyer's Guide to DPDPA · The Privacy Lawyer's Starter Guide (GDPR & DPDPA) · The Weight of Sunday Afternoons (literary fiction)
    Certifications
    AI for Business (UPenn) · Claude AI (Anthropic ×3) · DPDPA (DPDPA.com) · Preparing CIPP/E
    Open Source

    Privacipher is open source and free to use. If you spot an error, a legal update not yet incorporated, or want to contribute, raise an issue or PR on GitHub.

    GitHub Repository
    • v4.2
      April 2025
      Current
      • new Seven additional practitioner modules, bringing total module count to 17: DSAR Tracker (deadline-aware request log with CSV export); Legitimate Interest Assessment Builder (three-part test, exportable LIA); Privacy Notice Generator (GDPR and DPDPA notice draft from structured input); DPA Checklist (Art. 28 GDPR and DPDPA clause audit with gap list); Consent Flow Auditor (heuristic validity check against jurisdictional criteria); Cross-Border Transfer Mechanism Selector (decision tree across GDPR, DPDPA, PIPL, POPIA, LGPD, CCPA); Regulatory Authority Directory (DPAs, breach portals, official URLs for 9 jurisdictions).
      • new Complete design system overhaul inspired by editorial design principles: paper and ink colour palette (#FAFAF7 and #0F1114), monospace eyebrows with leader lines, numbered modules (01 / 17 format), italicised editorial accent headers, refined typography hierarchy.
      • new Full-screen module menu overlay replaces the horizontal tab bar and mobile bottom bar. All 17 modules grouped into four categories (Assessments, Builders, Reference, Information) in a clean numbered grid. The same interface works identically across desktop, tablet, and mobile with responsive column layouts.
      • new Current-module breadcrumb in the header shows module number and category at all times ("04 / 17 · Assessments · LIA Builder").
      • improved Smooth panel transitions: staggered fade-in animation on every tab switch with cubic-bezier easing; module menu uses coordinated opacity and transform transitions.
      • improved Global typography removal of em dashes throughout the entire tool, replaced with periods, commas, or parenthetical structure for improved readability in the practitioner writing register.
      • improved About section restructured to show all 17 modules grouped by category with numbered descriptions.
      • improved DSAR Tracker auto-calculates response deadlines per jurisdiction: GDPR 30 days, DPDPA 90 days, CCPA 45 days, LGPD 15 days, PDPA Thailand 30, PDPA Singapore 30, PIPL 15 working days, POPIA reasonable, APA 30 best practice. Colour-coded days-left warnings (green, amber, red, overdue).
      • improved Consent Flow Auditor includes contextual adjustments for sensitive data, children's data, and cookie consent with separate validity thresholds.
      • improved Transfer Mechanism Selector accounts for adequacy decisions (including the December 2025 EU-UK renewal), volume thresholds for PIPL CAC security assessment (1M / 100K / 10K), and context-specific derogations under Art. 49 GDPR.
      • improved DPA Checklist uses weighted scoring across 19 mandatory clauses with Yes / Partial / No / N/A granularity, producing a prioritised negotiation gap list.
      • fix Keyboard shortcut: Escape now closes the module menu on all platforms.
      • fix Body scroll locked when module menu is open; unlocks on close.
      • fix Active-module state correctly reflected in both header breadcrumb and menu grid on every tab switch.
    • v4.1
      April 2025
      • new Privacy Law Enforcement Calendar: 11 verified regulatory milestones from February 2025 through April 2028, filterable by jurisdiction, covering EU AI Act, DPDPA, CCPA/CPRA, LGPD, and China. Breach notification timelines reference table for all 9 jurisdictions in one view.
      • new Breach Response Playbook: jurisdiction-specific, step-by-step incident response guides for all 9 frameworks. Each playbook shows authority deadline, individual notification deadline, and primary statutory references. Covers PIPL's 1-hour CAC window (CAC Cybersecurity Incident Reporting Measures, eff. 1 Nov 2025), Australia's new 2024 statutory tort, DPDPA's CERT-In parallel obligation, and LGPD's ANPD Regulation CD/ANPD 15/2024.
      • new Quick Tools tab: DPO Necessity Checker (GDPR, DPDPA, LGPD, PDPA Thailand, PDPA Singapore with statutory references); Penalty Structures table covering all 9 jurisdictions with administrative fines, criminal penalties, and enforcement authority; GDPR Adequacy Decisions status including EU-UK renewal (December 2025) and EU-US DPF.
      • new Terms of Use & Legal Disclaimer: standalone tab with comprehensive ten-section legal disclaimer covering nature of the tool, no-legal-advice clause, no warranty, limitation of liability, force majeure, governing law, privacy statement, permitted use, open source licensing, and contact information.
      • improved Tab navigation expanded from 6 to 10 modules; mobile bottom bar updated accordingly.
      • improved DPDPA enforcement timeline updated to reflect DPDP Rules 2025 (G.S.R. 843(E), notified 13 November 2025): Board established; full enforcement from 13 May 2027; 72-hour breach notification confirmed in Rule 7.
      • improved China section updated to reflect CAC Cybersecurity Incident Reporting Measures (effective 1 November 2025) and Measures for Certification of Outbound Transfer of Personal Information (effective 1 January 2026).
      • improved CCPA/CPRA section updated to reflect CPPA final regulations (effective 1 January 2026): mandatory Privacy Risk Assessments, independent cybersecurity audits, and ADMT rules.
      • improved Footer now includes a Terms of Use link pointing to the dedicated tab.
      • improved Calendar filter bar allows one-click jurisdiction filtering of all enforcement milestone cards.
    • v4.0
      April 2025
      • new RoPA Builder: in-browser Record of Processing Activities builder with full Art. 30 GDPR field set. Add, edit, delete processing activities. Export to CSV and JSON. Session-only with clear disclaimer.
      • new Transfer Impact Assessment (TIA): structured seven-question destination-country assessment; risk scoring matrix across mechanism type, volume, data sensitivity, and legal framework; rated Low / Medium / High output with supplementary measures mapped to EDPB Recommendations 01/2020 (updated January 2022).
      • new PIA / DPIA: six-step Privacy and Data Protection Impact Assessment. Step 2 screening covers nine mandatory and recommended triggers including GDPR Art. 35(3)(a–c), DPDPA S. 10, and PIPL Art. 55. Interactive risk matrix with likelihood × severity inherent risk calculation. Generates exportable .txt assessment report.
      • new Privacipher logo: geometric shield mark with "P" letterform and cipher data-stream accent dots. Uses inline SVG with gradient fills.
      • improved Complete design overhaul: portfolio-matched colour system (bg-base #F8FAFC, accent #2563EB, text-primary #0F172A); Outfit + Inter + JetBrains Mono typography stack; radius-lg cards; subtle layered shadows.
      • improved Compliance Checker fully rewritten: weighted scoring (question-level weights 2–3); animated SVG score ring with colour-coded readiness; live gap panel updating on each answer; per-jurisdiction progress bars; exportable .txt gap report with statutory references and remediation actions.
      • improved All 92 questions across 9 jurisdictions reviewed and updated against primary statutory texts. GDPR (15q), DPDPA (14q), CCPA/CPRA (10q), LGPD (9q), PDPA Thailand (8q), PDPA Singapore (8q), PIPL (10q), POPIA (8q), Privacy Act Australia (10q).
      • improved DPDPA updated to reflect the Digital Personal Data Protection Act, 2023 as enacted (Presidential assent: 11 August 2023), replacing all references to earlier Bill drafts.
      • improved Australia section updated to reflect Privacy and Other Legislation Amendment Act 2024 (Royal Assent: November 2024), including new statutory tort for serious privacy invasion.
      • improved PIPL section expanded with CAC security assessment thresholds (>1M persons; >100K cross-border annually; >10K sensitive PI cross-border annually); PIPIA requirements under Art. 55; and three-tier cross-border transfer mechanism structure.
      • improved About section updated with current credentials, publications, and professional links from live portfolio.
      • improved Sticky desktop tab bar and scrollable mobile bottom tab bar across six modules.
      • fix Accordion headers now correctly toggle without layout shifts on repeated open/close.
      • fix Score ring animates correctly on first load and after re-running the checker with a different jurisdiction set.
      • fix Mobile bottom tab bar scrolls horizontally without clipping on narrow viewports.
      • fix Jurisdiction chip deselection correctly removes that jurisdiction's questions from the active assessment and recalculates the score ring.
      • fix RoPA modal forms reset cleanly on close; no stale data carryover between add and edit cycles.
    • v3.0
      2024
      • new Expanded to 9 jurisdictions: added PIPL (China) and Privacy Act 1988 (Australia)
      • new Mobile bottom tab bar navigation
      • improved Scoring system with per-jurisdiction progress bars
      • fix Various layout and rendering glitches on mobile viewports
    • v2.0
      2023
      • new Multi-jurisdiction selector with accordion-style question panels
      • new Gap analysis output panel with remediation recommendations
      • improved Question flow redesigned with Yes / No / N/A answer options
    • v1.0
      2022
      • new Initial launch with GDPR and DPDPA compliance checkers
      • new Basic compliance scoring output
    Regulatory timelines change. Always verify against the official gazette or regulatory authority website before acting. This calendar is for planning guidance only, not legal advice.
    Filter by Jurisdiction
    In Force
    EU AI Act: Prohibited AI Practices
    2 February 2025
    Passed

    Eight categories of AI practice are now permanently banned across the EU. These include: social scoring by public or private actors; real-time remote biometric identification in public spaces (limited exceptions for law enforcement); subliminal manipulation; exploitation of vulnerabilities of specific groups; untargeted scraping of facial images from the internet; emotion recognition in workplace and educational settings; and AI-based profiling to predict criminal offences.

    Penalty: up to €35M or 7% global turnover · Regulation (EU) 2024/1689, Art. 5 · AI Office enforces
    In Force
    EU AI Act: General Purpose AI (GPAI) Model Obligations
    2 August 2025
    Passed

    GPAI model providers must maintain technical documentation and a publicly available summary of training content (using the Commission template). Copyright compliance measures are required. Providers of GPAI models with systemic risk face additional obligations including adversarial testing. 26 major AI providers (Microsoft, Google, Amazon, OpenAI, Anthropic) signed the GPAI Code of Practice. Meta declined.

    Regulation (EU) 2024/1689, Art. 53 · EU AI Office enforces
    In Force
    DPDP Rules 2025 Notified; DPBI Established
    13 November 2025
    Passed

    The Digital Personal Data Protection Rules 2025 were officially notified via Gazette (G.S.R. 843(E) and 846(E)). The Data Protection Board of India (DPBI) is now established and operational. Board-constitution provisions, sections 18–26, and the penalty framework under sections 35 and 38–44 are in force. Substantive compliance obligations (consent, breach notification, rights) come into force 18 months from this date (May 13, 2027).

    18-month countdown began · G.S.R. 843(E), Official Gazette · DPDPA 2023 + DPDP Rules 2025
    In Force
    China: Cybersecurity Incident Reporting Measures
    1 November 2025
    Passed

    CAC issued final Measures for the Administration of the Reporting of Cybersecurity Incidents (effective 1 November 2025). Major incidents involving large-scale personal data or important data must be reported to the CAC within 1 hour. General cybersecurity incidents face tiered reporting windows of 4–24 hours depending on severity and scope. Applies to domestic and foreign companies providing network services or online products in China.

    1-hour notification for major incidents · CAC Cybersecurity Incident Reporting Measures 2025
    In Force
    CCPA/CPRA: CPPA Final Regulations Effective
    1 January 2026
    Passed

    California Privacy Protection Agency regulations effective: mandatory Privacy Risk Assessments (PRAs) required before initiating processing that presents a "significant risk" to consumer privacy; annual independent cybersecurity audits for qualifying businesses; updated rules on ADMT (automated decision-making technology), profiling in HR and education contexts, and AI training using biometric data. Data brokers must now disclose foreign government data sharing.

    PRAs required for new processing · Cal. Civ. Code §1798.185(a)(15) · California Privacy Protection Agency
    In Force
    China: Measures for Certification of Outbound Transfer of Personal Information
    1 January 2026
    Passed

    Third mechanism for cross-border transfers under PIPL now operational. Certification by a CAC-accredited body is an alternative to the CAC security assessment and the standard contract for qualifying organisations. Provides a more flexible compliance pathway for regular commercial data transfers not meeting security assessment thresholds.

    PIPL Art. 38(1)(iii) · CAC Certification Measures 2026
    Upcoming
    EU AI Act: High-Risk AI System Obligations Apply
    2 August 2026
    ~3.5 months

    Full obligations for Annex III high-risk AI systems become enforceable. High-risk categories include: AI used in critical infrastructure; education and vocational training; employment and worker management; access to essential private and public services; law enforcement; migration and border control; and administration of justice. All deployers and providers must complete conformity assessments, maintain technical documentation, and register systems in the EU database before this date.

    Penalty: up to €15M or 3% global turnover · Action required now: conformity assessments take 6–12 months · Regulation (EU) 2024/1689, Arts. 6, 9–15, 17, Annex III
    Upcoming
    DPDPA India: Consent Manager Registration Deadline
    13 November 2026
    ~7 months

    Entities seeking to operate as Consent Managers under DPDPA must complete registration by this date. Eligibility: India-incorporated entities only; minimum net worth of ₹2 crore; must operate an independent, interoperable consent management platform. Foreign platforms (including OneTrust, TrustArc) are not eligible to register as Consent Managers. Organisations relying on consent as a legal basis must integrate with a registered Consent Manager.

    12 months from Gazette notification · DPDP Rules 2025, Schedule 1 · G.S.R. 843(E), November 2025
    Upcoming
    CCPA/CPRA: First PRAs Due for Pre-2026 Processing
    31 December 2027
    ~20 months

    Businesses must have completed Privacy Risk Assessments for covered processing activities that existed before 1 January 2026 (the date the PRA regulations took effect). Covered activities include: selling or sharing personal information; processing sensitive PI; using ADMT for significant decisions; profiling in HR or educational contexts; and training ADMT or biometric technologies. Annual senior-executive attestation and summary submission to CPPA is due April 1, 2028.

    Begin PRA process now for complex activities · Cal. Civ. Code §1798.185(a)(15)(A)
    Critical Deadline
    DPDPA India: Full Substantive Compliance Mandatory
    13 May 2027
    ~13 months

    All substantive obligations of the DPDPA 2023 and DPDP Rules 2025 become enforceable with no grace period. Obligations include: privacy notices and granular consent; verifiable parental consent for children's data; 72-hour breach notification to DPBI and data principals; automated deletion when purpose is served; data principal rights infrastructure (access, correction, erasure, grievance redressal within 90 days); and security safeguards. Full penalties, up to ₹250 crore per violation, apply from Day 1.

    Penalty: up to ₹250 crore per violation · No grace period after this date · DPDPA 2023, Schedule + S. 3–17
    Upcoming
    EU AI Act: Full Application (All Provisions)
    2 August 2027
    ~16 months

    Full application including high-risk AI systems embedded in regulated products (medical devices, machinery, aviation, automotive). Legacy AI systems deployed before August 2026 that are subject to Annex III must comply by this date. Note: Under the EU's Digital Omnibus simplification package (proposed November 2025), certain enforcement timelines for high-risk systems may be extended if harmonised standards are unavailable; backstop dates of December 2, 2027 and August 2, 2028 have been proposed.

    Regulation (EU) 2024/1689, Art. 113 · Digital Omnibus simplification package under consideration
    Upcoming
    CCPA/CPRA: First Cybersecurity Audit Certification Due (>$100M Revenue)
    1 April 2028
    ~24 months

    Businesses with annual revenue exceeding $100M that process PI presenting a "significant risk to security" must file their first annual independent cybersecurity audit certification by April 1, 2028. Phased for smaller businesses: $50M–$100M by April 1, 2029; $25M–$50M by April 1, 2030. Triggers for "significant risk": 50%+ revenue from selling/sharing PI; 250,000+ consumer records; or 50,000+ sensitive PI records.

    Cal. Civ. Code §1798.185(a)(15)(B) · California Privacy Protection Agency
    Breach Notification Timelines: Quick Reference (Verified April 2025)
    Jurisdiction | Authority Notification | Individual Notification | Threshold | Primary Reference
    🇪🇺 GDPR (EU) | 72 hours from awareness | Without undue delay (high risk) | Art. 33: any risk to rights; Art. 34: high risk | Arts. 33–34, GDPR
    🇮🇳 DPDPA (India) | Without delay (initial); 72 hours for full report | Without delay to each affected data principal | Any personal data breach | S. 8(6) DPDPA; Rule 7, DPDP Rules 2025
    🇺🇸 CCPA/CPRA (CA) | Notify CA AG if >500 CA residents; no fixed deadline | "Expedient time", governed by Cal. Civ. Code §1798.82 (not CCPA/CPRA) | Unencrypted PI affected | Cal. Civ. Code §1798.82
    🇧🇷 LGPD (Brazil) | 3 working days from awareness | Reasonable timeframe | Risk or significant harm to data subjects | Art. 48 LGPD; ANPD CD/ANPD 15/2024
    🇹🇭 PDPA (Thailand) | 72 hours for high-risk breaches | Without undue delay (high risk) | Likely to cause harm to data subjects | S. 37(3), PDPA Thailand
    🇸🇬 PDPA (Singapore) | 3 calendar days after notifiable determination (30-day overall target from discovery) | As soon as practicable after PDPC notified | Significant harm OR 500+ individuals | S. 26D, PDPA Singapore
    🇨🇳 PIPL (China) | Immediately to CAC; major incidents (national security / >100K persons): 1–8 hours (Cybersecurity Incident Reporting Measures, eff. 1 Nov 2025) | Immediately, unless effective remediation avoids harm | Any PI breach or potential breach | Art. 57 PIPL; CAC Cybersecurity Incident Reporting Measures 2025
    🇿🇦 POPIA (South Africa) | As soon as reasonably possible to Information Regulator | As soon as reasonably possible | Reasonable belief of unauthorised access | S. 22, POPIA
    🇦🇺 Privacy Act (Australia) | As soon as practicable to OAIC | As soon as practicable (or publish statement if impracticable) | Likely to result in serious harm (NDB scheme) | Pt IIIC, Privacy Act 1988
    A breach response plan must be tailored to your specific circumstances, data types, and jurisdictions. This playbook provides a legally grounded starting framework, not a substitute for qualified legal advice or a pre-approved incident response plan.
    DPO / Information Officer Necessity Checker

    Answer the questions to determine whether appointment of a DPO or equivalent is mandatory under GDPR, DPDPA, LGPD, and PDPA frameworks.

    Penalty Structures: All 9 Jurisdictions (Primary sources)
    Jurisdiction | Maximum Administrative Fine | Criminal Penalties | Other Consequences | Enforcement Authority
    🇪🇺 GDPR (EU) | €20M or 4% of global annual turnover, whichever is higher (Art. 83(5)); €10M or 2% for less serious violations (Art. 83(4)) | Member state criminal law applies, varies by country | Temporary/permanent bans on processing; orders to erase data; suspension of data flows | National DPAs (CNIL, ICO, BfDI, DPC, etc.)
    🇮🇳 DPDPA (India) | Up to ₹250 crore for failure to implement security safeguards or failure to notify breach; ₹200 crore for children's data violations; ₹50 crore for failure to maintain accuracy; ₹10,000 per individual for unresolved grievances (Schedule, DPDPA 2023) | No criminal sanctions under DPDPA (administrative penalties only) | DPBI can issue directions to cease processing; SDF-specific orders | Data Protection Board of India (DPBI)
    🇺🇸 CCPA/CPRA (CA) | $2,500 per unintentional violation; $7,500 per intentional violation (Cal. Civ. Code §1798.155); civil penalties up to $2,500 per affected child for children's data violations | No criminal sanctions directly under CCPA/CPRA | Private right of action for data breach: statutory damages $100–$750 per consumer or actual damages; CPPA enforcement actions | California Privacy Protection Agency (CPPA); CA Attorney General
    🇧🇷 LGPD (Brazil) | 2% of Brazil operations turnover in the prior fiscal year, up to R$50M per violation (Art. 52(I)); reduced for good faith, cooperation, and risk mitigation | No criminal sanctions under LGPD | Daily fines; suspension of processing for up to 6 months; prohibition of processing; deletion of personal data | Autoridade Nacional de Proteção de Dados (ANPD)
    🇹🇭 PDPA (Thailand) | Administrative fines up to THB 5 million (S. 83–86, PDPA Thailand) | Up to 1 year imprisonment and/or THB 1M fine; up to 3 years imprisonment and/or THB 3M fine for sensitive PI; intentional malicious use: up to 6 months imprisonment and/or THB 500K | Civil liability: actual damages plus additional punitive compensation up to twice actual damages | Office of PDPC Thailand; Criminal courts
    🇸🇬 PDPA (Singapore) | S$1M or 10% of annual local turnover (whichever is higher) for large organisations; S$1M for all others (S. 48J, PDPA 2012 as amended 2020) | Up to S$100,000 or imprisonment of up to 12 months or both (depending on offence); enhanced criminal penalties for malicious disclosure | Directions to stop collection or use; directions to destroy PI; public naming | Personal Data Protection Commission (PDPC)
    🇨🇳 PIPL (China) | Up to CNY 50M or 5% of prior year turnover for serious violations (Art. 66(2) PIPL); up to CNY 1M for less serious violations (Art. 66(1)); business licence revocation possible; persons directly responsible: up to CNY 1M personal fine | Criminal liability under PRC Criminal Law for serious cases | Suspension or termination of services; prohibition from processing; national blacklist for responsible individuals | Cyberspace Administration of China (CAC); sectoral authorities
    🇿🇦 POPIA (South Africa) | Administrative fines up to R10,000,000 (S. 107, POPIA) | Imprisonment up to 10 years for certain offences (obstructing the regulator, unlawful processing of special category data maliciously) | Civil damages by data subjects; enforcement notices; public naming | Information Regulator (South Africa)
    🇦🇺 Privacy Act (Australia) | AU$50M or 3× the benefit obtained or 30% of adjusted turnover in the relevant period, whichever is greater, for serious/repeated interferences (S. 13G, Privacy Act 1988 as amended 2024) | No criminal sanctions directly under Privacy Act | Civil penalties; enforceable undertakings; injunctions; declaratory relief; compensation orders | Office of the Australian Information Commissioner (OAIC)

    Sources: GDPR Arts. 83–84; DPDPA 2023 Schedule; Cal. Civ. Code §1798.155; LGPD Art. 52; PDPA Thailand Ss. 83–86; PDPA Singapore S. 48J; PIPL Art. 66; POPIA S. 107; Privacy Act 1988 (Cth) S. 13G (as amended by Privacy and Other Legislation Amendment Act 2024). Fines are per-violation figures; cumulative fines may be significantly higher for systemic violations.

    GDPR Adequacy Decisions: Current Status (Updated April 2025)

    Countries/territories with a European Commission adequacy decision allow personal data transfers from the EEA without additional transfer mechanisms. Status as of April 2025.

    Full Adequacy
    Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, Uruguay
    EU–US Data Privacy Framework
    United States (certified organisations only). Adopted 10 July 2023. Under scrutiny by the CJEU (Schrems III proceedings).
    EU–UK Adequacy
    United Kingdom: renewed December 2025; valid until December 2031 (with mid-term review).
    No Adequacy Decision
    India, China, USA (non-certified entities), Brazil, most of Southeast Asia, and most of Africa. SCCs or other Art. 46 mechanisms required.
    04 / 17 · Assessments

    Legitimate Interest Assessment

    The three-part test under Art. 6(1)(f) GDPR (purpose, necessity, and balancing), structured as a guided form. Generates a defensible, documented LIA suitable for your records file.

    A properly documented LIA is required before relying on legitimate interests (ICO guidance). It is the first document supervisory authorities request. Complete all three parts.
    Assessment Details
    01 · Purpose Test

    Identify the legitimate interest pursued. Interests may be your own, those of a third party, or broader commercial or societal interests. Not all interests are legitimate; the test is objective.

    02 · Necessity Test

    Processing must be necessary to achieve the interest, not merely useful. If the interest can be achieved with less intrusive processing, legitimate interests fails.

    03 · Balancing Test

    Weigh your interest against the rights, freedoms, and reasonable expectations of data subjects. If the balance tips toward the individual, legitimate interests fails.

    07 / 17 · Builders

    Data Subject Request Tracker

    Log, track, and manage Data Subject Access Requests and other rights requests. Auto-calculated deadlines per jurisdiction, status management, and CSV export.

    Session only. Data is not persisted beyond your browser tab. Export to CSV before closing. Deadlines are calculated based on statutory response windows in each jurisdiction.
    Add New Request
    # · Name · Type · Jurisdiction · Received · Deadline · Days Left · Status · Actions
    08 / 17 · Builders

    Privacy Notice Generator

    Fill in a structured form and generate a GDPR- and DPDPA-ready privacy notice draft. The output covers all mandatory disclosures under Arts. 13 and 14 GDPR and S. 5 DPDPA.

    The generated draft is a starting template, not a final legal document. Have a qualified lawyer review and tailor it to your specific processing activities before publication.
    Controller Details
    Data Categories Processed
    Purposes and Legal Bases
    Sharing and Transfers
    Generated Notice Preview
    Fill in the form and click Generate to see your privacy notice here.
    09 / 17 · Builders

    Data Processing Agreement Checklist

    Assess whether a draft DPA covers all mandatory clauses under Art. 28 GDPR, DPDPA processor obligations, and LGPD Art. 39. Answer Yes, Partial, or No per clause and get a structured gap list for negotiation.

    Covers the mandatory clauses under Art. 28(3) GDPR and corresponding provisions. Additional clauses may be required depending on the processing activity, sector, and commercial negotiation.
    10 / 17 · Reference

    Cross-Border Transfer Mechanism Selector

    A decision tree for identifying the correct lawful mechanism for an international personal data transfer. Covers GDPR Chapter V, DPDPA S. 16, PIPL Arts. 38 to 43, and POPIA S. 72.

    Selection of a transfer mechanism is the starting point, not the end. SCCs and BCRs require a Transfer Impact Assessment before reliance (see TIA module).
    11 / 17 · Reference

    Regulatory Authority Directory

    Data protection authorities, complaint portals, and breach notification URLs across nine jurisdictions. Verified against official sources, April 2025.

    Always verify that you are accessing the official website of the relevant authority. Regulatory portals occasionally change URLs; check the official government domain first.
    Summary: Read This First

    Privacipher is a free educational tool built by a practising technology lawyer. It does not give legal advice. Nothing it produces (assessment outputs, gap reports, playbooks, or any other content) constitutes advice on which you should rely without qualified legal review. Use it to structure your thinking and prepare drafts. Have a lawyer check the output. The tool processes nothing on the server side: all data stays in your browser and disappears when you close the tab.

    1. Nature of This Tool

    Privacipher is an informational and educational privacy compliance platform built and maintained by Adv. Sanket Shah, a technology lawyer practising in Indore, India, holding an LL.M. in IPR and Technology Law from Jindal Global Law School and enrolled at the Bar Council of India.

    The tool is provided free of charge on a purely informational basis. Access to, or use of, Privacipher, including any of its modules (Compliance Checker, RoPA Builder, Transfer Impact Assessment, PIA/DPIA, Breach Response Playbook, Enforcement Calendar, Quick Tools, or any other current or future module), does not create, and is not intended to create, a lawyer-client relationship, an attorney-client relationship, a solicitor-client relationship, or any other professional advisory relationship of any kind between Adv. Sanket Shah and the user.

    No duty of care, confidentiality, privilege, or any other professional obligation arises from the use of this tool. Users are not "clients" of Adv. Sanket Shah by virtue of using Privacipher.

    2. Not Legal Advice

    Nothing produced by, contained within, or generated by Privacipher constitutes legal advice, legal opinion, or a substitute for qualified legal counsel. This includes without limitation: compliance assessments and readiness scores; gap reports and remediation recommendations; Records of Processing Activities (RoPAs); Transfer Impact Assessments; Privacy and Data Protection Impact Assessments; Breach Response Playbooks; Enforcement Calendar entries; DPO necessity determinations; penalty reference information; adequacy decision summaries; and any other content, output, or guidance the tool generates.

    All outputs are intended as starting points to structure internal thinking, prepare working drafts, and identify areas for further professional review, not as definitive compliance determinations. Before acting on any output, filing any regulatory notification, executing any contractual document, or making any business decision based on or informed by outputs from this tool, users must obtain advice from a qualified lawyer with expertise in the applicable jurisdiction and subject matter.

    Privacy and data protection law is highly fact-specific. A general compliance assessment cannot substitute for advice tailored to your organisation's specific circumstances, processing activities, risk profile, sector, and applicable regulatory requirements.

    3. No Warranty of Accuracy, Completeness, or Currency

    Reasonable efforts are made to ensure that the content of this tool reflects the state of the law as of the version date stated in the Changelog. All statutory provisions, regulatory deadlines, penalty figures, and enforcement information are verified against primary legal texts at the time of writing. However:

    • Privacy and data protection laws change frequently and sometimes rapidly. Regulatory guidance, enforcement decisions, and court judgments issued after the version date may alter the analysis.
    • The tool covers nine jurisdictions at a general level. It does not capture sector-specific regulations (e.g. HIPAA, PCI-DSS, RBI Master Directions, SEBI regulations) that may impose additional or different obligations.
    • Penalty figures reflect statutory maximums. Actual penalties imposed by regulators depend on mitigating and aggravating factors, cooperation, and enforcement policy; they may be lower or, where multiple violations are aggregated, substantially higher.
    • Regulatory guidance, working party opinions, and supervisory authority decisions interpret and supplement the text of legislation. The tool cannot capture all such guidance and does not substitute for reading it directly.

    No representation, warranty, or guarantee (express or implied) is made that the content of this tool is accurate, complete, up to date, fit for any particular purpose, or applicable to any particular set of facts. Users are solely responsible for verifying all information against current primary legal texts and official regulatory guidance before acting.

    4. Limitation of Liability

    To the fullest extent permitted by applicable law, Adv. Sanket Shah, any contributors to the tool, and any persons or entities associated with its development or maintenance expressly disclaim all liability, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, for any loss, damage, cost, expense, regulatory penalty, compliance failure, business disruption, reputational harm, or other consequence of any kind arising from or in connection with:

    • Use of, or reliance on, any output, content, or guidance generated by or contained within this tool;
    • Any inaccuracy, incompleteness, or outdatedness in the content of the tool;
    • Any failure, interruption, or unavailability of the tool;
    • Any decision made, or action taken or omitted to be taken, on the basis of outputs from this tool, whether or not the loss was foreseeable and whether or not the user was advised of the possibility of such loss.

    Where liability cannot be excluded by law (for example, for fraud or death/personal injury caused by negligence), nothing in these terms limits or excludes that liability.

    5. Privacy & Data Processing

    Privacipher is a fully client-side application. All processing occurs in your browser using JavaScript. No personal data, company information, assessment answers, RoPA entries, risk assessment data, or any other information entered into or generated by this tool is transmitted to, collected by, logged by, or stored on any server operated by Adv. Sanket Shah or any third party associated with this tool.

    All session data is held in browser memory only and is permanently and irrecoverably lost when the browser tab is closed, unless the user exports it using the built-in export functions (e.g. RoPA CSV/JSON export, gap report export, PIA report export). Adv. Sanket Shah has no access to, and retains no copy of, any data entered by users.

    This tool does not use cookies, tracking pixels, analytics scripts, or any third-party data collection mechanisms. The only external resources loaded are Google Fonts (typography); standard browser privacy controls apply to those requests.

    6. Permitted Use & Restrictions

    Subject to these terms, you are granted a non-exclusive, revocable, worldwide licence to access and use Privacipher for personal and professional purposes, including in a commercial context. You may use outputs generated by the tool in your own compliance work, client advisory work, internal training, and documentation.

    You must not: (a) resell or sublicense this tool or present it as your own product; (b) remove or obscure any attribution to Adv. Sanket Shah; (c) use the tool or its outputs in a manner that implies endorsement by Adv. Sanket Shah of any product, service, or compliance position without written permission; or (d) represent any output of this tool as constituting legal advice or a formal legal opinion.

    Attribution: if you publicly share or publish outputs generated by this tool, attribution to Privacipher (https://advsanketshah.github.io/Privacipher/) and Adv. Sanket Shah is appreciated but not legally required for personal or professional use.

    7. Open Source & Contributions

    Privacipher is open source. The source code is publicly available at github.com/advsanketshah/Privacipher. You are welcome to fork, adapt, and contribute to the tool. Pull requests, issue reports, and suggestions for improving regulatory accuracy are actively encouraged.

    If you identify a legal inaccuracy (an incorrect statutory reference, an outdated regulatory deadline, or a missing jurisdiction-specific requirement), please raise a GitHub issue citing the primary source (statute, regulation, or official regulatory guidance). This helps keep the tool accurate for all users.

    8. Third-Party Links & Resources

    This tool may reference or link to external regulatory websites, official gazette publications, supervisory authority portals, and other third-party resources. These links are provided for convenience and reference only. Adv. Sanket Shah has no control over, and accepts no responsibility for, the content, accuracy, or availability of any third-party website or resource. The inclusion of a link does not imply endorsement.

    Links to official regulatory portals (e.g. EDPB, OAIC, PDPC Singapore, Information Regulator South Africa) are provided to help users locate primary sources. Always verify that you are accessing the official website of the relevant authority.

    9. Governing Law & Jurisdiction

    These terms of use are governed by the laws of India. Any dispute arising from or in connection with the use of this tool shall be subject to the exclusive jurisdiction of the courts of Indore, Madhya Pradesh, India.

    Users outside India access the tool on the understanding that local laws may impose additional obligations, and that accessing the tool does not imply that these terms satisfy any local legal requirement for terms of service, data processing notices, or similar.

    10. Changes to These Terms

    These terms may be updated from time to time to reflect changes in the tool's features, applicable law, or best practice. The current version of the terms is always available in this tab. The version date is reflected in the tool's Changelog. Continued use of the tool after terms are updated constitutes acceptance of the revised terms.

    These terms were last updated: April 2025 (Privacipher v4.1).

    11. Contact

    For questions about these terms, to report a legal inaccuracy in the tool, or to enquire about professional legal services:

    Email: advocatesanketshah@gmail.com · LinkedIn: Adv. Sanket Shah · Portfolio