
Compliance investment
What a GDPR audit costs in Germany
Price ranges, what the audit actually checks, and how to decide whether you need one now. Concrete numbers for technical privacy audits in Germany and the EU.

TL;DR
- A focused technical GDPR audit (one website or application, cookie and tracking review, data flow mapping, third-party processor list) costs €3,500 to €8,000.
- A full technical and organisational GDPR audit covering multiple systems, processing records, DPA review, and a remediation roadmap runs €8,000 to €25,000.
- Enterprise-level GDPR compliance programmes (multi-jurisdiction, data residency, AI Act considerations, third-party processor due diligence) cost €25,000 to €60,000 or above.
- Fines under GDPR can reach 4 percent of global annual turnover or €20 million, whichever is higher. For a €10m turnover company, that means up to €400,000 exposure from a single complaint or audit.
- See how we approach technical compliance audits including GDPR review for European companies.
What a technical GDPR audit covers
Most GDPR problems are *technical*, not just policy documents.
Many companies believe their GDPR compliance is covered by a privacy policy and a cookie banner. It is not. GDPR compliance is a technical matter as much as a legal one. A consent banner that fires after a Google Analytics script has already loaded is not compliant. A HubSpot form that sends personal data to a US server without an adequacy decision or SCCs in place is not compliant. A contact form that stores submissions in a shared database with no retention limit is not compliant.
**A technical GDPR audit checks what the systems actually do, not just what the policy says.** That means: inspecting network requests to identify third-party data flows, verifying consent management platform configuration, checking data processor agreements, reviewing cookie classification, auditing server and database configurations for data minimisation and retention, and testing whether consent withdrawal actually stops data collection.
The audit produces a gap list and a remediation roadmap ordered by risk level. High-risk findings (tracking without consent, data transfers without legal basis) go to the top. Lower-risk findings (missing retention periods on internal logs) go to a maintenance backlog. Companies that act on the high-risk findings first reduce their regulatory exposure significantly even before completing the full remediation.
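The consent check described above (which third-party requests leave the browser, and under what consent state) can be run over a HAR capture exported from the browser's network panel. The script below is an added example, not part of the original article: the tracker host mapping and the consent-event format are assumptions for illustration, and the HAR excerpt and consent timestamps are constructed.

```python
from datetime import datetime
from urllib.parse import urlparse

# Hosts of the trackers the article names. Assumed mapping for this example;
# a real audit takes the vendor list from the site's consent management platform.
TRACKER_HOSTS = {
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "js.hs-scripts.com": "HubSpot",
}

def parse_har_time(value):
    """Parse the ISO-8601 timestamps a HAR capture uses (accepts a trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def consent_state_at(when, consent_events):
    """CMP state ('granted' or 'denied') in force at `when`; 'none' before any choice was made."""
    state = "none"
    for event in sorted(consent_events, key=lambda e: parse_har_time(e["time"])):
        if parse_har_time(event["time"]) <= when:
            state = event["state"]
    return state

def find_unconsented_tracking(har, consent_events):
    """Return every tracker request that fired while consent was absent or refused."""
    findings = []
    for entry in har["log"]["entries"]:
        host = urlparse(entry["request"]["url"]).hostname
        if host not in TRACKER_HOSTS:
            continue  # first-party or non-tracking request: not a consent finding
        state = consent_state_at(parse_har_time(entry["startedDateTime"]), consent_events)
        if state != "granted":
            findings.append({"vendor": TRACKER_HOSTS[host], "host": host, "consent_state": state})
    return findings

# Constructed sample capture: analytics fires before the banner is answered,
# the visitor then declines at 09:00:05, and the pixel still loads afterwards.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2026-01-10T09:00:00.100Z", "request": {"url": "https://example.com/"}},
    {"startedDateTime": "2026-01-10T09:00:00.400Z", "request": {"url": "https://www.google-analytics.com/g/collect?v=2"}},
    {"startedDateTime": "2026-01-10T09:00:07.000Z", "request": {"url": "https://connect.facebook.net/en_US/fbevents.js"}},
]}}
SAMPLE_CONSENT = [{"time": "2026-01-10T09:00:05.000Z", "state": "denied"}]

if __name__ == "__main__":
    for f in find_unconsented_tracking(SAMPLE_HAR, SAMPLE_CONSENT):
        print(f"{f['vendor']} ({f['host']}) fired with consent state '{f['consent_state']}'")
```

Both findings in the sample map directly to the high-risk category in the gap list: one request before any consent decision, one after an explicit refusal.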
Cost by audit scope
What a technical GDPR audit costs in Germany and the EU, 2026.
| Audit scope | Typical price range | Timeline | What is covered | Best fit |
|---|---|---|---|---|
| Focused website audit | €3,500 to €8,000 | 2 to 4 weeks | Cookie and tracking audit, consent management review, third-party data flow map, basic DPA checklist, written gap report | Companies wanting a fast baseline on their main website or landing page |
| Full technical and organisational audit | €8,000 to €25,000 | 4 to 8 weeks | All focused items plus: processing records review, data subject rights testing (access, erasure), internal system audit, retention and minimisation check, DPA review for all processors, remediation roadmap | B2B companies preparing for a client audit, investor due diligence, or proactive compliance ahead of regulatory inquiry |
| Multi-system compliance audit | €25,000 to €60,000 | 8 to 16 weeks | All full audit items plus: multi-country jurisdiction mapping, AI Act pre-screening, data residency verification, third-party processor due diligence, board-level risk summary | Mid-market or enterprise companies with multiple products, multiple data residency requirements, or regulated industries |
What raises the cost
Four factors that push a GDPR audit above the base rate.

01 Number of systems and data processors
Every system that touches personal data is in scope: CRM, email marketing, analytics, support tools, HR systems, payment processors, cloud infrastructure. A company using eight third-party processors takes three times longer to audit than one using two. Before commissioning an audit, produce a list of every tool that receives personal data. It will help scope the audit and may reveal surprises.

02 Cross-border data transfers
Data transfers outside the EU or EEA require a legal basis beyond GDPR standard clauses. Standard Contractual Clauses (SCCs), adequacy decisions, or Binding Corporate Rules must be in place. Transfers to the US require scrutiny since the EU-US Data Privacy Framework is subject to challenge. Each transfer route needs documentation. Companies with US-headquartered SaaS tools face the most complexity here.

03 Sensitive data categories
GDPR Article 9 defines special categories: health data, biometric data, genetic data, political opinions, religious beliefs, trade union membership, sexual orientation. Processing any of these requires explicit consent or a specific legal basis. If a company processes special category data, the audit scope expands to verify the legal basis, the data minimisation controls, and the security measures protecting it.

04 Automated decision-making and AI
GDPR Article 22 restricts fully automated decision-making that significantly affects individuals. The EU AI Act adds further requirements for AI systems that assess risk, make recommendations, or influence decisions. If a company uses AI for hiring, credit assessment, or personalised pricing, a GDPR audit must include Article 22 compliance and an AI Act pre-screening. This is an emerging and fast-moving area of the audit scope.
Common questions
What companies ask when deciding whether to commission a GDPR audit.
How much does a GDPR audit cost in Germany?
A focused technical GDPR audit of a website or single application costs €3,500 to €8,000 in Germany. A full technical and organisational audit covering processing records, data subject rights, and a remediation roadmap runs €8,000 to €25,000. Multi-system or enterprise-level audits cost €25,000 to €60,000. These are fees for technical audit work only; legal counsel is billed separately.
Is a GDPR audit required by law?
GDPR does not require a formal external audit by name. It does require controllers to demonstrate compliance on request, maintain processing records, conduct Data Protection Impact Assessments for high-risk processing, and respond to data subject requests within one month. A technical audit is the practical way to verify that systems actually comply, not just that policies say they do.
What is the biggest GDPR risk for B2B websites?
Tracking and analytics without valid consent is the most common high-risk finding in website audits. Google Analytics, Meta Pixel, LinkedIn Insight Tag, and HubSpot tracking all collect personal data. Loading them before consent is recorded, or loading them when a user declines consent, is a GDPR violation. Fines in Germany for consent management failures have run from €50,000 to over €300,000 from single complaints to the DPA.
How long does a GDPR audit take?
A focused website audit takes two to four weeks from kick-off to final report. A full technical and organisational audit takes four to eight weeks. The timeline depends on how quickly the client can provide system access, processor lists, and existing documentation. Companies with no prior compliance documentation take longer than those with an existing record of processing activities.
What happens after the GDPR audit?
The audit produces a gap report ordered by risk level. High-risk findings should be remediated within 30 to 60 days. Medium-risk findings can be addressed in the following quarter. Low-risk findings go into a maintenance plan. Remediation is not included in the audit price but can be scoped separately. Some findings (policy updates, consent banner configuration) are fast to fix. Others (data residency changes, processor replacements) take months.
How we approach GDPR audits at SomeTech.work
We start with the *technical layer*, where most violations actually live.
Our GDPR audits start with network-level inspection: what data leaves the browser, when, to whom, and under what consent state. **Most organisations are surprised by the gap between what their privacy policy says and what their analytics and marketing stack actually sends.** We produce a written gap report with specific technical findings, risk levels, and remediation steps. Legal interpretation is referred to our privacy law partners.
We cover website and application audits, processing record reviews, data processor due diligence, and consent management platform configuration. For companies that have never had a technical GDPR review, the focused website audit at €3,500 to €8,000 is the right starting point. It surfaces the highest-risk issues quickly without the cost of a full audit. See our technical compliance and strategy services for scope details.