GDPR · Odoo 19

GDPR module for Odoo 19: RoPA, DSAR, breaches and DPIA inside your ERP

The GDPR requires you to document your processing activities, answer data-subject requests on time, log any breach and assess your high-risk processing. Trying to do that with spreadsheets and email threads falls apart fast. This module for Odoo 19 brings the four operational GDPR registers into your own Odoo: records of processing (RoPA, Art.30), data-subject requests (DSAR, Arts.15-21), a breach log (Arts.33-34) and impact assessments (DPIA, Art.35).

RoPA (Art.30)Records of processing activities documented inside Odoo.
DSAR (Arts.15-21)A case for every rights request, with its own deadline.
Breaches (Arts.33-34)A security-incident log with a full audit trail.
DPIA (Art.35)Impact assessments for your high-risk processing.
GDPR compliance registers managed inside Odoo
GDPR inside the ERPRoPA, DSAR, breaches and DPIA in the same Odoo where the data lives.
Source code included (OPL-1) · Odoo 17 · 18 · 19 · One-time 49 € · no SaaS fee · Direct developer support

Real screenshots from the module

The very screens you get in Odoo — the real thing.

odoo-gdpr screenshot

Try the GDPR module inside a real Odoo 19, no sign-up. User demo / flexigodemo.

Try the live demo View on the App Store

The real GDPR problem for a small business

The GDPR does not scale down: if you process personal data, you have to document and run it much like any large company. But a small business has no dedicated privacy team keeping the registers and chasing deadlines week after week.

Registers scattered in spreadsheets

Your RoPA, rights requests and breaches end up spread across loose spreadsheets and email threads. When an audit or a request from the ICO or your DPA lands, pulling it all together is slow, and it is far too easy for something to be missing.

Rights deadlines that slip

An access or erasure request has a one-month clock. Without a case that records the date received and the due date, it is all too easy for a DSAR to go unanswered inside the deadline — which is exactly the kind of failure the GDPR penalises.

A breach with no audit trail

After a personal-data breach you have 72 hours to notify. Without a register capturing when it was detected, what happened and the measures you took, proving after the fact that you acted properly is next to impossible.

What the module does inside Odoo

It does not promise to comply with the GDPR for you or notify the authority on your behalf. It does the concrete, useful part: it keeps the four operational GDPR registers inside Odoo so you can maintain them, query them and produce them whenever you need to.

RoPA — Records of processing (Art.30)

Documents every processing activity: the purpose, the lawful basis, the categories of data and of data subjects, recipients and retention periods — inside Odoo and always ready for an audit.

DSAR — Data-subject requests (Arts.15-21)

Opens a case for every request to access, rectify, erase, object, restrict or port data, capturing the data subject, the type of right, the date received and the deadline, so no request goes unanswered in time.

Breach log (Arts.33-34)

Logs every security incident with the detection date, the nature of the breach, the data affected and the measures taken, leaving the audit trail you need to decide on notifying the authority and the data subjects within the 72-hour window.

DPIA — Impact assessments (Art.35)

Completes a data protection impact assessment for high-risk processing: a description of the processing, the risks to rights and freedoms, the mitigating measures and the decision — all linked back to the matching RoPA activity.

Compliance dashboard

A dashboard inside Odoo that shows your GDPR status at a glance: open DSARs with their deadlines, active breaches and DPIAs pending review, each linking straight to its register. You know where you stand before anyone asks.

Self-service rights portal

Your customers file their rights request straight from the Odoo portal, without emailing you: the DSAR is created automatically, its case opened and its deadline already running, and the data subject can track the status of their request.

Audit log

Every action on the GDPR registers is traced in a tamper-proof audit log: who did what, when and from which IP. Exactly the evidence you want to have when an inspection or a request from the authority arrives.

Retention schedule

Retention periods tied to each RoPA activity, with documented reviews and an automatic reminder when a period is due, so you actively decide to erase, anonymise or justify keeping the data — instead of hoarding everything just in case.

Live inside your Odoo in three steps

No separate platform, no extra login, no data leaving your instance. You install a single Odoo module and your GDPR registers live in the same place as your customers, orders and invoices.

1 · Install the module

Buy the licence on the Odoo App Store, drop the module into your Odoo 19, 18 or 17 and install it. It is self-contained and runs on both Community and Enterprise — no external service to wire up.

2 · Fill in your RoPA

Record your processing activities once — purpose, lawful basis, data categories, recipients and retention. That RoPA becomes the backbone everything else hangs off: DSARs, DPIAs and the retention schedule.

3 · Run it day to day

From then on it is business as usual: DSARs come in through the portal, breaches get logged as they happen, DPIAs are completed for risky processing, and the dashboard keeps every deadline in view.

One price. No subscription. Source included.

You buy the module once and it is yours to run on your own Odoo — no per-user fee, no separate privacy SaaS bleeding your budget every month.

49 € one-time payment

A single 49 € payment on the Odoo App Store. No monthly fee, no annual renewal to keep it running — you own the module.

Source code included (OPL-1)

You get the full source under the OPL-1 licence, so your team or your integrator can review it, tweak fields and adapt it to how you work.

Odoo 17, 18 and 19

Built and tested for Odoo 17, 18 and 19, on Community and Enterprise alike, so you are covered on your current version and your next upgrade.

Support straight from the developer

When you have a question about the RoPA or a DSAR you talk to the person who wrote the code, not a call-centre script. If you need a hand setting it up, we help.

Buy on the App Store — 49 €

The person who builds the module is the person who answers you

FlexigoTech is Flexibles y Accesorios Gobe, S.L., based in Barcelona. Development is handled by a single developer, so when you ask about the RoPA or a DSAR you are talking directly to whoever wrote the code — not a salesperson and not a first-line support desk that just forwards tickets.

19native Odoo
BCNlocal development
0extra SaaS

What it does and what it doesn't

It is a native Odoo 19 module — no external platform to maintain, no extra SaaS fee, and your data stays in your own instance. We don't make up reviews or certifications: the tool keeps your RoPA, DSARs, breaches and DPIAs. The official notification to the authority and the controller's legal responsibility stay with you, and we tell you that before you buy, not after.

Try the live demoAsk a question

If you came for the GDPR, this is for you too

The GDPR rarely comes alone. It usually turns up next to the whistleblowing channel, NIS2 security and other compliance duties that can all live inside a single Odoo.

Questions that usually come up with the GDPR

What does the GDPR module for Odoo 19 cover?

It covers the four operational GDPR registers inside Odoo: your records of processing activities (RoPA, Art.30), the handling of data-subject requests (DSAR, Arts.15-21), the personal-data breach log (Arts.33-34) and data protection impact assessments (DPIA, Art.35). Everything lives in your own Odoo, with no separate privacy platform to run alongside it.

Does the module make my business GDPR-compliant automatically?

No. Under the GDPR, compliance is the responsibility of the controller and the processor. What the module gives you is the structure to document and run that compliance inside Odoo: record your processing, handle rights requests against their deadlines, log an incident and complete a DPIA. The decisions and the legal responsibility stay with you or your DPO.

How does the module handle a data-subject request (DSAR)?

It opens a case for every request to access, rectify, erase, object, restrict or port data (Arts.15-21), recording the data subject, the type of right, the date received and the one-month response deadline, so no DSAR slips past the time limit the GDPR sets.

Does the Odoo GDPR module work with Odoo Community?

Yes. The module runs on both Odoo Community and Enterprise, for versions 19, 18 and 17. It is self-contained: it does not depend on any Enterprise-only app, so a Community install is enough to keep your RoPA, DSARs, breaches and DPIAs inside Odoo.

Can I try the module before buying?

Yes. There is a live demo — a real Odoo 19 with the module installed and no sign-up (user demo, password flexigodemo) — where you can browse the RoPA, open a DSAR, log a breach and complete a DPIA. Once you are happy, you buy the licence on the Odoo App Store for a one-time 49 €, source code included, and we can help you set it up if you need a hand.

The GDPR applies to you today. The only question is where your registers are.

You can carry on with loose spreadsheets, or have your RoPA, DSARs, breaches and DPIAs sorted inside Odoo. Try the demo and see it for yourself in five minutes.

Try the live demoView on the App Store · +34 639 913 105