GDPR/DSGVO Elite
A specialized skill for EU General Data Protection Regulation (GDPR) and German Datenschutz-Grundverordnung (DSGVO) compliance — covering data protection auditing, privacy impact assessments, data processing agreements, consent management, breach notification procedures, and regulatory compliance documentation.
When to Use This Skill
Choose GDPR/DSGVO Elite when you need to:
- Audit data processing activities for GDPR compliance
- Conduct Data Protection Impact Assessments (DPIAs)
- Draft data processing agreements with third-party processors
- Design consent management workflows for web applications
- Prepare data breach notification documents and timelines
- Create Records of Processing Activities (RoPA)
Consider alternatives when:
- You need US privacy law compliance (CCPA, HIPAA — use specific skills)
- You need general legal contract drafting (use a legal skill)
- You need security implementation (use a cybersecurity skill)
Quick Start
```bash
# Run a GDPR compliance audit
claude "Perform a GDPR compliance check for a SaaS application that collects user emails, tracks page views with analytics, and stores data on AWS eu-west-1. Identify gaps and recommend fixes."
```
Example output:

```markdown
# GDPR Compliance Audit: SaaS Application

## Processing Activities Identified

| Activity          | Legal Basis        | Data Categories      | Status |
|-------------------|--------------------|----------------------|--------|
| User registration | Contractual (6.1b) | Email, name          | ✅ OK  |
| Page analytics    | Consent (6.1a)     | IP, behavior, device | ⚠️ Gap |
| Email marketing   | Consent (6.1a)     | Email, preferences   | ⚠️ Gap |
| Cloud storage     | Legitimate (6.1f)  | All user data        | ✅ OK  |

## Gaps Found

### 1. Analytics Without Valid Consent (HIGH)
**Issue**: Page view tracking fires before cookie consent.
**GDPR Article**: 6(1)(a), ePrivacy Directive Art. 5(3)
**Fix**: Block analytics scripts until explicit consent. Implement a consent management platform (CMP).

### 2. No Cookie Banner Implementation (HIGH)
**Issue**: No mechanism to collect/manage cookie consent.
**Fix**: Implement TCF 2.0 compliant consent banner with:
- Accept / Reject / Customize options
- Granular category selection
- Consent withdrawal mechanism

### 3. Missing Privacy Policy Sections (MEDIUM)
**Issue**: Privacy policy lacks data retention periods and automated decision-making disclosures.
**Fix**: Add sections per Articles 13/14 checklist.

### 4. No Data Processing Agreement with AWS (MEDIUM)
**Issue**: AWS DPA not executed.
**Fix**: Sign AWS GDPR Data Processing Addendum (available at aws.amazon.com/compliance/gdpr-center).
```
Core Concepts
GDPR Legal Bases for Processing
| Legal Basis | Article | When to Use | Documentation Required |
|---|---|---|---|
| Consent | 6(1)(a) | Marketing, analytics, non-essential cookies | Consent records, withdrawal mechanism |
| Contractual | 6(1)(b) | Service delivery, account management | Contract/ToS reference |
| Legal Obligation | 6(1)(c) | Tax records, employee data | Applicable law citation |
| Vital Interests | 6(1)(d) | Emergency medical situations | Justification document |
| Public Interest | 6(1)(e) | Government, public authorities | Legal basis reference |
| Legitimate Interest | 6(1)(f) | Security, fraud prevention, analytics | LIA (Legitimate Interest Assessment) |
Data Subject Rights
```markdown
## Rights Checklist (Articles 15-22)

### Right of Access (Art. 15)
- [ ] Can users request all data held about them?
- [ ] Response within 30 days?
- [ ] Provided in machine-readable format?

### Right to Rectification (Art. 16)
- [ ] Can users correct inaccurate data?
- [ ] Are corrections propagated to processors?

### Right to Erasure (Art. 17)
- [ ] Can users request account/data deletion?
- [ ] Are backups purged within retention period?
- [ ] Are processors notified of erasure requests?

### Right to Data Portability (Art. 20)
- [ ] Can users export data in JSON/CSV?
- [ ] Can data be transferred to another controller?

### Right to Object (Art. 21)
- [ ] Can users opt out of profiling?
- [ ] Can users object to legitimate interest processing?
- [ ] Is direct marketing opt-out immediate?
```
Data Breach Response
```markdown
## Breach Notification Timeline

### Within 72 Hours — Supervisory Authority (Art. 33)
Notify the relevant DPA with:
- Nature of the breach (categories, approximate numbers)
- Contact details of the DPO
- Likely consequences
- Measures taken or proposed

### Without Undue Delay — Data Subjects (Art. 34)
Required when breach is "likely to result in a high risk to the rights and freedoms of natural persons":
- Clear description of the breach
- Likely consequences
- Measures taken to address it
- Recommendations for individuals to protect themselves

### Documentation Requirements
- Date and time of discovery
- How breach was discovered
- Data categories and volume affected
- Root cause analysis
- Remediation actions with timelines
```
Configuration
| Parameter | Description | Example |
|---|---|---|
| jurisdiction | Primary EU member state | "Germany" / "France" |
| company_role | Controller or processor | "controller" |
| industry | Business sector for specific guidance | "SaaS" / "healthcare" |
| data_categories | Types of personal data processed | ["email", "IP", "name"] |
| audit_scope | Scope of compliance check | "full" / "processing" |
| output_format | Documentation format | "markdown" / "docx" |
Best Practices
- Map all data flows before assessing compliance — Create a complete inventory of every system that touches personal data, including third-party services, analytics tools, and CDNs. You cannot assess compliance for processing activities you haven't identified.
- Use consent only when you genuinely offer a choice — If the service cannot function without the data, consent is the wrong legal basis — use contractual necessity instead. Consent must be freely given, and "consent or no service" is not free consent under GDPR.
- Document your Legitimate Interest Assessments — When relying on Article 6(1)(f), write a formal LIA that balances your legitimate interest against the individual's rights. Regulators specifically ask for these during audits, and "we thought it was legitimate" without documentation is insufficient.
- Implement privacy by design in your development process — Integrate data protection considerations into your product development lifecycle, not as an afterthought. Review new features for data protection implications before they reach production, and include DPIA screening in your sprint process.
- Test your data subject rights workflows quarterly — Submit test access, deletion, and portability requests through your own systems. Many organizations discover their rights-handling processes are broken only when a real data subject or regulator tests them.
Common Issues
Cookie consent is collected but not enforced technically — Having a cookie banner that records consent but doesn't actually block tracking scripts until consent is given provides zero compliance benefit. Verify that analytics, advertising, and social media scripts are technically blocked until the user actively consents, and that rejection works as completely as acceptance.
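The following is an added example, not code from the skill or from any CMP product: a minimal consent gate showing the enforcement half of the problem. Scripts registered against a category stay unloaded until the user has explicitly granted that category, rejection and "no choice yet" are treated identically, withdrawal blocks further loads, and every decision is written to a timestamped consent record. The `loadScript` hook is an assumption of this design: in a browser you would pass a function that appends a `<script>` element, while the demo below passes a stub so the logic runs under Node. The URLs are constructed placeholders.

```javascript
// Added example (not part of the original skill): a consent gate that keeps
// non-essential scripts blocked until explicit consent per category.
const CATEGORIES = ["analytics", "advertising", "social"];

function createConsentGate({ loadScript, now = () => new Date() }) {
  // category -> scripts waiting for consent (nothing loads before an explicit "yes")
  const pending = { analytics: [], advertising: [], social: [] };
  // category -> true/false; null until the user has actually made a choice
  const decisions = { analytics: null, advertising: null, social: null };
  const loaded = [];   // URLs actually handed to loadScript, for verification
  const record = [];   // consent audit trail (who chose what, and when)

  function register(category, url) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (decisions[category] === true) {
      loadScript(url);
      loaded.push(url);
    } else {
      pending[category].push(url);
    }
  }

  function applyDecision(choices, action) {
    for (const category of CATEGORIES) {
      // Anything other than an explicit true is a rejection: "reject" and
      // "never answered" must block exactly the same scripts.
      const granted = choices[category] === true;
      decisions[category] = granted;
      if (granted) {
        for (const url of pending[category].splice(0)) {
          loadScript(url);
          loaded.push(url);
        }
      }
    }
    record.push({ at: now().toISOString(), action, choices: { ...decisions } });
  }

  return {
    register,
    acceptAll: () => applyDecision({ analytics: true, advertising: true, social: true }, "accept_all"),
    rejectAll: () => applyDecision({}, "reject_all"),
    customize: (choices) => applyDecision(choices, "customize"),
    // Withdrawal stops future loads; a script already running needs a page
    // reload to stop, which the caller should trigger.
    withdraw: (category) => applyDecision({ ...decisions, [category]: false }, `withdraw_${category}`),
    isAllowed: (category) => decisions[category] === true,
    loadedScripts: () => [...loaded],
    consentRecord: () => record.map((r) => ({ ...r, choices: { ...r.choices } })),
  };
}

// Demo with a stub loader and a fixed clock (constructed data, runs under Node).
function runGateDemo() {
  const calls = [];
  const gate = createConsentGate({
    loadScript: (url) => calls.push(url),
    now: () => new Date("2024-01-01T00:00:00Z"),
  });
  gate.register("analytics", "https://example.invalid/analytics.js");   // placeholder URL
  gate.register("advertising", "https://example.invalid/ads.js");       // placeholder URL
  const beforeChoice = gate.loadedScripts().length;   // 0: nothing fires before consent
  gate.rejectAll();
  const afterReject = gate.loadedScripts().length;    // still 0: rejection blocks as fully as no answer
  gate.customize({ analytics: true });                // granular choice: only analytics
  const afterCustomize = gate.loadedScripts();        // analytics.js only, ads.js never loads
  gate.withdraw("analytics");
  gate.register("analytics", "https://example.invalid/analytics-v2.js"); // stays pending
  return {
    beforeChoice,
    afterReject,
    afterCustomize,
    stillAllowed: gate.isAllowed("analytics"),
    record: gate.consentRecord(),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runGateDemo(), null, 2));
}
```

The point to verify in a real deployment is the one `runGateDemo` checks: the set of loaded scripts after "reject" must be identical to the set before any choice was made, and the consent record must show the exact categories granted, not just that a banner was dismissed.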
Data retention schedules exist on paper but aren't automated — A privacy policy that states "we retain data for 12 months" means nothing if the data actually sits in the database for years. Implement automated data purging with scheduled jobs, and monitor that purges actually run. Manual retention management fails at scale.
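As an added example (not the skill's own code), the following turns a written retention schedule into a purge job plus the monitoring the paragraph calls for. The policy table, the record store and the timestamps are constructed for the demo; in production the store would be a database and `runPurge` would be driven by a scheduler. A category with no retention rule is treated as an error rather than silently kept, because unclassified data is exactly what ends up "sitting in the database for years".

```javascript
// Added example (not part of the original skill): automated retention purge
// with a freshness check so a silently failing job is noticed.
const RETENTION_POLICY = {
  // category -> retention in days, counted from the record's reference date
  analytics_event: 365,   // "we retain analytics data for 12 months"
  support_ticket: 730,
  deleted_account: 30,    // grace period after an erasure request
};

const DAY_MS = 24 * 60 * 60 * 1000;

function isExpired(record, now, policy = RETENTION_POLICY) {
  const days = policy[record.category];
  if (days === undefined) {
    // No rule means nobody decided how long this data may live: fail loudly.
    throw new Error(`no retention rule for category "${record.category}"`);
  }
  return now.getTime() - Date.parse(record.referenceDate) > days * DAY_MS;
}

// Removes expired records from the store and writes a purge report that can be
// shipped to monitoring. Mutates `store` in place, as a job against a database would.
function runPurge(store, now, policy = RETENTION_POLICY) {
  const expired = store.records.filter((r) => isExpired(r, now, policy));
  const expiredIds = new Set(expired.map((r) => r.id));
  store.records = store.records.filter((r) => !expiredIds.has(r.id));
  const byCategory = {};
  for (const r of expired) byCategory[r.category] = (byCategory[r.category] || 0) + 1;
  store.lastPurge = { at: now.toISOString(), purged: expired.length, byCategory };
  return store.lastPurge;
}

// Monitoring: true when the job has never run or has not completed within its
// expected interval. Alert on this, not on the job's own logs.
function purgeIsStale(store, now, maxGapDays = 2) {
  if (!store.lastPurge) return true;
  return now.getTime() - Date.parse(store.lastPurge.at) > maxGapDays * DAY_MS;
}

// Demo on constructed records; "now" is fixed so the result is reproducible.
function runPurgeDemo() {
  const now = new Date("2024-06-01T00:00:00Z");
  const store = {
    records: [
      { id: 1, category: "analytics_event", referenceDate: "2023-01-15T00:00:00Z" }, // 503 days: purge
      { id: 2, category: "analytics_event", referenceDate: "2024-03-01T00:00:00Z" }, // 92 days: keep
      { id: 3, category: "deleted_account", referenceDate: "2024-04-01T00:00:00Z" }, // 61 days: purge
      { id: 4, category: "support_ticket",  referenceDate: "2022-11-01T00:00:00Z" }, // 578 days: keep
    ],
    lastPurge: null,
  };
  const staleBefore = purgeIsStale(store, now);   // true: never ran
  const report = runPurge(store, now);
  return {
    staleBefore,
    report,
    remainingIds: store.records.map((r) => r.id),
    staleAfter: purgeIsStale(store, now),           // false: just ran
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runPurgeDemo(), null, 2));
}
```

The purge report is the artefact to keep: it is evidence that the retention period stated in the privacy policy is actually enforced, and `purgeIsStale` is the check that turns "the job exists" into "the job ran".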
Data processing agreements are missing for key vendors — Every third-party processor (cloud hosting, analytics, email service, payment processor) requires a signed Data Processing Agreement under Article 28. Maintain a vendor register with DPA status, and make DPA execution part of your vendor onboarding checklist.