GDPR Compliance Skill
Purpose
Ensures compliance with EU General Data Protection Regulation (GDPR) for systems that process personal data.
Rules
Privacy by Design (Article 25)
MUST:
-
Implement data minimization (collect only necessary data)
-
Use pseudonymization where possible
-
Encrypt personal data at rest and in transit
-
Implement access controls
-
Enable data portability
-
Design for right to erasure
Lawful Basis for Processing
MUST HAVE one of:
-
Consent (freely given, specific, informed, unambiguous)
-
Contract (necessary for contract performance)
-
Legal obligation
-
Vital interests
-
Public task
-
Legitimate interests
Data Subject Rights
MUST SUPPORT:
-
Right to access (provide copy within 30 days)
-
Right to rectification (correct inaccurate data)
-
Right to erasure ("right to be forgotten")
-
Right to restrict processing
-
Right to data portability
-
Right to object
Data Breach Response (Article 33-34)
MUST:
-
Detect breach within reasonable time
-
Assess risk to data subjects
-
Notify supervisory authority within 72 hours (if high risk)
-
Notify affected individuals without undue delay
-
Document all breaches
Hack23 Homepage Context
No Personal Data Processing:
-
Static website, no user accounts
-
No cookies, no tracking
-
No forms, no personal data collection
-
Privacy by design: collect nothing
Privacy Policy MUST State:
-
No personal data collected
-
No cookies used
-
Server logs may contain IP addresses (retained 90 days)
-
Contact information for data protection inquiries
Related Policies
-
Privacy Policy
-
Data Classification Policy