gdpr-compliance

GDPR Compliance Planning

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "gdpr-compliance" with this command: npx skills add melodic-software/claude-code-plugins/melodic-software-claude-code-plugins-gdpr-compliance

GDPR Compliance Planning

Comprehensive guidance for General Data Protection Regulation compliance before development begins.

When to Use This Skill

  • Planning systems that process EU residents' personal data

  • Designing consent management and preference centers

  • Implementing data subject rights (access, erasure, portability)

  • Conducting Data Protection Impact Assessments (DPIA)

  • Defining data processing agreements and controller/processor relationships

GDPR Fundamentals

The 7 Principles

Principle Description Implementation Focus

Lawfulness, Fairness, Transparency Valid legal basis, fair processing, clear privacy notices Consent flows, privacy policies

Purpose Limitation Collect for specified, explicit purposes Purpose tracking, use restriction

Data Minimization Adequate, relevant, limited to purpose Field-level justification

Accuracy Keep data accurate and up to date Update mechanisms, verification

Storage Limitation Keep only as long as necessary Retention policies, auto-deletion

Integrity and Confidentiality Appropriate security measures Encryption, access control

Accountability Demonstrate compliance Audit logs, documentation

Lawful Bases for Processing

  1. Consent - Freely given, specific, informed, unambiguous
  2. Contract - Necessary for contract performance
  3. Legal Obligation - Required by law
  4. Vital Interests - Protect someone's life
  5. Public Task - Official authority/public interest
  6. Legitimate Interest - Balanced against data subject rights

Legitimate Interest Assessment (LIA):

  • Purpose test: Is there a legitimate interest?

  • Necessity test: Is processing necessary for that interest?

  • Balancing test: Do subject's interests override?

Data Subject Rights Implementation

Rights Checklist

Right Description Response Time Implementation

Access Copy of personal data 1 month Export endpoint

Rectification Correct inaccurate data 1 month Update endpoint

Erasure ("Right to be Forgotten") Delete personal data 1 month Deletion pipeline

Restrict Processing Limit use of data 1 month Processing flags

Data Portability Machine-readable export 1 month JSON/CSV export

Object Stop processing Without undue delay Opt-out mechanism

Automated Decision-Making Human review of decisions Varies Review queue

.NET Implementation Patterns

// Data Subject Request Handling public interface IDataSubjectRequestHandler { Task<DataExport> HandleAccessRequest(Guid subjectId, CancellationToken ct); Task HandleErasureRequest(Guid subjectId, ErasureScope scope, CancellationToken ct); Task<PortableData> HandlePortabilityRequest(Guid subjectId, string format, CancellationToken ct); }

public class DataSubjectRequestService : IDataSubjectRequestHandler { private readonly IPersonalDataLocator _dataLocator; private readonly IAuditLogger _auditLogger; private readonly TimeProvider _timeProvider;

public async Task&#x3C;DataExport> HandleAccessRequest(Guid subjectId, CancellationToken ct)
{
    await _auditLogger.LogRequestReceived(subjectId, "Access", _timeProvider.GetUtcNow());

    var locations = await _dataLocator.LocateAllPersonalData(subjectId, ct);
    var export = new DataExport
    {
        SubjectId = subjectId,
        GeneratedAt = _timeProvider.GetUtcNow(),
        Categories = new List&#x3C;DataCategory>()
    };

    foreach (var location in locations)
    {
        var data = await location.ExtractData(ct);
        export.Categories.Add(new DataCategory
        {
            Name = location.CategoryName,
            Purpose = location.ProcessingPurpose,
            LawfulBasis = location.LawfulBasis,
            RetentionPeriod = location.RetentionPolicy,
            Data = data
        });
    }

    await _auditLogger.LogRequestCompleted(subjectId, "Access", _timeProvider.GetUtcNow());
    return export;
}

public async Task HandleErasureRequest(Guid subjectId, ErasureScope scope, CancellationToken ct)
{
    // Check for legal holds or retention requirements
    var blocks = await CheckErasureBlocks(subjectId, ct);
    if (blocks.Any())
    {
        throw new ErasureBlockedException(blocks);
    }

    var locations = await _dataLocator.LocateAllPersonalData(subjectId, ct);

    foreach (var location in locations)
    {
        if (scope.IncludesCategory(location.CategoryName))
        {
            // Soft delete with scheduled hard delete
            await location.MarkForDeletion(_timeProvider.GetUtcNow().AddDays(30), ct);
        }
    }

    await _auditLogger.LogErasureInitiated(subjectId, scope, _timeProvider.GetUtcNow());
}

}

Consent Management

// Consent tracking with granular purposes public class ConsentRecord { public Guid SubjectId { get; init; } public string Purpose { get; init; } = string.Empty; public bool IsGranted { get; init; } public DateTimeOffset Timestamp { get; init; } public string ConsentMechanism { get; init; } = string.Empty; // e.g., "WebForm", "API" public string ConsentVersion { get; init; } = string.Empty; // Version of consent text public string? WithdrawalTimestamp { get; set; } }

public interface IConsentManager { Task RecordConsent(ConsentRecord consent, CancellationToken ct); Task WithdrawConsent(Guid subjectId, string purpose, CancellationToken ct); Task<bool> HasValidConsent(Guid subjectId, string purpose, CancellationToken ct); Task<IReadOnlyList<ConsentRecord>> GetConsentHistory(Guid subjectId, CancellationToken ct); }

public class GdprConsentManager : IConsentManager { private readonly IConsentRepository _repository; private readonly IEventPublisher _events;

public async Task&#x3C;bool> HasValidConsent(Guid subjectId, string purpose, CancellationToken ct)
{
    var latest = await _repository.GetLatestConsent(subjectId, purpose, ct);

    if (latest is null)
        return false;

    if (latest.WithdrawalTimestamp is not null)
        return false;

    // Check if consent version is still current
    var currentVersion = await _repository.GetCurrentConsentVersion(purpose, ct);
    if (latest.ConsentVersion != currentVersion)
    {
        // Consent was given under old terms - needs re-consent
        return false;
    }

    return latest.IsGranted;
}

}

Data Protection Impact Assessment (DPIA)

When DPIA is Required

DPIA is mandatory when processing is likely to result in high risk:

  • Systematic and extensive profiling with significant effects

  • Large-scale processing of special category data

  • Systematic monitoring of public areas

  • New technologies with unknown privacy impact

  • Automated decision-making with legal/similar effects

  • Large-scale processing of children's data

DPIA Template Structure

1. Description of Processing

  • Nature: What will you do with the data?
  • Scope: How much data, how many subjects, geographic area?
  • Context: Internal/external factors affecting expectations?
  • Purpose: What are you trying to achieve?

2. Necessity and Proportionality

  • Lawful basis and justification
  • Purpose limitation assessment
  • Data minimization measures
  • Data quality approach
  • Storage limitation policy

3. Risk Assessment

Risks to Individuals

RiskLikelihoodSeverityScoreMitigation
Unauthorized accessMediumHigh6Encryption, MFA
Data breachLowCritical4Monitoring, IR plan
Inaccurate profilingMediumMedium4Human review

Residual Risk

[After mitigations applied]

4. Consultation

  • DPO advice obtained: [Date]
  • Supervisory authority consulted: [If required]
  • Data subject views considered: [How]

5. Sign-Off

RoleNameApprovalDate
Project Owner[ ]
DPO[ ]
CISO[ ]

Risk Scoring Matrix

     SEVERITY
     Low(1)  Medium(2)  High(3)  Critical(4)

L High(4) 4 8 12 16 I Med(3) 3 6 9 12 K Low(2) 2 4 6 8 E V.Low(1) 1 2 3 4

Thresholds:

  • 1-4: Acceptable risk

  • 5-8: Mitigations required

  • 9-12: Senior approval required

  • 13+: Consult supervisory authority

Privacy by Design Checklist

Architecture Phase

  • Data flows documented with personal data highlighted

  • Purpose for each data element defined

  • Lawful basis identified per purpose

  • Retention periods defined per category

  • Access control requirements specified

  • Encryption requirements defined

  • Pseudonymization opportunities identified

Development Phase

  • Consent collection implemented correctly

  • Data subject rights endpoints created

  • Audit logging captures processing activities

  • Data retention automation implemented

  • Encryption at rest and in transit

  • Input validation prevents excess collection

  • Error messages don't leak personal data

Testing Phase

  • Consent flows tested (grant, withdraw, re-consent)

  • All DSR endpoints functional

  • Retention automation verified

  • Access controls tested

  • Audit logs complete and accurate

  • Penetration testing for data exposure

Record of Processing Activities (ROPA)

Article 30 Requirements

Controllers must maintain records of:

Processing Activity: Customer Account Management Controller: [Organization Name] DPO Contact: dpo@example.com Purposes:

  • Account authentication
  • Order fulfillment
  • Customer support Categories of Data Subjects:
  • Customers
  • Prospective customers Categories of Personal Data:
  • Name, email, phone
  • Address
  • Order history
  • Payment tokens (not card numbers) Recipients:
  • Payment processor (Stripe)
  • Shipping provider (FedEx)
  • Customer support platform (Zendesk) International Transfers:
  • Stripe Inc. (US) - SCCs
  • None to third countries without safeguards Retention:
  • Active account: Duration of relationship
  • Closed account: 7 years (legal requirement) Security Measures:
  • TLS 1.3 in transit
  • AES-256 at rest
  • Role-based access control
  • Regular access reviews

International Data Transfers

Transfer Mechanisms Post-Schrems II

Mechanism Use Case Requirements

Adequacy Decision EU-approved countries None additional

Standard Contractual Clauses (SCCs) Most common TIA required

Binding Corporate Rules Intra-group transfers Supervisory approval

Derogations (Art. 49) Occasional transfers Limited scope

Transfer Impact Assessment (TIA)

Transfer Impact Assessment

1. Transfer Details

  • Exporter: [EU entity]
  • Importer: [Third country entity]
  • Countries: [List]
  • Data types: [Categories]
  • Transfer mechanism: [SCCs/BCRs/etc.]

2. Third Country Assessment

  • Laws requiring disclosure to authorities
  • Surveillance legislation
  • Rule of law / judicial independence
  • Practical access by authorities

3. Supplementary Measures

  • Technical: [Encryption, pseudonymization]
  • Contractual: [Additional clauses]
  • Organizational: [Policies, training]

4. Conclusion

  • Risk level: [Acceptable/Requires mitigation/Unacceptable]
  • Decision: [Proceed/Modify/Suspend]

Cross-References

  • CCPA/CPRA: See similar concepts (disclosure, deletion, opt-out)

  • AI Governance: ai-governance skill for AI-specific requirements

  • Security Frameworks: security-frameworks for technical controls

  • Data Classification: data-classification for sensitivity levels

Resources

  • GDPR Full Text

  • EDPB Guidelines

  • ICO GDPR Guidance

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Coding

design-thinking

No summary provided by upstream source.

Repository SourceNeeds Review
-109
melodic-software
Coding

plantuml-syntax

No summary provided by upstream source.

Repository SourceNeeds Review
-77
melodic-software
Coding

system-prompt-engineering

No summary provided by upstream source.

Repository SourceNeeds Review
-59
melodic-software