name: gdpr-data-protection description: Implement GDPR (Reg 2016/679) data protection — DPIA templates, Art.30 processing records, data subject rights, legal bases, and cross-border transfers. version: "1.0.0" last-updated: "2026-04-17" model_tested: "claude-sonnet-4-6" category: compliance platforms: [claude-code, codex, gemini-cli, cursor, copilot, windsurf, cline] language: en geo_relevance: [eu, fr] priority: critical dependencies: mcp: [] skills: [] apis: [] data: [] update_sources:

• url: "https://edpb.europa.eu/our-work-tools" check_frequency: "quarterly" last_checked: "2026-04-17"
• url: "https://www.cnil.fr/fr/outil-pia" check_frequency: "quarterly" last_checked: "2026-04-17" license: MIT

GDPR Data Protection

DISCLAIMER: This skill provides guidance only. It does not constitute legal advice. Always verify with a Data Protection Officer or legal professional.

When to Use

• Designing systems that process personal data
• Conducting a Data Protection Impact Assessment (DPIA)
• Creating Article 30 processing records
• Implementing data subject rights (access, deletion, portability)
• Evaluating legal bases for data processing
• Planning cross-border data transfers

Step 1: Identify Legal Basis (Article 6)

Every processing activity needs exactly one legal basis:

Consent requirements: freely given, specific, informed, unambiguous, easy to withdraw.

Step 2: Data Minimization Checklist

Before collecting any personal data:

1. Is this data necessary for the stated purpose?
2. Can the purpose be achieved with less data?
3. Can the data be anonymized or pseudonymized?
4. Is the retention period defined and minimal?
5. Are access controls in place (who can see what)?

Step 3: Article 30 Processing Record

Every controller must maintain a record of processing activities:

Processing Activity: [Name]
Controller: [Organization name, contact]
DPO Contact: [If applicable]
Purpose: [Specific, explicit purpose]
Legal Basis: [From Step 1]
Data Categories: [e.g., name, email, IP address]
Data Subjects: [e.g., customers, employees]
Recipients: [Who receives the data, including processors]
Third Country Transfers: [If any, with safeguard mechanism]
Retention Period: [Specific duration or criteria]
Security Measures: [Encryption, access control, etc.]

Step 4: Data Subject Rights

Respond within 1 month (extendable to 3 months for complex requests):

Step 5: DPIA (Data Protection Impact Assessment)

Required when processing is "likely to result in a high risk":

• Large-scale processing of special categories (health, biometrics)
• Systematic monitoring of public areas
• Automated decision-making with legal effects
• New technologies with unknown risks

DPIA Structure (CNIL template)

1. Description: Processing, purposes, data flows, retention
2. Necessity and proportionality: Legal basis, minimization, rights
3. Risk assessment: Likelihood x severity for confidentiality, integrity, availability
4. Measures: Technical and organizational measures to mitigate risks

Step 6: Cross-Border Transfers

Personal data leaving the EEA requires a transfer mechanism:

Post-Schrems II: SCCs must include a Transfer Impact Assessment (TIA) evaluating whether the recipient country's laws undermine the protections.

Penalties

France-Specific (CNIL)

• Cookie consent: prior opt-in required (no cookie walls)
• Child consent: 15 years (not 16 as in GDPR default)
• DPIA tool: cnil.fr/fr/outil-pia (free, open source)
• DPO designation mandatory for: public bodies, large-scale systematic monitoring, large-scale special categories

What This Skill Does NOT Do

• Does not implement consent management UI
• Does not configure cookie banners
• Does not perform the DPIA risk assessment (guides structure)
• Does not replace a DPO or legal counsel