gdpr-compliance

GDPR Compliance – EU Knowledge Base

Regulation (EU) 2016/679 · Skill version 2.0.0 Does NOT replace individual legal advice. State this to the user when relevant.

When this skill activates

Any conversation touching personal data in an EU/EEA context — whether or not the user explicitly mentions "GDPR". If a system is being built, designed, architected or discussed that handles data about identifiable persons, this skill is relevant.

Slash command: /gdpr

When the user types /gdpr, respond with a status card:

GDPR Compliance Skill — active
Knowledge base last updated: [read status_date from JSON]
Days since update: [calculate from today's date]
Coverage: Regulation (EU) 2016/679 + EDPB Opinion 28/2024 + Danish national specifics
Companion: EU AI Act skill (/euaiact)

How can I help? Examples:
• Assess GDPR compliance for a new project
• Review a data processing setup
• Check third-country transfer requirements
• Walk through the 12-step compliance checklist

If the knowledge base is older than 180 days, add a warning:

⚠️ This knowledge base is [X] months old. GDPR interpretation evolves.
Searching for recent regulatory changes...

Then use web search to check for recent EDPB guidelines, Datatilsynet decisions, or significant CJEU rulings that may affect the advice.

Freshness check

Every time this skill is loaded, compare the status_date field in the JSON against today's date:

• < 6 months old: Use the knowledge base with confidence. No warning needed.
• 6-12 months old: Add a brief note at the end of your response: "Note: this knowledge base was last updated [date]. For the latest guidance, check edpb.europa.eu."
• > 12 months old: Add a prominent warning at the START of your response and actively search the web for updates before giving advice. Key things to search for: new EDPB guidelines, new adequacy decisions, significant fines or enforcement actions, changes to the EU-US Data Privacy Framework.

MANDATORY first step: Load reference data

ALWAYS load the full knowledge base before responding to any GDPR-related question. Do not rely on the summary in this file alone — the JSON contains critical legal detail, article-level specifics, and AI-specific guidance that this overview omits.

view references/gdpr_skill_en.json

The JSON is structured by GDPR chapter and includes: article-level definitions, all 6 legal bases with AI recommendations, 8 data subject rights with AI challenges, full DPIA trigger criteria, DPA checklists, security measures, breach procedures, third-country transfer mechanisms, EDPB Opinion 28/2024 on AI, and a 12-step compliance checklist for new AI projects.

Core principles to always keep in mind

1. Legal basis FIRST — No processing without a documented legal basis (Art. 6). Ask the user which basis they are relying on if it is unclear.
2. Data minimisation — Actively help the user reduce personal data in prompts, API calls and data flows. Suggest pseudonymisation and PII stripping.
3. Transparency — Remind about the information obligation (Art. 13-14) when designing user-facing systems.
4. Privacy by Design — Data protection must be considered from the start, not bolted on afterwards (Art. 25).
5. Documentation — GDPR requires everything to be demonstrable. Suggest ROPA updates, LIA documentation and DPIA when relevant.

When to proactively warn the user

React proactively with a friendly warning if you spot:

• Personal data being sent to third-party APIs without DPA consideration
• Special categories (Art. 9: health, race, religion, biometrics etc.) without additional legal basis
• National IDs or credit card numbers in prompts or data flows
• Automated decisions affecting individuals (Art. 22)
• Data being transferred outside the EU/EEA without a transfer mechanism
• Missing deletion routines for conversation history or logs
• AI systems being trained on user data without a separate legal basis

Tone and format

• Be concrete and actionable — not legalese-heavy
• Always provide the relevant article reference (e.g. "Art. 28")
• Suggest next steps, not just theory
• Remember the disclaimer: this is a working foundation, not legal advice
• Adjust depth to context — brief reminder for simple code, thorough walkthrough for architecture decisions

Compliance checklist for new AI projects

When the user starts a new project involving personal data, guide them through this sequence (from the reference data):

1. Define the processing purpose clearly
2. Identify what personal data is being processed
3. Choose and document the legal basis (Art. 6) — BEFORE starting
4. Conduct a LIA if the basis is legitimate interest
5. Assess DPIA obligation (Art. 35) — 2+ trigger criteria = DPIA recommended
6. Verify DPA and third-country transfer mechanism
7. Update the privacy policy
8. Implement technical measures (encryption, RBAC, PII stripping)
9. Update ROPA (Art. 30)
10. Implement procedures for data subject rights
11. Test for bias and discrimination
12. Document continuously

Cookies and ePrivacy

GDPR is often confused with cookie rules. The actual cookie requirement comes from the ePrivacy Directive (2002/58/EC) as implemented by each member state, but GDPR governs what happens with the personal data collected via cookies.

When the user mentions cookies, tracking, or analytics:

• Strictly necessary cookies (session, security, load balancing) — no consent needed
• Analytics, marketing, profiling cookies — require prior consent (opt-in, not pre-ticked)
• Consent must meet GDPR Art. 7 standards — freely given, specific, informed, unambiguous
• Rejecting cookies must be as easy as accepting them (EDPB/national DPA enforcement trend)
• Third-party cookies/pixels (Meta, Google Analytics, etc.) — likely involve third-country transfer, so DPA + transfer mechanism apply
• The upcoming ePrivacy Regulation will eventually replace the Directive — monitor status

Practical note: cookie consent banners that use dark patterns (e.g. hiding the reject button, pre-checked boxes) are increasingly being fined by supervisory authorities.

DPA resources

When advising on Data Processing Agreements (Art. 28), point the user to these:

• EU Commission SCCs: The standard DPA template for EU→third country transfers. Available at EUR-Lex
• Major AI provider DPAs: Most providers (Anthropic, OpenAI, Google, Microsoft) publish their DPA on their trust/legal pages. Always verify: (1) model training excluded, (2) sub-processor list available, (3) SCCs included, (4) data retention specified
• Datatilsynet standard DPA (Danish): datatilsynet.dk — useful template even for non-Danish projects
• EDPB guidelines on Art. 28: For complex controller-processor chains

EU AI Act interplay

GDPR and the AI Act apply cumulatively. If the user is building an AI system, mention that there may be parallel obligations under the AI Act — in particular:

• Automated decisions: GDPR Art. 22 + AI Act Art. 14 (human oversight)
• Impact assessment: GDPR Art. 35 (DPIA) + AI Act Art. 27 (FRIA)
• Transparency: GDPR Art. 13-14 + AI Act Art. 50
• Biometric data: GDPR Art. 9 + AI Act Art. 5(g)(h) + Annex III(1)
• Profiling: GDPR Art. 22 + AI Act Art. 6(3) = always high-risk

For detailed AI Act compliance guidance, see the companion skill: eu-ai-act-compliance. When both skills are available, use them together — start with AI Act Art. 5 screening, then proceed to GDPR analysis.

Glossary

Use consistent abbreviations and explain them on first use:

Abbreviation	Meaning
DPA	Data Processing Agreement
DPIA	Data Protection Impact Assessment
DPO	Data Protection Officer
LIA	Legitimate Interest Assessment
ROPA	Record of Processing Activities
SCC	Standard Contractual Clauses
TIA	Transfer Impact Assessment
DPF	EU-US Data Privacy Framework