gdpr-compliance
$
npx mdskill add guia-matthieu/clawfu-skills/gdpr-complianceEnsures GDPR compliance for marketing by managing consent, data processing, privacy notices, and data subject rights.
- Helps design consent flows, write privacy notices, audit data practices, and handle data subject requests.
- Integrates with or depends on GDPR Articles 6, 7, 12-23 and EDPB Guidelines for legal compliance.
- Decides recommendations based on lawful basis assessment, consent requirements, and transparency obligations.
- Presents results through drafted language, gap identification, documentation creation, and control suggestions.
SKILL.md
.github/skills/gdpr-complianceView on GitHub ↗
---
name: gdpr-compliance
description: Ensure GDPR compliance for marketing activities including consent management, data processing, privacy notices, and data subject rights
license: MIT
metadata:
author: ClawFu
version: 1.0.0
mcp-server: "@clawfu/mcp-skills"
---
# GDPR Compliance for Marketing
> Ensure your marketing activities comply with GDPR requirements for consent, data processing, and privacy rights.
## When to Use This Skill
- Designing consent collection flows
- Writing privacy notices
- Auditing marketing data practices
- Handling data subject requests
- Documenting lawful basis
## Methodology Foundation
Based on **GDPR Articles 6, 7, 12-23** and **EDPB Guidelines**, covering:
- Lawful basis determination
- Consent requirements
- Transparency obligations
- Data subject rights
- Documentation requirements
## What Claude Does vs What You Decide
| Claude Does | You Decide |
|-------------|------------|
| Explains GDPR requirements | Business risk tolerance |
| Drafts compliant language | Implementation priority |
| Identifies gaps | Legal interpretation |
| Creates documentation | DPO consultation needs |
| Suggests controls | Resource allocation |
## Instructions
### Step 1: Lawful Basis Assessment
**Six Lawful Bases (Article 6):**
| Basis | Marketing Use | Documentation Needed |
|-------|---------------|----------------------|
| **Consent** | Email marketing, cookies, tracking | Consent records |
| **Contract** | Customer communications | Contract terms |
| **Legitimate Interest** | Soft opt-in, B2B marketing | LIA document |
| **Legal Obligation** | Regulatory comms | Legal reference |
| **Vital Interest** | Rarely applicable | - |
| **Public Task** | Rarely applicable | - |
**Marketing Activity Mapping:**
| Activity | Typical Basis | Requirements |
|----------|---------------|--------------|
| Email newsletter | Consent | Double opt-in, easy unsubscribe |
| Existing customer upsell | Legitimate Interest | LIA, opt-out available |
| Cold B2B outreach | Legitimate Interest | LIA, clear identity |
| Website cookies | Consent | Banner, granular choices |
| Retargeting ads | Consent | Cookie consent |
| Lead magnets | Consent | Clear purpose, separate consent |
### Step 2: Consent Requirements
**Valid Consent Criteria (Article 7):**
| Requirement | What It Means | Example |
|-------------|---------------|---------|
| Freely given | No bundling, no penalty | Separate from T&Cs |
| Specific | Clear purpose stated | "Marketing emails about [X]" |
| Informed | Who, what, why explained | Privacy notice linked |
| Unambiguous | Clear affirmative action | Unchecked checkbox |
| Withdrawable | Easy to revoke | One-click unsubscribe |
**Consent Record Requirements:**
```
Record for each consent:
- Who consented (identifier)
- When (timestamp)
- What they consented to (purpose)
- How (mechanism)
- What they were told (notice version)
```
### Step 3: Privacy Notice Requirements
**Required Elements (Articles 13-14):**
| Element | First-Party Data | Third-Party Data |
|---------|------------------|------------------|
| Controller identity | Required | Required |
| DPO contact | If applicable | If applicable |
| Purposes | Required | Required |
| Lawful basis | Required | Required |
| Recipients | Required | Required |
| Transfers | If applicable | If applicable |
| Retention | Required | Required |
| Rights | Required | Required |
| Withdrawal | If consent | If consent |
| Complaint right | Required | Required |
| Source | N/A | Required |
### Step 4: Data Subject Rights
**Rights Framework:**
| Right | Timeline | Marketing Impact |
|-------|----------|------------------|
| Access (Art. 15) | 1 month | Provide all marketing data |
| Rectification (Art. 16) | 1 month | Update preferences |
| Erasure (Art. 17) | 1 month | Remove from lists |
| Restriction (Art. 18) | 1 month | Pause processing |
| Portability (Art. 20) | 1 month | Export in machine format |
| Objection (Art. 21) | Immediate for marketing | Stop direct marketing |
### Step 5: Documentation & Records
**Required Documentation:**
1. Records of Processing Activities (ROPA)
2. Legitimate Interest Assessments
3. Consent records and mechanisms
4. Privacy notices (versioned)
5. Data Subject Request log
6. Breach notification procedures
## Examples
### Example 1: Marketing Email Consent Flow
**Input:**
```
Design a GDPR-compliant consent flow for:
- SaaS product newsletter
- Product updates
- Promotional offers
- Third-party partner offers
```
**Output:**
```
## GDPR-Compliant Email Consent Flow
### Consent Collection UI
---
**Signup Form Fields:**
```
Email: [________________]
[ ] I agree to receive the monthly newsletter with industry insights
[ ] I agree to receive product updates and feature announcements
[ ] I agree to receive promotional offers and discounts
[ ] I agree to receive relevant offers from our trusted partners
[Sign Up]
By signing up, you confirm you've read our [Privacy Notice].
You can withdraw consent anytime via unsubscribe link or contacting us.
```
**Design Requirements:**
- All checkboxes unchecked by default
- No "select all" option
- Each purpose separate
- Privacy notice linked, not buried
- No dark patterns
---
### Consent Record Structure
```json
{
"email": "user@example.com",
"consents": [
{
"purpose": "newsletter",
"granted": true,
"timestamp": "2026-01-31T10:30:00Z",
"source": "signup_form_v3",
"notice_version": "privacy_v2.1"
},
{
"purpose": "product_updates",
"granted": true,
"timestamp": "2026-01-31T10:30:00Z",
"source": "signup_form_v3",
"notice_version": "privacy_v2.1"
},
{
"purpose": "promotional",
"granted": false,
"timestamp": null,
"source": null,
"notice_version": null
},
{
"purpose": "third_party",
"granted": false,
"timestamp": null,
"source": null,
"notice_version": null
}
],
"ip_address": "192.168.1.1",
"user_agent": "Mozilla/5.0..."
}
```
---
### Email Footer (Required)
```
---
You're receiving this because you subscribed to our [newsletter/updates].
Manage preferences: [link]
Unsubscribe from this list: [link]
Unsubscribe from all: [link]
[Company Name]
[Address]
[Contact Email]
```
---
### Preference Center
| Subscription | Status | Action |
|--------------|--------|--------|
| Monthly Newsletter | [ON/OFF] | Industry insights and tips |
| Product Updates | [ON/OFF] | New features and improvements |
| Promotional Offers | [ON/OFF] | Discounts and special deals |
| Partner Offers | [ON/OFF] | Relevant third-party offers |
[Update Preferences] [Unsubscribe from All]
---
### Compliance Checklist
- [ ] All consents granular (separate checkboxes)
- [ ] Checkboxes unchecked by default
- [ ] Clear description of each purpose
- [ ] Privacy notice accessible
- [ ] Withdrawal mechanism clear
- [ ] Consent records stored
- [ ] Double opt-in implemented
- [ ] Unsubscribe in every email
- [ ] Preference center available
```
### Example 2: Legitimate Interest Assessment
**Input:**
```
We want to email our existing customers about related products.
Do we need consent or can we use legitimate interest?
```
**Output:**
```
## Legitimate Interest Assessment: Customer Cross-Sell
### Summary
You can likely rely on legitimate interest (not consent) for
emailing existing customers about **similar** products, but must
complete this assessment and offer easy opt-out.
---
### Three-Part LIA Test
#### 1. Purpose Test: Is There a Legitimate Interest?
**Interest:** Promote related products to existing customers
**Legitimacy:** Yes - recognized business interest in customer development
**Benefit:** Revenue growth, customer relationship deepening
✅ **PASS**
---
#### 2. Necessity Test: Is Processing Necessary?
| Question | Answer |
|----------|--------|
| Is email necessary to achieve the interest? | Yes - direct communication channel |
| Is there a less intrusive way? | In-app notifications possible but less effective |
| Is the processing proportionate? | Yes - limited frequency, relevant content |
✅ **PASS** (with conditions)
**Conditions:**
- Limit to genuinely related products
- Reasonable frequency (not daily)
- Honor opt-outs immediately
---
#### 3. Balancing Test: Individual Rights vs. Your Interest
| Factor | Assessment |
|--------|------------|
| Nature of data | Basic contact info - low sensitivity |
| Reasonable expectations | Customers expect marketing from sellers |
| Relationship | Existing customer relationship |
| Impact on individual | Minor inconvenience, easy to opt out |
| Safeguards | Opt-out in every email |
✅ **PASS**
---
### Conclusion
**Lawful Basis:** Legitimate Interest (Article 6(1)(f))
**Requirements for Compliance:**
1. **Document this LIA** and keep on file
2. **Include in privacy notice:**
"We may contact existing customers about similar products
based on legitimate interest. You can opt out at any time."
3. **Easy opt-out:** Every email must have unsubscribe
4. **Honor preferences:** Immediate suppression on opt-out
5. **Similar products only:** Don't expand to unrelated offerings
6. **Reasonable frequency:** No more than weekly
---
### Template Email Footer
```
You're receiving this as a valued [Company] customer.
Not interested in product updates?
[Opt out of marketing] | [Manage preferences]
This email was sent based on our legitimate interest in keeping
customers informed about relevant products. See our Privacy Notice
for details and your rights.
```
---
### When This Doesn't Apply
Use **consent** instead if:
- Products are significantly different
- Customer bought once 2+ years ago
- You acquired data from third party
- Customer previously opted out
- Emails are primarily promotional (not informational)
```
## Skill Boundaries
### What This Skill Does Well
- Explaining GDPR requirements
- Drafting compliant language
- Creating documentation templates
- Identifying compliance gaps
### What This Skill Cannot Do
- Provide legal advice
- Know your specific jurisdiction nuances
- Guarantee regulatory acceptance
- Replace DPO consultation
### When to Escalate to Human
- Complex cross-border transfers
- Regulatory investigation
- Data breach response
- Novel processing activities
## Iteration Guide
**Follow-up Prompts:**
- "Draft the privacy notice section for [activity]"
- "How do we handle a right to erasure request?"
- "What documentation do we need for [processing]?"
- "Is this cookie banner compliant?"
## References
- GDPR Text (Regulation 2016/679)
- EDPB Guidelines on Consent
- ICO Direct Marketing Guidance
- CNIL Cookie Guidelines
## Related Skills
- `terms-analyzer` - Terms of service review
- `contract-review` - DPA analysis
- `nda-generator` - Confidentiality
## Skill Metadata
- **Domain**: Legal / Marketing
- **Complexity**: Intermediate
- **Mode**: centaur
- **Time to Value**: 1-2 hours per assessment
- **Prerequisites**: Basic GDPR familiarity