gdpr-data-handling
wshobson/agents
Implement GDPR-compliant data handling with consent management and data subject rights.
What is gdpr-data-handling?
This skill provides practical guidance for building systems that process EU personal data in compliance with GDPR regulations. Use it when implementing consent management, handling data subject requests, designing privacy-first architectures, or conducting compliance reviews.
- Categorize personal data by protection level (basic, sensitive, criminal, children's)
- Identify lawful bases for processing under Article 6
- Implement data subject rights handling (access, rectification, erasure, portability, objection)
- Design consent management systems with proper opt-in mechanisms
- Create data processing agreements and documentation
- Encrypt and control access to personally identifiable information
How to install gdpr-data-handling
npx skills add https://github.com/wshobson/agents --skill gdpr-data-handling
How to use gdpr-data-handling
1. Identify all personal data your system collects and categorize it by type (basic, sensitive, criminal, or children's)
2. Determine the lawful basis for each processing activity under Article 6
3. Document your processing activities and create data processing agreements
4. Implement consent management that uses explicit opt-in (never pre-checked boxes)
5. Build data subject request handling workflows with 30-day response targets
6. Encrypt PII at rest and in transit, and implement access controls on a need-to-know basis
7. Establish data retention schedules and automated deletion processes
8. Conduct regular compliance audits to verify ongoing adherence
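As an added example (not code from the wshobson/agents skill), here is a small Python consent ledger and DSR deadline helper covering steps 4 and 5 above: consent is recorded per purpose, only when the user actively ticked the box, tied to the notice they saw, and can be withdrawn per purpose; request deadlines are computed as one calendar month from receipt. The `ticked_by_user` action label and the clamp-to-month-end rule for months with fewer days are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime, timezone


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str          # one purpose per record: consent is never bundled
    granted_at: datetime
    evidence: str         # id/version of the notice the user actually saw


class ConsentLedger:
    """Per-purpose opt-in consents and withdrawals (in-memory for the example)."""

    def __init__(self) -> None:
        self._grants: dict[tuple[str, str], ConsentRecord] = {}
        self._withdrawn: set[tuple[str, str]] = set()

    def record_consent(self, subject_id: str, purpose: str,
                       user_action: str, evidence: str) -> ConsentRecord:
        # Explicit opt-in only: a pre-checked or defaulted box is not consent.
        # "ticked_by_user" is an assumed label for the UI event.
        if user_action != "ticked_by_user":
            raise ValueError(f"not a valid opt-in: {user_action!r}")
        if not evidence:
            raise ValueError("consent must reference the notice shown (informed)")
        rec = ConsentRecord(subject_id, purpose, datetime.now(timezone.utc), evidence)
        self._grants[(subject_id, purpose)] = rec
        self._withdrawn.discard((subject_id, purpose))
        return rec

    def withdraw(self, subject_id: str, purpose: str) -> None:
        # Withdrawal applies to one purpose only; other consents stay intact.
        self._withdrawn.add((subject_id, purpose))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        key = (subject_id, purpose)
        return key in self._grants and key not in self._withdrawn


def dsr_due_date(received_iso: str) -> str:
    """Deadline for a data subject request: one calendar month after receipt.
    Assumption: if the next month is shorter, the deadline is its last day."""
    received = date.fromisoformat(received_iso)
    year = received.year + received.month // 12
    month = received.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day)).isoformat()


def dsr_is_overdue(received_iso: str, today_iso: str) -> bool:
    return date.fromisoformat(today_iso) > date.fromisoformat(dsr_due_date(received_iso))
```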
Use cases
- Building EU-facing applications that collect user data
- Implementing consent banners and preference management systems
- Processing data subject access requests within 30-day deadlines
- Designing data retention and deletion policies
- Conducting GDPR compliance audits of existing systems
- Backend engineers building data processing systems
- Privacy officers and compliance teams
- Product managers designing EU-compliant features
- Security architects implementing data protection
- Full-stack developers handling user data
gdpr-data-handling FAQ
Basic personal data includes name, email, and phone number and requires standard protection. Sensitive data (Article 9) includes health, religion, and ethnicity and requires explicit consent. Criminal data (Article 10) requires official authority to process.
No. Legitimate interest is one of six lawful bases under Article 6, but it must be balanced against data subject rights. Consent, contract necessity, legal obligation, vital interests, or public interest may be more appropriate depending on your use case.
You must respond within 1 month of receiving a valid data subject request. This applies to all rights including access, rectification, erasure, restriction, portability, and objection.
No. GDPR requires consent to be freely given, specific, and informed. Pre-checked boxes violate this requirement—consent must be opt-in, not opt-out.
You must use appropriate safeguards such as Standard Contractual Clauses (SCCs) or rely on an adequacy decision from the European Commission. Direct transfers without safeguards violate GDPR.
Full instructions (SKILL.md)
Source of truth, from wshobson/agents.
name: gdpr-data-handling
description: Implement GDPR-compliant data handling with consent management, data subject rights, and privacy by design. Use when building systems that process EU personal data, implementing privacy controls, or conducting GDPR compliance reviews.
GDPR Data Handling
Practical implementation guide for GDPR-compliant data processing, consent management, and privacy controls.
When to Use This Skill
- Building systems that process EU personal data
- Implementing consent management
- Handling data subject requests (DSRs)
- Conducting GDPR compliance reviews
- Designing privacy-first architectures
- Creating data processing agreements
Core Concepts
1. Personal Data Categories
| Category | Examples | Protection Level |
|---|---|---|
| Basic | Name, email, phone | Standard |
| Sensitive (Art. 9) | Health, religion, ethnicity | Explicit consent |
| Criminal (Art. 10) | Convictions, offenses | Official authority |
| Children's | Under 16 data | Parental consent |
2. Legal Bases for Processing
Article 6 - Lawful Bases:
├── Consent: Freely given, specific, informed
├── Contract: Necessary for contract performance
├── Legal Obligation: Required by law
├── Vital Interests: Protecting someone's life
├── Public Interest: Official functions
└── Legitimate Interest: Balanced against rights
3. Data Subject Rights
Right to Access (Art. 15) ─┐
Right to Rectification (Art. 16) │
Right to Erasure (Art. 17) │ Must respond
Right to Restrict (Art. 18) │ within 1 month
Right to Portability (Art. 20) │
Right to Object (Art. 21) ─┘
Detailed worked examples and patterns
Detailed sections (starting with ## Implementation Patterns) live in references/details.md. Read that file when the navigation summary above is insufficient.
Best Practices
Do's
- Minimize data collection - Only collect what's needed
- Document everything - Processing activities, legal bases
- Encrypt PII - At rest and in transit
- Implement access controls - Need-to-know basis
- Regular audits - Verify compliance continuously
Don'ts
- Don't pre-check consent boxes - Must be opt-in
- Don't bundle consent - Obtain separate consent for each purpose
- Don't retain indefinitely - Define and enforce retention
- Don't ignore DSARs - 30-day response required
- Don't transfer without safeguards - SCCs or adequacy decisions