GC
GDPR Compliance
🔵 Stable🕐 updated 2026-06-24
🔷 SkillSpec L3
⚙ ships an executable helper
pm-compliance
Assess GDPR compliance and build the core records (ROPA, lawful basis, DSAR, DPIA triggers). Use when asked to get GDPR-compliant, build a Record of Processing Activities, decide a lawful basis, handle data-subject requests, or check whether a DPIA is needed. Produces a GDPR assessment — a ROPA, lawful-basis mapping per activity, DSAR workflow, DPIA-trigger screen, and a prioritised gap list.
📚 Based on EU GDPR (Art. 6, 9, 30, 35 + data-subject rights)
What to give it
▸Processing activities — what personal data you collect, why, and where it flows (this is the spine; everything hangs off it).
▸Role — controller (you decide the why/how) or processor (you act on a controller's instructions); your obligations differ.
▸Data subjects & data types — whose data, and whether any is special-category (health, biometrics, etc.) or about children.
▸Transfers — any processing or storage outside the EEA (triggers transfer-mechanism requirements).
✅ The bar it holds itself to
Every skill in this library self-verifies — these are this skill's own quality checks, straight from its definition.
✓Every processing activity has a documented lawful basis and a retention period
✓"Consent" isn't used as a lazy default where contract or legitimate interests genuinely apply
✓Special-category data has its additional Art. 9 condition identified
✓DPIA-triggering activities are flagged, not buried
✓Cross-border transfers name a valid mechanism (adequacy, SCCs, etc.)
✓The DSAR workflow names the one-month statutory deadline
⚠️ What it refuses to do
Do not default every activity to "consent" — it's revocable and high-maintenance; use the basis that actually fits
Do not skip the ROPA — without the record of what you process, every other GDPR obligation is unanchored
Do not store data with no retention period — "forever" is not a lawful retention policy
Do not treat a DPIA as optional for high-risk processing — it's a legal requirement, not best practice
Do not give legal advice as settled law — flag where a DPO or counsel must confirm (esp. lawful basis and transfers)
Install
npx pm-claude-skills add --agent claude # or codex · cursor · gemini · hermes
# or one-line MCP (every skill, any client):
claude mcp add pm-skills -- npx -y pm-claude-skills-mcp
Related skills
🔌 Embed this skill
Drop this on your blog, docs, or site — it renders a "Run this skill" card:
<div data-pm-skill="gdpr-compliance"></div>
<script src="https://mohitagw15856.github.io/pm-claude-skills/embed.js" async></script>
💬 Discussion
GDPR Compliance is one of 625 open-source professional AI agent skills — all SkillSpec L3.
Try them all in the browser · ⭐ Star on GitHub · Browse the full catalog