gdpr-data-handling

Safe 🌐 Network access ⚙️ External commands

Implement GDPR-compliant data handling

GDPR requirements are complex and easy to miss during development. This skill provides clear patterns for consent management, data subject rights, and privacy by design to help you build compliant systems.

Supports: Claude, Codex, Claude Code (CC)
📊 69 Adequate

1. Download the skill ZIP
2. Upload in Claude: go to Settings → Capabilities → Skills → Upload skill
3. Toggle on and start using

Test it

Using "gdpr-data-handling". Create a GDPR compliance checklist for a SaaS app handling EU user data.

Expected outcome:

  • Document the legal basis for each processing purpose
  • Implement DSAR workflows with 30-day response tracking
  • Define retention periods with deletion or anonymization

Using "gdpr-data-handling". How should we handle consent withdrawals?

Expected outcome:

  • Record withdrawal timestamp and source in audit log
  • Immediately disable data processing for that purpose
  • Notify downstream systems via event bus
  • Retain minimal data for legal compliance only

Using "gdpr-data-handling". What data can we keep after account deletion?

Expected outcome:

  • Transaction records for legal obligation (7 years tax)
  • Anonymized analytics data with no user linkage
  • No marketing consent data after withdrawal
  • Minimal audit logs with hashed identifiers only

Security Audit

Safe
v4 • 1/17/2026

Pure documentation skill with example code patterns only. No executable scripts, file access, environment access, network calls, or external command execution. All 62 static findings are false positives caused by markdown formatting and documentation text being misidentified as security patterns.

  • Files scanned: 2
  • Lines analyzed: 791
  • Findings: 2
  • Total audits: 4

Audited by: claude

Quality Score

  • Architecture: 38
  • Maintainability: 100
  • Content: 85
  • Community: 20
  • Security: 100
  • Spec Compliance: 87

What You Can Build

Plan GDPR scope

Identify required consent, retention, and DSAR features for a new EU product launch.

Build DSAR flow

Implement access, erasure, and portability workflows across multiple data sources.

Review compliance

Use the checklist to audit data handling processes and documentation completeness.

Try These Prompts

Consent basics

Draft a GDPR-compliant consent capture flow for analytics and marketing with audit logging steps.

DSAR process

Outline a DSAR access request workflow with verification, deadlines, and data collection steps.

Retention policy

Propose data retention rules for user accounts, support tickets, and analytics with legal bases.

Breach response

Create a breach notification plan that meets 72-hour reporting requirements and user notification rules.

Best Practices

  • Map each data field to a documented lawful basis
  • Log all consent changes with timestamps, sources, and policy versions
  • Separate PII storage from behavioral data models with encryption

Avoid

  • Bundling consent for unrelated purposes without granular opt-in
  • Keeping data without a defined retention period or legal basis
  • Ignoring DSAR verification steps or missing 30-day response deadlines

Frequently Asked Questions

Is this compatible with Claude, Codex, and Claude Code?
Yes. It provides plain text guidance that works across all AI coding platforms.

What are the limits of this skill?
It provides patterns and examples only and does not replace professional legal advice.

How do I integrate it with my stack?
Map the patterns to your data sources and implement the interfaces shown in your code.

Does it collect or send any data?
No. It contains static guidance only and does not access files or networks.

What if my DSAR workflow fails?
Check identity verification, data source access permissions, and log exceptions for follow up.

How does it compare to a legal review?
It complements legal review with implementation guidance but is not a legal substitute.

Developer Details

File structure

📄 SKILL.md