| name | compliance-rgpd |
| description | Ensures personal data protection and privacy rights according to GDPR/RGPD |
| category | Privacy & Data Protection |
| keywords | GDPR, RGPD, data protection, privacy, consent, DPIA, data subject rights |
| license | MIT |
SKILL: RGPD — Personal Data Protection & Privacy
📖 What is RGPD?
Règlement Général sur la Protection des Données (Regulation (EU) 2016/679)
📋 Essential Definitions
- Personal Data: Any info identifying/identifiable natural person (name, ID, online identifier, location, genetic/biometric/health/economic/cultural/social factors)
- Processing: Any operation on personal data (collection, storage, disclosure, erasure, etc.)
- Controller: Determines purposes and means of processing
- Processor: Processes data per controller's instructions
- Data Subject: Person the data is about
- Breach: Unauthorized/unlawful destruction, loss, alteration, disclosure, access
- Consent: Freely given, specific, informed, unambiguous indication of wishes
- Profiling: Automated processing to evaluate personal aspects
For exhaustive definitions, see RGPD-REFERENCE.md
🎯 7 Processing Principles (Article 5)
- Lawfulness, Fairness, Transparency — Processed lawfully, fairly, transparently
- Purpose Limitation — Collected for specific purpose; can't be further processed incompatibly (except archiving, research, statistics)
- Data Minimization — Only adequate, relevant data necessary for purpose
- Accuracy — Accurate and up-to-date; false data must be rectified/deleted
- Storage Limitation — Kept only as long as necessary
- Integrity & Confidentiality — Processed securely; protected from loss, destruction, unauthorized access
- Accountability — Controller must DEMONSTRATE compliance (not just "tried our best")
📌 Lawful Basis for Processing (Article 6)
Processing is ONLY lawful if ONE of these applies:
1. Consent — Data subject has given freely, specific, informed, unambiguous consent
- ✅ Can be withdrawn, must be as easy as giving
- ❌ Cannot be condition for non-necessary services
- ❌ Cannot be pre-checked boxes
2. Contract — Processing necessary for entering/performing contract with data subject
3. Legal Obligation — Processing required by EU/Member State law
4. Vital Interests — Necessary to protect life/health of data subject or another person
5. Public Task — Necessary for public interest or official authority (basis in law required)
6. Legitimate Interests — Necessary for legitimate interests (controller or third party)
- ❌ NOT if data subject's rights override (especially children)
- ❌ Cannot apply to public authorities performing tasks
- ✅ Requires Legitimate Interest Assessment (LIA)
const determineLawfulBasis = (context: ProcessingContext): LawfulBasis => {
if (context.hasExplicitConsent) return 'consent'
if (context.isContractRequired) return 'contract'
if (context.hasLegalObligation) return 'legal-obligation'
if (context.protectsVitalInterests) return 'vital-interests'
if (context.isPublicTask) return 'public-task'
if (context.hasLegitimateInterest && !context.dataSubjectRightsOverride) {
return 'legitimate-interest'
}
throw new Error('NO LAWFUL BASIS — PROCESSING ILLEGAL')
}
🔐 Special Categories of Data (Article 9)
PROHIBITED: Processing of racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic, biometric, health, or sex life data
Exceptions (ONE must apply):
- Explicit consent
- Employment/social protection (with legal framework)
- Vital interests (subject incapable of consent)
- Not-for-profit organizations (members/contacts only, no external disclosure)
- Manifestly public data (made public BY the data subject)
- Legal claims (establishment, exercise, defense)
- Substantial public interest (proportionate, with safeguards)
- Occupational medicine (by health professional under confidentiality)
- Public health (serious health threat, quality of healthcare)
- Archiving/research/statistics (with appropriate safeguards)
const processHealthData = (userId: string, context: SpecialCategoryContext) => {
if (!context.hasException) {
throw new Error('Cannot process special category data without valid exception')
}
const encrypted = encrypt(userData, encryptionKey)
auditLog.record('special-data-access', userId, new Date())
}
const illegalProfiling = (userData: User) => {
const riskScore = model.predict(userData.healthData)
}
📋 Lawful Basis for Special Categories (Article 9(3))
If using exceptions (h) above, personal data must be processed:
- By/under responsibility of professional with confidentiality obligation
- OR another person with secrecy obligation under EU/Member State law
- Examples: Doctors, lawyers, accountants
✅ Consent Requirements (Articles 7-8)
Consent MUST be:
Child Consent (Article 8): Age 16+ can consent (or lower per Member State, min 13); below requires parental consent
@Post('api/v1/consent')
async setConsent(@Body() data: ConsentRequest, @Request() req) {
const record = {
userId: req.user.id,
type: data.consentType,
given: true,
timestamp: new Date(),
ip: req.ip,
userAgent: req.headers['user-agent']
}
await this.consentService.save(record)
return { success: true, consentId: record.id }
}
@Delete('api/v1/consent/:consentId')
@UseGuards(JwtAuthGuard)
async withdrawConsent(@Param('consentId') id: string, @Request() req) {
const consent = await this.consentService.findById(id)
if (consent.userId !== req.user.id) throw new ForbiddenException()
consent.given = false
consent.withdrawnAt = new Date()
await this.consentService.save(consent)
await this.processingService.stopForConsent(id)
return { success: true }
}
<input type="checkbox" defaultChecked={true} />
👥 Seven Data Subject Rights (Articles 12-22)
Response deadline: 1 month (extendable +2 months if complex). Format: Electronic if requested electronically. Cost: Free
1. Right of Access (Article 15)
Request copy of personal data + info about processing (purposes, recipients, retention, source, automated decisions)
2. Right to Rectification (Article 16)
Correct inaccurate or incomplete data (without undue delay)
3. Right to Erasure (Article 17) — "Right to be Forgotten"
Must erase if: No longer necessary, consent withdrawn, data processed unlawfully, legal obligation requires it, collected from child
Exceptions: Freedom of expression, legal obligation to retain, public health, archiving/research/statistics, legal claims
4. Right to Restrict Processing (Article 18)
When: Accuracy contested, processing unlawful, no longer needed but needed for legal claims, objection pending
Effect: Only storage allowed; no processing without consent
5. Right to Data Portability (Article 20)
Get data in structured, commonly used, machine-readable format (JSON/CSV); transmit to another controller
Applies if: Consent-based OR contract-based processing; automated processing
6. Right to Object (Article 21)
Object to processing based on public task/legitimate interests or direct marketing (must be honored)
7. Right NOT to be Subject to Automated Decision-Making (Article 22)
Prohibition: Decisions based SOLELY on automated processing with legal effects
Exceptions: Contract-necessary, legal basis, explicit consent
When allowed: Must provide human intervention right, ability to express viewpoint, right to contest
@Get('api/v1/users/me/personal-data')
@UseGuards(JwtAuthGuard)
async getMyPersonalData(@Request() req) {
const userData = await this.userService.getFullProfile(req.user.id)
return {
personalData: userData,
accessedAt: new Date().toISOString(),
article: 'Article 15 - Right of Access'
}
}
@Delete('api/v1/users/me')
@UseGuards(JwtAuthGuard)
async deleteMyAccount(@Request() req) {
const userId = req.user.id
await this.userService.erase(userId)
const recipients = await this.auditService.getRecipients(userId)
for (const recipient of recipients) {
await this.notificationService.notifyErasure(recipient, userId)
}
await this.auditService.logErasure(userId)
return { success: true }
}
@Get('api/v1/users/me/export')
@UseGuards(JwtAuthGuard)
async exportMyData(@Request() req) {
const userData = await this.userService.findById(req.user.id)
const csvData = this.dataFormatter.toCSV(userData)
return {
filename: `user-${req.user.id}-${new Date().toISOString()}.csv`,
data: csvData,
contentType: 'text/csv'
}
}
const decideLoanApproval = (userData: User): boolean => {
return model.predict(userData) > 0.7
}
const reviewLoanApplication = (userData: User) => {
return {
automatedScore: model.predict(userData),
requiresHumanReview: true,
applicantCanObject: true,
applicantCanRequestHumanReview: true,
finalDecision: null
}
}
� Security of Processing (Article 32)
class DataSecurityService {
encryptAtRest(data: string, key: string): string {
const cipher = crypto.createCipheriv('aes-256-gcm', Buffer.from(key), iv)
return cipher.update(data, 'utf8', 'hex') + cipher.final('hex')
}
async getPersonalData(userId: string, requester: User) {
if (!requester.hasPermission('read-personal-data')) {
throw new ForbiddenException('Insufficient permissions')
}
await this.auditLog.record({
action: 'data-access',
dataId: userId,
requester: requester.id,
timestamp: new Date(),
})
}
}
🚨 Personal Data Breach (Articles 33-34)
Notification to Authority: Within 72 hours of discovering breach
- Nature of breach (categories and number of subjects affected)
- Likely consequences
- Measures taken/proposed
Notification to Data Subjects: Required if high risk to rights/freedoms
- Nature of breach
- Contact information for DPO
- Mitigation steps taken
@Post('api/v1/security/notify-breach')
async notifyBreach(@Body() breach: DataBreach) {
const riskAssessment = breach.assessRisk()
await this.supervisoryAuthority.notifyBreach({
description: breach.description,
affectedSubjects: breach.estimateAffected(),
consequences: riskAssessment,
measures: breach.responseMeasures
})
if (riskAssessment.highRisk) {
const affectedUsers = await this.getUsersAffected(breach)
for (const user of affectedUsers) {
await this.emailService.sendBreachNotification(user.email, {
description: breach.description,
dpoContact: this.dpo.email,
actions: ['Monitor account', 'Change password', 'Review activity']
})
}
}
}
🌍 Cross-Border Data Transfers (Articles 44-49)
Lawful transfer mechanisms:
- Adequacy Decision — Country ensures adequate protection (Switzerland, Canada, Japan, South Korea)
- Standard Contractual Clauses (SCCs) — EU-approved contract safeguards
- Binding Corporate Rules (BCRs) — Multi-entity data protection policies
- Derogations (limited) — Explicit consent, contract necessary, vital interests, legal claims, public interest
class DataTransferAssessment {
assessTransfer(targetCountry: string): TransferMechanism {
if (this.hasAdequacyDecision(targetCountry)) {
return { mechanism: 'adequacy', country: targetCountry }
}
return { mechanism: 'scc', country: targetCountry, mustSign: true }
}
}
✅ When to Apply This SKILL
- ✅ Determining lawful basis for data collection
- ✅ Collecting/processing special category data
- ✅ Implementing user rights (access, erasure, portability)
- ✅ Designing security measures (encryption, access controls)
- ✅ Handling data breaches (notification procedures)
- ✅ Managing processor contracts
- ✅ Planning cross-border transfers
- ✅ Audit compliance checklist
📋 Quick Compliance Checklist
For complete regulatory definitions, penalties, and references, see RGPD-REFERENCE.md