ワンクリックで
compliance-rgpd
Ensures personal data protection and privacy rights according to GDPR/RGPD
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Ensures personal data protection and privacy rights according to GDPR/RGPD
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
Guide users through creating custom VS Code agents with specialized capabilities, tool restrictions, and subagent workflows. Use when users want to create agent modes, define specialized workflows with context isolation, or build multi-stage agent systems with different tool access per stage. Provides structured interview process for comprehensive agent development.
Technology-agnostic, referential-agnostic orchestration framework for all compliance standards (RGAA, RGESN, RGS, RGPD, RGI, W3C-WSG)
Ensures digital accessibility for all users (WCAG 2.1 AA compliance, French RGAA 4.1.2 standard)
Ensures eco-responsible IT practices and minimizes environmental impact
Ensures system interoperability via open standards, documented APIs, and standardized data exchange
Ensures information security and compliance with French security standards
| name | compliance-rgpd |
| description | Ensures personal data protection and privacy rights according to GDPR/RGPD |
| category | Privacy & Data Protection |
| keywords | GDPR, RGPD, data protection, privacy, consent, DPIA, data subject rights |
| license | MIT |
Règlement Général sur la Protection des Données (Regulation (EU) 2016/679)
RGPD-REFERENCE.md for complete definitions, penalties, and regulatory contextFor exhaustive definitions, see RGPD-REFERENCE.md
Processing is ONLY lawful if ONE of these applies:
// Decision tree: Which lawful basis applies?
const determineLawfulBasis = (context: ProcessingContext): LawfulBasis => {
if (context.hasExplicitConsent) return 'consent'
if (context.isContractRequired) return 'contract'
if (context.hasLegalObligation) return 'legal-obligation'
if (context.protectsVitalInterests) return 'vital-interests'
if (context.isPublicTask) return 'public-task'
if (context.hasLegitimateInterest && !context.dataSubjectRightsOverride) {
return 'legitimate-interest'
}
throw new Error('NO LAWFUL BASIS — PROCESSING ILLEGAL')
}
PROHIBITED: Processing of racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic, biometric, health, or sex life data
Exceptions (ONE must apply):
// ✅ Correct: Process special category with exception
const processHealthData = (userId: string, context: SpecialCategoryContext) => {
if (!context.hasException) {
throw new Error('Cannot process special category data without valid exception')
}
const encrypted = encrypt(userData, encryptionKey)
auditLog.record('special-data-access', userId, new Date())
}
// ❌ Avoid: Processing without exception
const illegalProfiling = (userData: User) => {
// Using health data to price insurance without exception = ILLEGAL
const riskScore = model.predict(userData.healthData)
}
If using exceptions (h) above, personal data must be processed:
Consent MUST be:
Child Consent (Article 8): Age 16+ can consent (or lower per Member State, min 13); below requires parental consent
// ✅ Correct: Explicit opt-in with withdrawal
@Post('api/v1/consent')
async setConsent(@Body() data: ConsentRequest, @Request() req) {
const record = {
userId: req.user.id,
type: data.consentType,
given: true,
timestamp: new Date(),
ip: req.ip,
userAgent: req.headers['user-agent']
}
await this.consentService.save(record)
return { success: true, consentId: record.id }
}
@Delete('api/v1/consent/:consentId')
@UseGuards(JwtAuthGuard)
async withdrawConsent(@Param('consentId') id: string, @Request() req) {
const consent = await this.consentService.findById(id)
if (consent.userId !== req.user.id) throw new ForbiddenException()
consent.given = false
consent.withdrawnAt = new Date()
await this.consentService.save(consent)
await this.processingService.stopForConsent(id) // STOP processing
return { success: true }
}
// ❌ Avoid: Pre-checked (not freely given)
<input type="checkbox" defaultChecked={true} />
Response deadline: 1 month (extendable +2 months if complex). Format: Electronic if requested electronically. Cost: Free
Request copy of personal data + info about processing (purposes, recipients, retention, source, automated decisions)
Correct inaccurate or incomplete data (without undue delay)
Must erase if: No longer necessary, consent withdrawn, data processed unlawfully, legal obligation requires it, collected from child Exceptions: Freedom of expression, legal obligation to retain, public health, archiving/research/statistics, legal claims
When: Accuracy contested, processing unlawful, no longer needed but needed for legal claims, objection pending Effect: Only storage allowed; no processing without consent
Get data in structured, commonly used, machine-readable format (JSON/CSV); transmit to another controller Applies if: Consent-based OR contract-based processing; automated processing
Object to processing based on public task/legitimate interests or direct marketing (must be honored)
Prohibition: Decisions based SOLELY on automated processing with legal effects Exceptions: Contract-necessary, legal basis, explicit consent When allowed: Must provide human intervention right, ability to express viewpoint, right to contest
// 1️⃣ Right of Access (Article 15)
@Get('api/v1/users/me/personal-data')
@UseGuards(JwtAuthGuard)
async getMyPersonalData(@Request() req) {
const userData = await this.userService.getFullProfile(req.user.id)
return {
personalData: userData,
accessedAt: new Date().toISOString(),
article: 'Article 15 - Right of Access'
}
}
// 3️⃣ Right to Erasure (Article 17)
@Delete('api/v1/users/me')
@UseGuards(JwtAuthGuard)
async deleteMyAccount(@Request() req) {
const userId = req.user.id
// Erase all personal data
await this.userService.erase(userId)
// Notify recipients who received the data
const recipients = await this.auditService.getRecipients(userId)
for (const recipient of recipients) {
await this.notificationService.notifyErasure(recipient, userId)
}
// Immutable audit log
await this.auditService.logErasure(userId)
return { success: true }
}
// 5️⃣ Right to Data Portability (Article 20)
@Get('api/v1/users/me/export')
@UseGuards(JwtAuthGuard)
async exportMyData(@Request() req) {
const userData = await this.userService.findById(req.user.id)
const csvData = this.dataFormatter.toCSV(userData)
return {
filename: `user-${req.user.id}-${new Date().toISOString()}.csv`,
data: csvData,
contentType: 'text/csv'
}
}
// 7️⃣ Right NOT to Automated Decision-Making (Article 22)
// ❌ ILLEGAL: Pure automated credit decision
const decideLoanApproval = (userData: User): boolean => {
return model.predict(userData) > 0.7 // No human review = VIOLATION
}
// ✅ CORRECT: Automated assistance + human oversight
const reviewLoanApplication = (userData: User) => {
return {
automatedScore: model.predict(userData), // Assistance only
requiresHumanReview: true,
applicantCanObject: true,
applicantCanRequestHumanReview: true,
finalDecision: null // Pending human decision
}
}
class DataSecurityService {
encryptAtRest(data: string, key: string): string {
const cipher = crypto.createCipheriv('aes-256-gcm', Buffer.from(key), iv)
return cipher.update(data, 'utf8', 'hex') + cipher.final('hex')
}
async getPersonalData(userId: string, requester: User) {
if (!requester.hasPermission('read-personal-data')) {
throw new ForbiddenException('Insufficient permissions')
}
await this.auditLog.record({
action: 'data-access',
dataId: userId,
requester: requester.id,
timestamp: new Date(),
})
}
}
Notification to Authority: Within 72 hours of discovering breach
Notification to Data Subjects: Required if high risk to rights/freedoms
@Post('api/v1/security/notify-breach')
async notifyBreach(@Body() breach: DataBreach) {
const riskAssessment = breach.assessRisk()
// Notify supervisory authority (72-hour deadline)
await this.supervisoryAuthority.notifyBreach({
description: breach.description,
affectedSubjects: breach.estimateAffected(),
consequences: riskAssessment,
measures: breach.responseMeasures
})
// Notify data subjects if high risk
if (riskAssessment.highRisk) {
const affectedUsers = await this.getUsersAffected(breach)
for (const user of affectedUsers) {
await this.emailService.sendBreachNotification(user.email, {
description: breach.description,
dpoContact: this.dpo.email,
actions: ['Monitor account', 'Change password', 'Review activity']
})
}
}
}
Lawful transfer mechanisms:
class DataTransferAssessment {
assessTransfer(targetCountry: string): TransferMechanism {
if (this.hasAdequacyDecision(targetCountry)) {
return { mechanism: 'adequacy', country: targetCountry }
}
// Default to SCCs
return { mechanism: 'scc', country: targetCountry, mustSign: true }
}
}
For complete regulatory definitions, penalties, and references, see RGPD-REFERENCE.md