OpenSkillIndex← back to search
claude-code

Claude-Skills gdpr-dsgvo-expert

install
source · Clone the upstream repo
git clone https://github.com/borghei/Claude-Skills
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/borghei/Claude-Skills "$T" && mkdir -p ~/.claude/skills && cp -r "$T/ra-qm-team/gdpr-dsgvo-expert" ~/.claude/skills/borghei-claude-skills-gdpr-dsgvo-expert && rm -rf "$T"
manifest: ra-qm-team/gdpr-dsgvo-expert/SKILL.md
source content

GDPR/DSGVO Expert

Tools and guidance for EU General Data Protection Regulation (GDPR) and German Bundesdatenschutzgesetz (BDSG) compliance.

Table of Contents

Tools

GDPR Compliance Checker

Scans codebases for potential GDPR compliance issues including personal data patterns and risky code practices.

# Scan a project directory
python scripts/gdpr_compliance_checker.py /path/to/project

# JSON output for CI/CD integration
python scripts/gdpr_compliance_checker.py . --json --output report.json

Detects:

  • Personal data patterns (email, phone, IP addresses)
  • Special category data (health, biometric, religion)
  • Financial data (credit cards, IBAN)
  • Risky code patterns:
    • Logging personal data
    • Missing consent mechanisms
    • Indefinite data retention
    • Unencrypted sensitive data
    • Disabled deletion functionality

Output:

  • Compliance score (0-100)
  • Risk categorization (critical, high, medium)
  • Prioritized recommendations with GDPR article references

DPIA Generator

Generates Data Protection Impact Assessment documentation following Art. 35 requirements.

# Get input template
python scripts/dpia_generator.py --template > input.json

# Generate DPIA report
python scripts/dpia_generator.py --input input.json --output dpia_report.md

Features:

  • Automatic DPIA threshold assessment
  • Risk identification based on processing characteristics
  • Legal basis requirements documentation
  • Mitigation recommendations
  • Markdown report generation

DPIA Triggers Assessed:

  • Systematic monitoring (Art. 35(3)(c))
  • Large-scale special category data (Art. 35(3)(b))
  • Automated decision-making (Art. 35(3)(a))
  • WP29 high-risk criteria

Data Subject Rights Tracker

Manages data subject rights requests under GDPR Articles 15-22.

# Add new request
python scripts/data_subject_rights_tracker.py add \
  --type access --subject "John Doe" --email "john@example.com"

# List all requests
python scripts/data_subject_rights_tracker.py list

# Update status
python scripts/data_subject_rights_tracker.py status --id DSR-202601-0001 --update verified

# Generate compliance report
python scripts/data_subject_rights_tracker.py report --output compliance.json

# Generate response template
python scripts/data_subject_rights_tracker.py template --id DSR-202601-0001

Supported Rights:

RightArticleDeadline
AccessArt. 1530 days
RectificationArt. 1630 days
ErasureArt. 1730 days
RestrictionArt. 1830 days
PortabilityArt. 2030 days
ObjectionArt. 2130 days
Automated decisionsArt. 2230 days

Features:

  • Deadline tracking with overdue alerts
  • Identity verification workflow
  • Response template generation
  • Compliance reporting

Reference Guides

GDPR Compliance Guide

references/gdpr_compliance_guide.md

Comprehensive implementation guidance covering:

  • Legal bases for processing (Art. 6)
  • Special category requirements (Art. 9)
  • Data subject rights implementation
  • Accountability requirements (Art. 30)
  • International transfers (Chapter V)
  • Breach notification (Art. 33-34)

German BDSG Requirements

references/german_bdsg_requirements.md

German-specific requirements including:

  • DPO appointment threshold (§ 38 BDSG - 20+ employees)
  • Employment data processing (§ 26 BDSG)
  • Video surveillance rules (§ 4 BDSG)
  • Credit scoring requirements (§ 31 BDSG)
  • State data protection laws (Landesdatenschutzgesetze)
  • Works council co-determination rights

DPIA Methodology

references/dpia_methodology.md

Step-by-step DPIA process:

  • Threshold assessment criteria
  • WP29 high-risk indicators
  • Risk assessment methodology
  • Mitigation measure categories
  • DPO and supervisory authority consultation
  • Templates and checklists

Workflows

Workflow 1: New Processing Activity Assessment

Step 1: Run compliance checker on codebase
        → python scripts/gdpr_compliance_checker.py /path/to/code

Step 2: Review findings and compliance score
        → Address critical and high issues

Step 3: Determine if DPIA required
        → Check references/dpia_methodology.md threshold criteria

Step 4: If DPIA required, generate assessment
        → python scripts/dpia_generator.py --template > input.json
        → Fill in processing details
        → python scripts/dpia_generator.py --input input.json --output dpia.md

Step 5: Document in records of processing activities

Workflow 2: Data Subject Request Handling

Step 1: Log request in tracker
        → python scripts/data_subject_rights_tracker.py add --type [type] ...

Step 2: Verify identity (proportionate measures)
        → python scripts/data_subject_rights_tracker.py status --id [ID] --update verified

Step 3: Gather data from systems
        → python scripts/data_subject_rights_tracker.py status --id [ID] --update in_progress

Step 4: Generate response
        → python scripts/data_subject_rights_tracker.py template --id [ID]

Step 5: Send response and complete
        → python scripts/data_subject_rights_tracker.py status --id [ID] --update completed

Step 6: Monitor compliance
        → python scripts/data_subject_rights_tracker.py report

Workflow 3: German BDSG Compliance Check

Step 1: Determine if DPO required
        → 20+ employees processing personal data automatically
        → OR processing requires DPIA
        → OR business involves data transfer/market research

Step 2: If employees involved, review § 26 BDSG
        → Document legal basis for employee data
        → Check works council requirements

Step 3: If video surveillance, comply with § 4 BDSG
        → Install signage
        → Document necessity
        → Limit retention

Step 4: Register DPO with supervisory authority
        → See references/german_bdsg_requirements.md for authority list

Key GDPR Concepts

Legal Bases (Art. 6)

  • Consent: Marketing, newsletters, analytics (must be freely given, specific, informed)
  • Contract: Order fulfillment, service delivery
  • Legal obligation: Tax records, employment law
  • Legitimate interests: Fraud prevention, security (requires balancing test)

Special Category Data (Art. 9)

Requires explicit consent or Art. 9(2) exception:

  • Health data
  • Biometric data
  • Racial/ethnic origin
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Genetic data
  • Sexual orientation

Data Subject Rights

All rights must be fulfilled within 30 days (extendable to 90 for complex requests):

  • Access: Provide copy of data and processing information
  • Rectification: Correct inaccurate data
  • Erasure: Delete data (with exceptions for legal obligations)
  • Restriction: Limit processing while issues are resolved
  • Portability: Provide data in machine-readable format
  • Object: Stop processing based on legitimate interests

German BDSG Additions

TopicBDSG SectionKey Requirement
DPO threshold§ 3820+ employees = mandatory DPO
Employment§ 26Detailed employee data rules
Video§ 4Signage and proportionality
Scoring§ 31Explainable algorithms

Cross-Reference: CCPA/CPRA US Privacy Comparison

When operating across EU and US jurisdictions, align GDPR compliance with California Consumer Privacy Act (CCPA) as amended by CPRA. Key differences to manage:

DimensionGDPRCCPA/CPRA
ScopeAny org processing EU resident dataFor-profit businesses meeting revenue/data thresholds
Legal basis6 lawful bases required (Art. 6)No legal basis requirement; opt-out model
ConsentOpt-in by defaultOpt-out (except minors and sensitive data)
Data subject rightsAccess, rectification, erasure, portability, objectionKnow, delete, correct, opt-out of sale/sharing, limit sensitive data use
Breach notification72 hours to supervisory authority (Art. 33)"Most expedient time possible" to consumers
EnforcementDPAs with fines up to 4% global turnoverCalifornia Privacy Protection Agency (CPPA), $2,500-$7,500 per violation
DPO requirementMandatory in many cases (Art. 37)No DPO requirement
Children's dataUnder 16 requires parental consent (Art. 8)Under 16 opt-in for sale; under 13 parental consent

Practical alignment: Build a unified privacy program that satisfies the stricter GDPR requirements by default, then layer CCPA/CPRA-specific mechanisms (e.g., "Do Not Sell or Share My Personal Information" link, annual metrics disclosure).

See also: 

../ccpa-cpra-specialist/SKILL.md
for full CCPA/CPRA compliance workflows and tools.

Infrastructure Privacy Controls

Cookie Consent and Tracking

Implement compliant cookie consent per GDPR Art. 6 + ePrivacy Directive:

CategoryExamplesConsent RequiredDefault State
Strictly NecessarySession, CSRF, load balancerNoActive
FunctionalLanguage preference, UI settingsYesInactive
AnalyticsGoogle Analytics, Matomo, HotjarYesInactive
MarketingFacebook Pixel, Google Ads, retargetingYesInactive

Implementation requirements:

  • Banner must block all non-essential cookies until explicit consent
  • Pre-checked boxes are NOT valid consent (Planet49 ruling, CJEU C-673/17)
  • Consent must be as easy to withdraw as to give
  • Record consent proof (timestamp, version, choices made)
  • Re-consent on material changes to cookie policy

Global Privacy Control (GPC) Signal

Per CCPA/CPRA regulations and emerging EU guidance:

  • Detect 
    Sec-GPC: 1
    HTTP header and 
    navigator.globalPrivacyControl
    JavaScript API
  • Treat GPC as valid opt-out signal for CCPA/CPRA
  • For GDPR: GPC can serve as a signal of objection under Art. 21 — evaluate on a case-by-case basis
  • Log GPC signal detection and honor it automatically

Data Localization and Cross-Border Transfers

Transfer MechanismStatus (post-Schrems II)When to Use
EU Adequacy DecisionValidTransfers to adequate countries (e.g., Japan, UK, South Korea, US via DPF)
Standard Contractual Clauses (SCCs)Valid with TIADefault mechanism for non-adequate countries
Binding Corporate Rules (BCRs)ValidIntra-group transfers in multinationals
EU-US Data Privacy Framework (DPF)Valid (since July 2023)US companies certified under DPF
Derogations (Art. 49)Limited use onlyExplicit consent, contract necessity — not for systematic transfers

Transfer Impact Assessment (TIA) requirements for SCCs:

  1. Map the data flow (what data, to whom, where)
  2. Assess recipient country legal framework (surveillance laws, access by authorities)
  3. Evaluate supplementary measures needed (encryption, pseudonymization, contractual)
  4. Document assessment and review annually

AI-Specific GDPR Requirements

Automated Decision-Making (Art. 22)

Art. 22 restricts decisions based solely on automated processing that produce legal or similarly significant effects:

RequirementImplementation
Right not to be subject to automated decisionsProvide human review mechanism for consequential decisions
Right to explanationDocument and explain logic, significance, and consequences
Right to contestEnable data subjects to challenge automated decisions
Explicit consent or contract necessitySecure Art. 22(2) legal basis before deploying
Suitable safeguardsImplement human oversight, right to express point of view

AI transparency checklist:

  • Document algorithmic logic in plain language
  • Implement human-in-the-loop for high-stakes decisions (credit, employment, insurance)
  • Provide opt-out mechanism for fully automated decisions
  • Conduct and document bias testing (protected characteristics under Art. 9)
  • Log all automated decisions with reasoning for auditability
  • Include AI decision-making in privacy notice (Art. 13(2)(f), Art. 14(2)(g))

AI Training Data Requirements

RequirementGDPR BasisAction
Lawful basis for training dataArt. 6Legitimate interest (with DPIA) or consent
Purpose limitationArt. 5(1)(b)Training purpose must be compatible with original collection
Data minimizationArt. 5(1)(c)Use minimum data necessary; prefer synthetic/anonymized data
AccuracyArt. 5(1)(d)Ensure training data is accurate and up-to-date
Storage limitationArt. 5(1)(e)Define retention for training datasets
Special category dataArt. 9Explicit consent or Art. 9(2)(j) research exemption for health/biometric data
Right to erasureArt. 17Implement mechanism to remove individual data from training sets (or document inability)
Data scrapingArt. 14Inform data subjects when using publicly available data for training

Enhanced DPIA Methodology with EU AI Act Integration

When DPIA + AI Act Conformity Assessment Overlap

For AI systems processing personal data, both GDPR Art. 35 DPIA and EU AI Act conformity assessment may apply:

AI Risk Level (EU AI Act)GDPR DPIA Required?Combined Assessment Approach
Unacceptable (Art. 5)N/A — prohibitedDo not deploy
High-risk (Annex III)Almost always yesJoint DPIA + conformity assessment
Limited risk (Art. 50)Evaluate per Art. 35 criteriaDPIA if systematic monitoring or profiling
Minimal riskEvaluate per Art. 35 criteriaStandard DPIA threshold assessment

Enhanced DPIA Process for AI Systems

Step 1: AI System Classification
        → Classify under EU AI Act risk levels
        → Map to GDPR Art. 35(3) triggers

Step 2: Data Flow and Processing Analysis
        → Document training data sources and legal basis
        → Map inference data flows
        → Identify automated decision points (Art. 22)

Step 3: AI-Specific Risk Assessment
        → Bias and discrimination risk (protected groups)
        → Accuracy and reliability risk
        → Explainability and transparency gaps
        → Data quality and representativeness
        → Model drift and ongoing monitoring needs

Step 4: Fundamental Rights Impact
        → Right to non-discrimination
        → Right to privacy and data protection
        → Freedom of expression (content moderation AI)
        → Right to an effective remedy

Step 5: Combined Mitigation Measures
        → Technical: differential privacy, federated learning, model cards
        → Organizational: AI ethics board, human oversight procedures
        → Contractual: AI-specific DPA clauses with processors
        → Monitoring: continuous bias monitoring, performance drift detection

Step 6: DPO and Supervisory Authority Consultation
        → Consult DPO on combined assessment
        → Prior consultation with SA if high residual risk (Art. 36)
        → Notify national AI authority if high-risk AI system

Privacy by Design Technical Controls

Data Minimization Techniques

TechniqueDescriptionUse Case
Field-level encryptionEncrypt specific PII fields at restDatabase storage
TokenizationReplace PII with non-reversible tokensPayment processing, analytics
Data maskingObscure portions of data (e.g., email: j***@example.com)UI display, logging
AggregationProcess only aggregated/statistical dataAnalytics, reporting
Purpose-scoped accessLimit data access to specific processing purposesMulti-purpose systems
Automatic expirationTTL-based data deletionSession data, temporary processing

Pseudonymization Implementation (Recital 26, Art. 4(5))

MethodReversibilityStrengthBest For
HMAC-basedReversible with keyStrongInternal analytics with re-identification need
Format-preserving encryptionReversible with keyStrongLegacy system compatibility
Deterministic hashing (salted)One-wayMediumCross-dataset linkage without PII
Random ID mappingReversible with lookup tableStrongResearch datasets

Key management for pseudonymization:

  • Store re-identification keys separately from pseudonymized data
  • Apply strict access controls to key material (minimum two-person rule)
  • Document key rotation schedule
  • Log all re-identification events

Encryption Standards

LayerMinimum StandardRecommended
At restAES-256AES-256-GCM with envelope encryption
In transitTLS 1.2TLS 1.3
DatabaseTransparent Data Encryption (TDE)Column-level encryption for PII
BackupsAES-256AES-256 + separate key from production
Key managementHardware-backed (HSM/KMS)Cloud KMS with customer-managed keys (BYOK)

Cross-Framework Privacy Mapping

RequirementGDPR ArticleCCPA/CPRA SectionHIPAA RuleNIS2 Article
Risk assessmentArt. 35 (DPIA)§1798.185 (risk assessment regs)§164.308(a)(1)Art. 21(2)(a)
Breach notificationArt. 33-34 (72 hrs to SA)§1798.150 (to consumers)§164.404-408 (60 days)Art. 23 (24 hrs early warning)
Data minimizationArt. 5(1)(c)§1798.100(c) (collection limitation)§164.502(b) (minimum necessary)Art. 21(2)(e)
EncryptionArt. 32(1)(a)Implicit (reasonable security)§164.312(a)(2)(iv) (addressable)Art. 21(2)(e)
Access controlsArt. 32(1)(b)Implicit (reasonable security)§164.312(a)(1) (access control)Art. 21(2)(d)
Incident responseArt. 33-34§1798.150§164.308(a)(6)Art. 21(2)(b)
Supply chain securityArt. 28 (processor agreements)§1798.140(ag) (service provider contracts)§164.308(b) (BAAs)Art. 21(2)(d)
Governance/accountabilityArt. 5(2), Art. 24§1798.185 (audit regs)§164.308(a)(1)Art. 20 (governance)
Right to delete/erasureArt. 17§1798.105Limited (retention rules)N/A
Data portabilityArt. 20§1798.130(a)(2)N/AN/A

Cross-references: See 

../information-security-manager-iso27001/SKILL.md
for ISO 27001 security controls, and 
../mdr-745-specialist/SKILL.md
for healthcare device data protection under MDR.

Cross-Framework Privacy Integration

GDPR ↔ CCPA/CPRA Comparison

AspectGDPRCCPA/CPRA
ScopeAny org processing EU residents' data$25M+ revenue, 100K+ consumers, or 50%+ revenue from selling PI
Legal Basis6 legal bases required (Art. 6)Opt-out model (no legal basis needed for collection)
ConsentOpt-in requiredOpt-out for sale/sharing
Right to DeleteArt. 17§1798.105
Data PortabilityArt. 20§1798.130
PenaltiesUp to €20M or 4% global turnover$2,500-$7,500 per violation
DPO RequiredYes (in many cases)No
DPIA RequiredYes (high risk processing)Risk assessments (CPRA)

AI-Specific GDPR Requirements

  • Automated Decision-Making (Art. 22): Right not to be subject to decisions based solely on automated processing with legal/significant effects
  • AI Training Data: Legitimate interest or consent required; purpose limitation applies to model training
  • Profiling: Requires explicit consent for automated profiling with significant effects
  • EU AI Act Integration: High-risk AI systems processing personal data require DPIA per Art. 35 GDPR
  • Cross-reference: See 
    eu-ai-act-specialist
    for AI-specific compliance

Infrastructure Privacy Controls

  • Cookie Consent: TCF 2.2 compliant consent management platform (CMP)
  • Global Privacy Control (GPC): Must honor GPC browser signals (also CCPA requirement)
  • Data Localization: EU data residency requirements, Schrems II adequacy decisions
  • Cross-Border Transfers: Standard Contractual Clauses (SCCs), adequacy decisions, binding corporate rules
  • Privacy by Design Controls: Data minimization, pseudonymization, encryption at rest/transit, access logging

Cross-Framework Mapping

ControlGDPRCCPAHIPAANIS2
Privacy NoticeArt. 13-14§1798.100Privacy Practices
Data Subject RightsArt. 15-22§1798.100-125Access/Amendment
Breach NotificationArt. 33-34§1798.150§164.404-408Art. 23
DPO/Privacy OfficerArt. 37-39Privacy Officer
Risk AssessmentArt. 35 (DPIA)Risk Assessment§164.308(a)(1)Art. 21
EncryptionArt. 32Reasonable Security§164.312(a)(2)(iv)Art. 21.2.h
TrainingArt. 39.1.b§164.308(a)(5)Art. 21.2.g

Troubleshooting

ProblemPossible CauseResolution
Compliance checker reports critical findings for special category dataCode processes health, biometric, or religious data without explicit consent or Art. 9(2) exceptionIdentify all special category data processing; secure explicit consent or document applicable Art. 9(2) exception; implement field-level encryption for sensitive fields
DPIA generator determines assessment required but organization has no DPIA processProcessing triggers Art. 35(3) criteria (systematic monitoring, large-scale special categories, or automated decision-making)Follow the DPIA methodology in 
references/dpia_methodology.md
; generate template with 
dpia_generator.py --template
; consult DPO before proceeding; consider prior consultation with supervisory authority if high residual risk (Art. 36)
Data subject rights requests consistently exceed 30-day deadlineManual fulfillment without tracking system, unclear data location, or complex verification requirementsDeploy 
data_subject_rights_tracker.py
for automated deadline monitoring; map all personal data locations using data inventory; streamline identity verification to proportionate measures
Cross-border transfer mechanism invalidated or uncertainReliance on deprecated mechanism or Transfer Impact Assessment not completed for SCCsReview current adequacy decisions (UK, Japan, South Korea, US via DPF); for SCCs, complete Transfer Impact Assessment per Schrems II requirements; document supplementary measures (encryption, pseudonymization)
Cookie consent banner flagged as non-compliantPre-checked boxes, cookie wall blocking access, or reject button harder to find than acceptImplement TCF 2.2 compliant CMP; ensure all non-essential cookies blocked until explicit consent; make reject as prominent as accept (per Planet49 ruling, CJEU C-673/17); record consent proof
GDPR compliance checker detects personal data in application logsApplication logs contain email addresses, IP addresses, or user identifiersImplement log sanitization to mask or pseudonymize personal data before storage; configure logging frameworks to exclude PII fields; set log retention limits aligned with purpose
AI system processing personal data lacks Art. 22 safeguardsAutomated decision-making produces legal or significant effects without human review mechanismImplement human-in-the-loop for high-stakes decisions; provide right to explanation and right to contest; document algorithmic logic in plain language; include AI decision-making in privacy notice per Art. 13(2)(f)

Success Criteria

  • Compliance score of 80+ on codebase scan -- indicating no critical personal data exposure issues, with all high-risk patterns addressed and documented
  • All data subject rights requests fulfilled within 30 days -- tracked via 
    data_subject_rights_tracker.py
    with identity verification completed, response templates generated, and compliance reports showing zero overdue requests
  • DPIA completed for all high-risk processing activities -- covering Art. 35(3) triggers, WP29 criteria, risk mitigation measures, and DPO consultation; prior SA consultation documented where required
  • Records of Processing Activities (Art. 30) maintained and current -- covering all processing activities with purposes, legal bases, data categories, recipients, retention periods, and transfer mechanisms
  • Cross-border transfer mechanisms validated -- adequacy decisions, SCCs with TIA, or BCRs in place for all international data flows, reviewed annually
  • Cookie consent implementation compliant -- non-essential cookies blocked until explicit consent, reject as easy as accept, consent proof recorded with timestamp and version, GPC signal honored
  • DPO appointed and registered where required -- including German BDSG Section 38 threshold (20+ employees processing personal data automatically), with supervisory authority notification

Scope & Limitations

In Scope:

  • Codebase scanning for personal data patterns and risky processing practices
  • DPIA generation following Art. 35 requirements with threshold assessment and risk mitigation
  • Data subject rights request tracking (Art. 15-22) with deadline monitoring and response templates
  • German BDSG-specific requirements (DPO threshold, employment data, video surveillance, credit scoring)
  • Cross-border transfer mechanism assessment (adequacy decisions, SCCs, BCRs, DPF)
  • AI-specific GDPR requirements (Art. 22 automated decisions, training data governance, profiling)
  • Cross-framework privacy mapping (GDPR, CCPA/CPRA, HIPAA, NIS2)

Out of Scope:

  • Legal advice on specific legal basis selection or legitimate interest balancing tests -- consult DPO and legal counsel
  • Supervisory authority notification or interaction for breach reporting (Art. 33-34)
  • Implementation of cookie consent management platforms or consent management code
  • GDPR representative appointment logistics for non-EU organizations (Art. 27)
  • Binding Corporate Rules (BCR) application or approval process
  • German Landesdatenschutzgesetze (state-level data protection laws) beyond general guidance

Important Notes:

  • GDPR enforcement fines reached EUR 2.3 billion in 2025, a 38% year-over-year increase; healthcare violations spiked with average penalties of EUR 203,000
  • The EU AI Act creates dual obligations for AI systems processing personal data -- both DPIA (GDPR Art. 35) and conformity assessment (AI Act) may apply simultaneously
  • Dark patterns in consent interfaces are under heightened enforcement scrutiny; regulators are penalizing cookie walls, manipulative UI, and buried reject options

Integration Points

SkillIntegrationWhen to Use
ccpa-cpra-privacy-expert
Unified privacy program covering both GDPR and CCPA/CPRA; cross-framework mappingWhen organization processes data of both EU residents and California consumers
eu-ai-act-specialist
Combined DPIA + AI Act conformity assessment for high-risk AI systems processing personal dataWhen AI system triggers both GDPR Art. 35 DPIA and EU AI Act high-risk classification
information-security-manager-iso27001
ISO 27001 security controls support GDPR Art. 32 security of processing requirementsWhen implementing technical and organizational measures for personal data protection
infrastructure-compliance-auditor
Technical privacy controls validation (encryption, access controls, logging, data masking)When assessing infrastructure supporting GDPR privacy-by-design requirements
dora-compliance-expert
DORA complements GDPR for financial sector ICT systems processing personal dataWhen financial entity must align DORA ICT security with GDPR data protection requirements

Tool Reference

gdpr_compliance_checker.py

Scans codebases for potential GDPR compliance issues including personal data patterns and risky code practices.

FlagRequiredDescription
<project_dir>
YesPath to project directory to scan
--json
NoOutput results in JSON format for CI/CD integration
--output <file>
NoExport report to specified file path

Detects: Email, phone, IP address, credit card, IBAN, German ID patterns; special category data (health, biometric, religion); risky code patterns (logging PII, missing consent, indefinite retention, unencrypted sensitive data, disabled deletion). Output: Compliance score (0-100), risk categorization (critical/high/medium), and prioritized recommendations with GDPR article references.

dpia_generator.py

Generates Data Protection Impact Assessment documentation following Art. 35 requirements.

FlagRequiredDescription
--template
NoGenerate blank DPIA input template to stdout
--input <file>
Yes (unless 
--template
or 
--interactive
)		Path to JSON processing activity description
--output <file>
NoExport DPIA report to specified file path (markdown format)
--interactive
NoLaunch interactive mode for guided DPIA creation

Features: Automatic DPIA threshold assessment against Art. 35(3) triggers and WP29 criteria, risk identification based on processing characteristics, legal basis documentation, mitigation recommendations, and markdown report generation.

data_subject_rights_tracker.py

Manages data subject rights requests under GDPR Articles 15-22 with deadline tracking and response templates.

SubcommandDescription
add
Add new request (
--type
, 
--subject
, 
--email
required)
list
List all tracked requests
status
View or update request status (
--id
required, 
--update
to change status)
report
Generate compliance report (
--output
for file export)
template
Generate response template for specific request (
--id
required)
FlagDescription
--type <right>
Right type: 
access
, 
rectification
, 
erasure
, 
restriction
, 
portability
, 
objection
, 
automated
--subject <name>
Data subject name
--email <email>
Data subject email address
--id <request_id>
Request identifier (e.g., 
DSR-202601-0001
)
--update <status>
New status: 
received
, 
verified
, 
in_progress
, 
completed
, 
denied
, 
extended
--output <file>
Export report or template to specified file path

Features: 30-day deadline tracking with overdue alerts, identity verification workflow, response template generation per right type, and compliance reporting with metrics.