GDPR Data Handling

Practical implementation guide for GDPR-compliant data processing, consent management, and privacy controls.

When to Use This Skill

• Building systems that process EU personal data
• Implementing consent management
• Handling data subject requests (DSRs)
• Conducting GDPR compliance reviews
• Designing privacy-first architectures
• Creating data processing agreements

Core Concepts

1. Personal Data Categories

2. Legal Bases for Processing

Article 6 - Lawful Bases:
├── Consent: Freely given, specific, informed
├── Contract: Necessary for contract performance
├── Legal Obligation: Required by law
├── Vital Interests: Protecting someone's life
├── Public Interest: Official functions
└── Legitimate Interest: Balanced against rights

3. Data Subject Rights

Right to Access (Art. 15)      ─┐
Right to Rectification (Art. 16) │
Right to Erasure (Art. 17)       │ Must respond
Right to Restrict (Art. 18)      │ within 1 month
Right to Portability (Art. 20)   │
Right to Object (Art. 21)       ─┘

Detailed worked examples and patterns

Detailed sections (starting with ## Implementation Patterns) live in references/details.md. Read that file when the navigation summary above is insufficient.

Best Practices

Do's

• Minimize data collection - Only collect what's needed
• Document everything - Processing activities, legal bases
• Encrypt PII - At rest and in transit
• Implement access controls - Need-to-know basis
• Regular audits - Verify compliance continuously

Don'ts

• Don't pre-check consent boxes - Must be opt-in
• Don't bundle consent - Separate purposes separately
• Don't retain indefinitely - Define and enforce retention
• Don't ignore DSARs - 30-day response required
• Don't transfer without safeguards - SCCs or adequacy decisions