---
name: gdpr-compliance-guia-matthieu
title: GDPR Compliance for Marketing
description: Ensure GDPR compliance for marketing activities including consent management, data processing, privacy notices, and data subject rights
author: guia-matthieu
author_url: https://github.com/guia-matthieu/clawfu-skills/tree/main/skills/legal/gdpr-compliance
license: MIT
version: 0.1.0
execution_mode: open
jurisdiction: general
practice: data-protection
language: en
---

# GDPR Compliance for Marketing

> Ensure your marketing activities comply with GDPR requirements for consent, data processing, and privacy rights.

## When to Use This Skill

- Designing consent collection flows
- Writing privacy notices
- Auditing marketing data practices
- Handling data subject requests
- Documenting lawful basis

## Methodology Foundation

Based on **GDPR Articles 6, 7, 12-23** and **EDPB Guidelines**, covering:
- Lawful basis determination
- Consent requirements
- Transparency obligations
- Data subject rights
- Documentation requirements

## What Claude Does vs What You Decide

| Claude Does | You Decide |
|-------------|------------|
| Explains GDPR requirements | Business risk tolerance |
| Drafts compliant language | Implementation priority |
| Identifies gaps | Legal interpretation |
| Creates documentation | DPO consultation needs |
| Suggests controls | Resource allocation |

## Instructions

### Step 1: Lawful Basis Assessment

**Six Lawful Bases (Article 6):**

| Basis | Marketing Use | Documentation Needed |
|-------|---------------|----------------------|
| **Consent** | Email marketing, cookies, tracking | Consent records |
| **Contract** | Customer communications | Contract terms |
| **Legitimate Interest** | Soft opt-in, B2B marketing | LIA document |
| **Legal Obligation** | Regulatory comms | Legal reference |
| **Vital Interest** | Rarely applicable | - |
| **Public Task** | Rarely applicable | - |

**Marketing Activity Mapping:**

| Activity | Typical Basis | Requirements |
|----------|---------------|--------------|
| Email newsletter | Consent | Double opt-in (best practice for proving consent, not a GDPR requirement), easy unsubscribe |
| Existing customer upsell | Legitimate Interest | LIA, opt-out available |
| Cold B2B outreach | Legitimate Interest | LIA, clear identity |
| Website cookies | Consent | Banner, granular choices |
| Retargeting ads | Consent | Cookie consent |
| Lead magnets | Consent | Clear purpose, separate consent |

### Step 2: Consent Requirements

**Valid Consent Criteria (Article 7):**
| Requirement | What It Means | Example |
|-------------|---------------|---------|
| Freely given | No bundling, no penalty | Separate from T&Cs |
| Specific | Clear purpose stated | "Marketing emails about [X]" |
| Informed | Who, what, why explained | Privacy notice linked |
| Unambiguous | Clear affirmative action | User ticks a box that is unchecked by default (pre-ticked boxes and inactivity are not consent) |
| Withdrawable | Easy to revoke | One-click unsubscribe |

**Consent Record Requirements:**
```
Record for each consent:
- Who consented (identifier)
- When (timestamp)
- What they consented to (purpose)
- How (mechanism)
- What they were told (notice version)
```
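The "How (mechanism)" line is where double opt-in fits: the consent record is only written once the subject clicks a confirmation link that nobody else could have forged for their address. The following is an added example, not code from the original skill, showing how such a confirmation token can be issued and verified in Python with an HMAC; the secret value, the 48-hour expiry, the field names and the `double_opt_in_email_link` mechanism label are assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumptions for this example: the signing secret would come from a secret
# store in production, and confirmation links expire after 48 hours.
SECRET = b"example-secret-rotate-me"
TOKEN_TTL = 48 * 3600


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_confirmation_token(email, purposes, notice_version, now=None):
    """Build the token carried by the double opt-in link. The payload is exactly
    what the subject is confirming (address, ticked purposes, notice version);
    the HMAC stops anyone forging a confirmation for an address they do not own."""
    payload = {
        "email": email.strip().lower(),
        "purposes": sorted(purposes),          # only the boxes the subject ticked
        "notice_version": notice_version,
        "issued_at": int(now if now is not None else time.time()),
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify_confirmation_token(token, now=None):
    """Return the confirmed payload, or None if the token is malformed, forged or expired."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):         # no separator, bad base64
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    payload = json.loads(body)                   # safe: the MAC proves we produced it
    current = now if now is not None else time.time()
    if current - payload["issued_at"] > TOKEN_TTL:
        return None
    return payload


def record_confirmed_consent(token, now=None):
    """Only a verified click yields consent records, one per purpose, carrying the
    who / when / what / how / notice-version fields listed above."""
    payload = verify_confirmation_token(token, now)
    if payload is None:
        return []
    confirmed_at = int(now if now is not None else time.time())
    return [
        {
            "subject": payload["email"],
            "purpose": purpose,
            "granted": True,
            "timestamp": confirmed_at,
            "mechanism": "double_opt_in_email_link",
            "notice_version": payload["notice_version"],
        }
        for purpose in payload["purposes"]
    ]
```

The purposes and notice version travel inside the signed token rather than being looked up when the link is clicked, so what gets recorded is exactly what the subject saw and confirmed, even if the form or the privacy notice changed in between.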

### Step 3: Privacy Notice Requirements

**Required Elements (Articles 13-14):**

| Element | First-Party Data | Third-Party Data |
|---------|------------------|------------------|
| Controller identity | Required | Required |
| DPO contact | If applicable | If applicable |
| Purposes | Required | Required |
| Lawful basis | Required | Required |
| Recipients | Required | Required |
| Transfers | If applicable | If applicable |
| Retention | Required | Required |
| Rights | Required | Required |
| Withdrawal | If consent | If consent |
| Complaint right | Required | Required |
| Source | N/A | Required |

### Step 4: Data Subject Rights

**Rights Framework:**

| Right | Timeline | Marketing Impact |
|-------|----------|------------------|
| Access (Art. 15) | 1 month | Provide a copy of all marketing data held, plus purposes, recipients, retention and source |
| Rectification (Art. 16) | 1 month | Update preferences and contact details |
| Erasure (Art. 17) | 1 month | Remove from lists (a minimal suppression record may be kept so the address is not re-added) |
| Restriction (Art. 18) | 1 month | Pause processing |
| Portability (Art. 20) | 1 month | Export consent- or contract-based data in a machine-readable format |
| Objection (Art. 21) | Immediate for direct marketing | Stop direct marketing, including profiling for it; no balancing test (Art. 21(3)) |

The one-month deadline runs from receipt of the request and can be extended by two further months for complex or numerous requests, provided the subject is told within the first month (Art. 12(3)). The objection to direct marketing is absolute and is not subject to that extension.

### Step 5: Documentation & Records

**Required Documentation:**
1. Records of Processing Activities (ROPA)
2. Legitimate Interest Assessments
3. Consent records and mechanisms
4. Privacy notices (versioned)
5. Data Subject Request log
6. Breach notification procedures

## Examples

### Example 1: Marketing Email Consent Flow

**Input:**
```
Design a GDPR-compliant consent flow for:
- SaaS product newsletter
- Product updates
- Promotional offers
- Third-party partner offers
```

**Output:**
````
## GDPR-Compliant Email Consent Flow

### Consent Collection UI

---

**Signup Form Fields:**

```
Email: [________________]

[ ] I agree to receive the monthly newsletter with industry insights
[ ] I agree to receive product updates and feature announcements
[ ] I agree to receive promotional offers and discounts
[ ] I agree to receive relevant offers from our trusted partners

[Sign Up]

By signing up, you confirm you've read our [Privacy Notice].
You can withdraw consent at any time via the unsubscribe link or by contacting us.
```

**Design Requirements:**
- All checkboxes unchecked by default
- No "select all" option
- Each purpose separate
- Privacy notice linked, not buried
- No dark patterns

---

### Consent Record Structure

```json
{
  "email": "user@example.com",
  "consents": [
    {
      "purpose": "newsletter",
      "granted": true,
      "timestamp": "2026-01-31T10:30:00Z",
      "source": "signup_form_v3",
      "notice_version": "privacy_v2.1"
    },
    {
      "purpose": "product_updates",
      "granted": true,
      "timestamp": "2026-01-31T10:30:00Z",
      "source": "signup_form_v3",
      "notice_version": "privacy_v2.1"
    },
    {
      "purpose": "promotional",
      "granted": false,
      "timestamp": null,
      "source": null,
      "notice_version": null
    },
    {
      "purpose": "third_party",
      "granted": false,
      "timestamp": null,
      "source": null,
      "notice_version": null
    }
  ],
  "ip_address": "203.0.113.42",
  "user_agent": "Mozilla/5.0..."
}
```

---

### Email Footer (Required)

```
---
You're receiving this because you subscribed to our [newsletter/updates].

Manage preferences: [link]
Unsubscribe from this list: [link]
Unsubscribe from all: [link]

[Company Name]
[Address]
[Contact Email]
```

---

### Preference Center

| Subscription | Status | Action |
|--------------|--------|--------|
| Monthly Newsletter | [ON/OFF] | Industry insights and tips |
| Product Updates | [ON/OFF] | New features and improvements |
| Promotional Offers | [ON/OFF] | Discounts and special deals |
| Partner Offers | [ON/OFF] | Relevant third-party offers |

[Update Preferences] [Unsubscribe from All]

---

### Compliance Checklist

- [ ] All consents granular (separate checkboxes)
- [ ] Checkboxes unchecked by default
- [ ] Clear description of each purpose
- [ ] Privacy notice accessible
- [ ] Withdrawal mechanism clear
- [ ] Consent records stored
- [ ] Double opt-in implemented
- [ ] Unsubscribe in every email
- [ ] Preference center available
````
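The consent record structure in this example, the consent record requirements in Step 2 and the rights in Step 4 all act on the same store, so the following is one added example, not code from the original skill, that implements them together in Python: an append-only, hash-chained ledger where each event carries who/when/what/how/notice version, with withdrawal (Art. 7(3)), objection to direct marketing (Art. 21(3)), export (Art. 15/20) and erasure (Art. 17) layered on top. The purpose names follow the signup form above; the pepper, the pseudonymous subject ID, the `art21_objection` mechanism label, and the policy of keeping a suppression entry after erasure are assumptions for the example, and the last one should be confirmed with your DPO.

```python
import hashlib
import json

# Purpose names follow the signup form example; the pepper is an assumption and
# would live in a secret store in production.
PURPOSES = ("newsletter", "product_updates", "promotional", "third_party")
PEPPER = b"example-pepper"


def subject_id(email):
    """Pseudonymous key: the ledger itself never stores the address."""
    return hashlib.sha256(PEPPER + email.strip().lower().encode()).hexdigest()


def _digest(event):
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(
        json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class ConsentLedger:
    """Append-only consent log. Each event records who/when/what/how/notice
    version and hashes the previous event, so an edited or deleted record shows
    up when the chain is verified during an audit."""

    def __init__(self):
        self.events = []         # the hash-chained record
        self.identities = {}     # subject_id -> email, the only place PII lives
        self.suppressed = set()  # subject_ids that must not be marketed to

    def _append(self, sid, purpose, granted, mechanism, notice_version, when):
        event = {"subject_id": sid, "purpose": purpose, "granted": granted,
                 "mechanism": mechanism, "notice_version": notice_version,
                 "timestamp": when,   # ISO 8601 string, e.g. "2026-01-31T10:30:00Z"
                 "prev_hash": self.events[-1]["hash"] if self.events else "0" * 64}
        event["hash"] = _digest(event)
        self.events.append(event)
        return event

    def grant(self, email, purpose, mechanism, notice_version, when):
        sid = subject_id(email)
        self.identities[sid] = email
        return self._append(sid, purpose, True, mechanism, notice_version, when)

    def withdraw(self, email, purpose, mechanism, when):
        # Art. 7(3): a withdrawal is logged with the same detail as the grant
        return self._append(subject_id(email), purpose, False, mechanism, None, when)

    def object_to_direct_marketing(self, email, when):
        # Art. 21(3): absolute right, no balancing test; every marketing purpose
        # stops now. (A later fresh opt-in would have to clear the suppression.)
        sid = subject_id(email)
        for purpose in PURPOSES:
            self._append(sid, purpose, False, "art21_objection", None, when)
        self.suppressed.add(sid)

    def current_state(self, email):
        """Latest recorded decision per purpose (None = never presented or answered)."""
        sid, state = subject_id(email), {p: None for p in PURPOSES}
        for e in self.events:
            if e["subject_id"] == sid:
                state[e["purpose"]] = e["granted"]
        return state

    def can_send(self, email, purpose):
        """Gate every send on a current, explicit, non-suppressed grant."""
        if subject_id(email) in self.suppressed:
            return False
        return self.current_state(email).get(purpose) is True

    def export(self, email):
        # Art. 15 / Art. 20: everything held on the subject, machine-readable
        sid = subject_id(email)
        return json.dumps({"email": self.identities.get(sid),
                           "events": [e for e in self.events if e["subject_id"] == sid]},
                          indent=2)

    def erase(self, email):
        """Art. 17: drop the identity mapping so the ledger no longer links to a
        named person, keep the chain intact, and suppress the pseudonym so an old
        list cannot re-add the address (assumed policy; confirm with your DPO)."""
        sid = subject_id(email)
        self.identities.pop(sid, None)
        self.suppressed.add(sid)

    def verify_chain(self):
        """Audit check: recompute every hash and link; False means tampering or loss."""
        prev = "0" * 64
        for e in self.events:
            if e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Keeping the address in a separate identity map is what lets erasure and the hash chain coexist: deleting a subject's events would break the chain for everyone after them, whereas dropping the mapping leaves the audit trail verifiable while the records no longer identify anyone. Every outbound send should go through `can_send`, so a suppression or withdrawal takes effect on the next message rather than at the next list rebuild.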

### Example 2: Legitimate Interest Assessment

**Input:**
```
We want to email our existing customers about related products.
Do we need consent or can we use legitimate interest?
```

**Output:**
````
## Legitimate Interest Assessment: Customer Cross-Sell

### Summary

You can likely rely on legitimate interest (not consent) for
emailing existing customers about **similar** products, but must
complete this assessment and offer easy opt-out.

---

### Three-Part LIA Test

#### 1. Purpose Test: Is There a Legitimate Interest?

**Interest:** Promote related products to existing customers
**Legitimacy:** Yes - recognized business interest in customer development
**Benefit:** Revenue growth, customer relationship deepening

✅ **PASS**

---

#### 2. Necessity Test: Is Processing Necessary?

| Question | Answer |
|----------|--------|
| Is email necessary to achieve the interest? | Yes - direct communication channel |
| Is there a less intrusive way? | In-app notifications possible but less effective |
| Is the processing proportionate? | Yes - limited frequency, relevant content |

✅ **PASS** (with conditions)

**Conditions:**
- Limit to genuinely related products
- Reasonable frequency (not daily)
- Honor opt-outs immediately

---

#### 3. Balancing Test: Individual Rights vs. Your Interest

| Factor | Assessment |
|--------|------------|
| Nature of data | Basic contact info - low sensitivity |
| Reasonable expectations | Customers expect marketing from sellers |
| Relationship | Existing customer relationship |
| Impact on individual | Minor inconvenience, easy to opt out |
| Safeguards | Opt-out in every email |

✅ **PASS**

---

### Conclusion

**Lawful Basis:** Legitimate Interest (Article 6(1)(f))

**Requirements for Compliance:**

1. **Document this LIA** and keep on file
2. **Include in privacy notice:**
   "We may contact existing customers about similar products
   based on legitimate interest. You can opt out at any time."
3. **Easy opt-out:** Every email must have unsubscribe
4. **Honor preferences:** Immediate suppression on opt-out
5. **Similar products only:** Don't expand to unrelated offerings
6. **Reasonable frequency:** No more than weekly

---

### Template Email Footer

```
You're receiving this as a valued [Company] customer.

Not interested in product updates?
[Opt out of marketing] | [Manage preferences]

This email was sent based on our legitimate interest in keeping
customers informed about relevant products. See our Privacy Notice
for details and your rights.
```

---

### When This Doesn't Apply

Use **consent** instead if:
- Products are significantly different
- Customer bought once 2+ years ago
- You acquired data from third party
- Customer previously opted out
- Emails are primarily promotional (not informational)
````

## Skill Boundaries

### What This Skill Does Well
- Explaining GDPR requirements
- Drafting compliant language
- Creating documentation templates
- Identifying compliance gaps

### What This Skill Cannot Do
- Provide legal advice
- Know your specific jurisdiction nuances
- Guarantee regulatory acceptance
- Replace DPO consultation

### When to Escalate to Human
- Complex cross-border transfers
- Regulatory investigation
- Data breach response
- Novel processing activities

## Iteration Guide

**Follow-up Prompts:**
- "Draft the privacy notice section for [activity]"
- "How do we handle a right to erasure request?"
- "What documentation do we need for [processing]?"
- "Is this cookie banner compliant?"

## References

- GDPR Text (Regulation 2016/679)
- EDPB Guidelines on Consent
- ICO Direct Marketing Guidance
- CNIL Cookie Guidelines

## Related Skills

- `terms-analyzer` - Terms of service review
- `contract-review` - DPA analysis
- `nda-generator` - Confidentiality

## Skill Metadata

- **Domain**: Legal / Marketing
- **Complexity**: Intermediate
- **Mode**: centaur
- **Time to Value**: 1-2 hours per assessment
- **Prerequisites**: Basic GDPR familiarity
