GDPR Compliance Coding Guidelines

1. Overview

The General Data Protection Regulation (GDPR), effective 25 May 2018, governs how organizations collect, store, process, and delete personal data of individuals in the EU/EEA. It applies to ANY service that processes data of EU/EEA residents, regardless of where the service is hosted. Non-compliance carries penalties of up to 4% of annual global turnover or EUR 20 million, whichever is greater. Every developer writing code that touches user data — names, emails, IP addresses, cookies, device IDs, location data, or any information that can identify a natural person — must follow these patterns.

2. The 7 Principles (Art. 5)

| # | Principle | What Developers Must Do |
|---|-----------|-------------------------|
| 1 | Lawfulness, fairness, transparency | Collect data only with a valid lawful basis (Art. 6). Show clear consent UI. Link to a readable privacy policy before any data collection. |
| 2 | Purpose limitation | Collect data for specified, explicit purposes. Use separate consent checkboxes per purpose. Never repurpose collected data without new consent. |
| 3 | Data minimization | Collect only what is strictly needed. Remove "nice to have" fields from forms and database schemas. If you do not need a birthdate, do not ask for it. |
| 4 | Accuracy | Provide edit-profile endpoints. Validate inputs at collection. Allow users to correct their data at any time. |
| 5 | Storage limitation | Define retention periods per data type. Implement automated cleanup jobs. Delete or anonymize data when the retention period expires. |
| 6 | Integrity & confidentiality | Encrypt PII at rest and in transit. Enforce role-based access control. Maintain audit logs of data access. |
| 7 | Accountability | Document all processing activities. Maintain a Record of Processing Activities (ROPA). Log consent events with timestamps and versions. |
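As an added example (not code from this skill or from the odinlayer-skills project), the Python below implements three of the rows above: per-purpose consent checks tied to the privacy-policy version the user saw (rows 2 and 7) and a retention sweep that anonymizes or deletes expired records by data type (row 5). The data types, retention periods and field names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed retention policy for this example (not values from the guideline): per data
# type, how long a record lives and what happens on expiry ("anonymize" keeps the
# non-identifying fields for statistics, "delete" drops the record entirely).
RETENTION: Dict[str, Tuple[timedelta, str]] = {
    "access_log": (timedelta(days=90), "anonymize"),
    "marketing_profile": (timedelta(days=365), "delete"),
}
PII_FIELDS = {"email", "name", "ip"}  # direct identifiers stripped on anonymization

@dataclass
class ConsentEvent:
    purpose: str         # one consent record per purpose (purpose limitation)
    granted: bool
    policy_version: str  # the privacy-policy version the user actually saw
    at: datetime         # when the event happened (accountability)

@dataclass
class Record:
    data_type: str
    created_at: datetime
    fields: Dict[str, str]
    anonymized: bool = False

def has_consent(events: List[ConsentEvent], purpose: str, current_policy: str) -> bool:
    """Consent is valid only if the latest event for this exact purpose granted it
    under the current policy version; consent for a different purpose never carries over."""
    matching = [e for e in events if e.purpose == purpose]
    if not matching:
        return False
    latest = max(matching, key=lambda e: e.at)
    return latest.granted and latest.policy_version == current_policy

def anonymize(record: Record) -> Record:
    kept = {k: v for k, v in record.fields.items() if k not in PII_FIELDS}
    return Record(record.data_type, record.created_at, kept, anonymized=True)

def retention_sweep(records: List[Record], now: datetime) -> List[Record]:
    """Storage-limitation cleanup: expire records per RETENTION; unknown types are untouched."""
    out = []
    for r in records:
        policy = RETENTION.get(r.data_type)
        if policy is None or r.created_at + policy[0] > now:
            out.append(r)  # no policy defined, or still within its retention period
        elif policy[1] == "anonymize":
            out.append(anonymize(r))  # "delete" types are simply not carried over
    return out
```

A real cleanup job would run `retention_sweep` on a schedule against the datastore and record each anonymization or deletion in the audit log, so the ROPA can show that retention was actually enforced.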

3. Lawful Bases for Processing (Art. 6)

First seen: Feb 9, 2026
gdpr-compliance — peixotorms/odinlayer-skills