Draft GDPR/DSGVO-compliant privacy notices as .docx for any EU/EEA jurisdiction and audience. Use when user asks to create a privacy policy/notice, mentions "Datenschutzerklärung", "politique de confidentialité", "privacy notice", needs Art. 13/14 disclosures, AI Act transparency, cookie policy, or notices for applicants ("Bewerber-Datenschutz"), employees ("Beschäftigten-Datenschutz"), B2B partners, or B2C customers. Covers DE (DSGVO+BDSG+TDDDG), FR (RGPD+LIL+LCEN), AT, IT, ES, NL, BE, IE, UK GDPR. Five notice types: Website/App, Applicant, Employee, Business Partner, B2C Customer.
Generate jurisdiction-aware, GDPR-compliant privacy notices as professional .docx documents.
1. SCOPE → Notice type, jurisdiction(s), template choice
2. INTAKE → Type-driven collection: controller info, data inventory, legal bases
3. DRAFT → Generate notice from template + type profile + collected info
4. VERIFY → Art. 13/14 compliance check + type-specific checks + AI Act check
5. DELIVER → .docx output via docx skill
Before anything else, determine what type of privacy notice is needed. Load references/NOTICE_TYPES.md and ask:
"What type of privacy notice do you need?"
| Type | Description |
|---|
| Website / App | For visitors, users, subscribers of a website, web app, or mobile app |
| Applicant / Recruiting | For job applicants and candidates (Bewerber, candidats) |
| Employee | For employees, contractors, interns (Beschäftigte, salariés) |
| Business Partner (B2B) | For contact persons at vendors, suppliers, clients, partners |
| B2C Customer | For end consumers in a customer/purchase relationship |
| Combined | Multiple audiences in one or several linked notices |
The selected type determines:
Refer to references/NOTICE_TYPES.md for the full section map, data profile, legal bases, intake questions, and retention defaults for each type.
Ask which countries/markets the service targets. Load the appropriate reference:
| Target Market | Reference File |
|---|---|
| Germany / DACH | references/DE.md |
| France | references/FR.md |
| Other EU (AT, IT, ES, NL, BE, IE, UK) | references/OTHER_EU.md |
| Always load | references/EU_COMMON.md |
For multi-jurisdiction services, load all relevant files and note where requirements differ (e.g., children's age thresholds, DPO thresholds, retention rules).
Ask the user:
"I will draft the privacy notice as a professional .docx document. Do you have an existing template or privacy notice I should use as a base? If not, I will use one of our pre-built templates."
| Option | Action |
|---|---|
| User provides template | Use their .docx as base — preserve structure, wording, and formatting; only fill/adapt |
| No user template | Generate from references/templates.md using the docx skill |
references/templates.md includes: 13-section structure, Art. 21 objection box (visually highlighted), purposes/retention table, cookie table, AI/automated decision-making section, children's data section, proper header/footer with page numbers, A4 formatting, TOC, and full translations for DE, FR, and EN. Select the language matching the target jurisdiction.
If user provides a template: faithfully preserve its structure and validated wording. Only replace placeholders and adapt to the specific case. Do NOT rewrite validated legal language.
If the service targets multiple jurisdictions or language groups, determine the language approach:
| Scenario | Approach |
|---|---|
| Single market, single language | One notice in the market's language (e.g., DE only → German) |
| Single market, international workforce/users | Primary language + English version. State which version governs in case of conflict. |
| Two markets, two languages | Option A: Two separate notices (one per language), each self-contained. Option B: Bilingual notice with clear visual separation (e.g., side-by-side columns or sequential sections). |
| Pan-EU / many markets | English as primary + translations for key markets. Each translation should be a standalone notice, not a partial translation. |
| Swiss company (nDSG + GDPR) | Address both the Swiss nFADP (new Federal Act on Data Protection) and GDPR. Typical approach: single notice referencing both regimes, in at least German + French (+ Italian if applicable). Note: nFADP has no consent requirement for general processing but requires information duties similar to Art. 13/14 GDPR. |
Template handling for bilingual documents:
Multi-language verification checklist (add to Step 4 if applicable):
If the notice type is Website / App, further classify the platform to anticipate data categories. See references/NOTICE_TYPES.md → "Website / App" → "Sub-Types & Data Profiles" for details.
| Sub-Type | Typical Additional Data |
|---|---|
| Brochure/corporate site | Contact forms, analytics, cookies only |
| E-commerce | Account, payment, order history, shipping, returns |
| SaaS / Web app | Account, usage data, feature logs, API keys, collaboration data |
| Mobile app | Device ID, push tokens, permissions (camera, location, contacts), app usage |
| Marketplace | Dual roles (buyers/sellers), ratings, messaging, payment escrow |
| Platform with AI features | Training data, AI inputs/outputs, model decisions, profiling |
Collect ALL information before drafting. Use the type profile from references/NOTICE_TYPES.md to guide the intake — each type pre-defines likely data categories, legal bases, and type-specific questions.
Ask in logical groups, not all at once. Start with Group A (always), then use the type profile to determine which categories to probe and which type-specific questions to ask.
For each collection point (forms, account creation, purchase, cookies, app usage):
Categories to probe:
EU_COMMON.md → "Special Category Data (Art. 9)" for the full intake protocol. Determine the Art. 9(2) exception for each category, confirm the dual legal basis (Art. 6 + Art. 9(2)), and document additional safeguards. Common triggers by notice type: Employee (church tax, disability, sick leave, union dues), Applicant (disability, health, religion), B2C (health data for pharmacy/insurance/fitness).For each processing activity, determine the legal basis. Reference EU_COMMON.md for guidance.
Present as a table for the user to confirm:
| Purpose | Legal Basis | Data Categories |
|---|---|---|
| Service provision / contract execution | Art. 6(1)(b) | [to fill] |
| Account management | Art. 6(1)(b) | [to fill] |
| Legal/tax compliance | Art. 6(1)(c) — [specific law] | [to fill] |
| Analytics | Art. 6(1)(f) or consent | [to fill] |
| Marketing / newsletter | Art. 6(1)(a) consent | [to fill] |
| AI-based processing | [determine per use case] | [to fill] |
DPA / Art. 28 Cross-Reference — For each processor identified:
If the service uses AI/ML:
Check whether a Data Protection Impact Assessment may be required. If 2 or more of the following indicators apply, inform the user and recommend a DPIA as a separate deliverable:
If 2+ indicators are flagged:
After collection, produce a structured summary for user confirmation:
NOTICE TYPE: [Website / Applicant / Employee / B2B / B2C / Combined]
CONTROLLER: [Name, form, address]
JURISDICTION(S): [Countries]
PLATFORM: [Type / Sub-type if website]
DPO: [Yes/No + contact]
DATA CATEGORIES: [List by collection point]
PURPOSES + BASES: [Table]
PROCESSORS: [List with locations]
TRANSFERS: [Countries + mechanisms]
COOKIES: [Categories + tools + CMP — if applicable per type]
AI PROCESSING: [Yes/No + details]
RETENTION: [Key periods — cross-check with type defaults]
SPECIFICS: [Anything unusual]
SECTIONS TO INCLUDE: [Based on type section map]
SECTIONS TO SKIP: [Based on type section map]
Confirm with user before proceeding to draft.
Use the section map from references/NOTICE_TYPES.md for the selected notice type. Only include sections marked ✅ or ⚠️ (if applicable). Skip sections marked ❌. This avoids irrelevant content (e.g., cookie tables in an applicant notice).
For combined notices covering multiple audiences, see references/NOTICE_TYPES.md → "Combined Notices" for structural options (single comprehensive, separate, or layered).
PRIVACY NOTICE / DATENSCHUTZERKLÄRUNG / POLITIQUE DE CONFIDENTIALITÉ
[Company Name]
Last updated: [DATE]
1. WHO WE ARE (Controller identity + DPO)
2. WHAT DATA WE COLLECT (by category, with source + mandatory/optional)
3. WHY WE PROCESS YOUR DATA (purposes + legal bases table, incl. retention per purpose)
4. WHO RECEIVES YOUR DATA (recipients + processors)
5. INTERNATIONAL TRANSFERS (countries + safeguards)
6. HOW LONG WE KEEP YOUR DATA (retention table — can be merged with section 3)
7. YOUR RIGHTS (all applicable rights + exercise procedure)
8. COOKIES & TRACKING (categories + management + CMP reference)
9. AI & AUTOMATED DECISIONS (if applicable — Art. 22 + AI Act)
10. DATA SECURITY (general measures, no sensitive technical details)
11. CHILDREN'S DATA (if applicable — age threshold + mechanism)
12. CHANGES TO THIS NOTICE (notification method)
13. CONTACT (email + postal + form link)
Before delivery, perform a structured final check in this order:
1. Re-read the jurisdiction reference(s) loaded in Step 1 (DE.md, FR.md, OTHER_EU.md). Cross-check:
2. Verify Art. 13/14 mandatory disclosures against EU_COMMON.md → "Mandatory Disclosures Checklist". Every item must be present or explicitly not applicable with reason.
3. Additional checks:
4. Type-specific checks (from references/NOTICE_TYPES.md):
Applicant: § 26 BDSG referenced (DE)? Talent pool consent separate? Retention ≤ 6 months post-rejection unless consent? Art. 14 used if data from recruiters?
Employee: § 26 BDSG as primary basis (DE)? Works council mentioned if relevant? IT monitoring disclosed? Complex retention chain complete?
B2B: Art. 14 disclosure if data not from data subject directly? Source of data disclosed? Contact person vs. contracting entity distinction clear?
B2C Customer: Soft opt-in conditions met (DE: § 7(3) UWG)? Payment processor disclosed? Loyalty program terms clear? Profiling disclosed if applicable?
5. AI Act compliance (if AI features present):
Generate the final document using the docx generation skill (/mnt/skills/public/docx/SKILL.md in Claude.ai Projects, or the docx-processing-anthropic skill in Claude Code). If no docx skill is available, generate well-formatted Markdown as fallback.
Read the docx skill instructions before generating the file. Use docx-js for new documents. Follow all critical rules from the docx skill (DXA widths, LevelFormat.BULLET for lists, ShadingType.CLEAR for tables, etc.).
Present the .docx file with:
IMPORTANT: Always recommend that the user has the notice reviewed by qualified legal counsel before publication. This tool assists in drafting — it does not replace legal advice.
Present the following checklist to the user to guide their internal review and publication process:
Legal Review:
Technical Review:
Translation QA (if multi-language):
Publication Requirements:
Ongoing Review Triggers — Recommend the user reviews the notice when:
breach-sentinel skill| Do | Avoid |
|---|---|
| "you" / "your data" / "Sie" / "Ihre Daten" | "the user" / "the data subject" / "der Betroffene" |
| Short, clear sentences | Dense legal paragraphs |
| Specific examples for complex processing | Vague language ("various data", "diverse Daten") |
| Tables for structured information | Walls of text for purposes/retention |
| Precise article references | Generic "in accordance with applicable law" |
| Active voice | Passive constructions where avoidable |
| Plain language with legal precision | Either pure legalese or oversimplified language |