Ensure GDPR compliance for marketing activities including consent management, data processing, privacy notices, and data subject rights
Ensure your marketing activities comply with GDPR requirements for consent, data processing, and privacy rights.
Based on GDPR Articles 6, 7, 12-23 and EDPB Guidelines, covering:
| Claude Does | You Decide |
|---|---|
| Explains GDPR requirements | Business risk tolerance |
| Drafts compliant language | Implementation priority |
| Identifies gaps | Legal interpretation |
| Creates documentation | DPO consultation needs |
| Suggests controls | Resource allocation |
Six Lawful Bases (Article 6):
| Basis | Marketing Use | Documentation Needed |
|---|---|---|
| Consent | Email marketing, cookies, tracking | Consent records |
| Contract | Customer communications | Contract terms |
| Legitimate Interest | Soft opt-in, B2B marketing | LIA document |
| Legal Obligation | Regulatory comms | Legal reference |
| Vital Interest | Rarely applicable | - |
| Public Task | Rarely applicable | - |
Marketing Activity Mapping:
| Activity | Typical Basis | Requirements |
|---|---|---|
| Email newsletter | Consent | Double opt-in, easy unsubscribe |
| Existing customer upsell | Legitimate Interest | LIA, opt-out available |
| Cold B2B outreach | Legitimate Interest | LIA, clear identity |
| Website cookies | Consent | Banner, granular choices |
| Retargeting ads | Consent | Cookie consent |
| Lead magnets | Consent | Clear purpose, separate consent |
Valid Consent Criteria (Article 7):
| Requirement | What It Means | Example |
|---|---|---|
| Freely given | No bundling, no penalty | Separate from T&Cs |
| Specific | Clear purpose stated | "Marketing emails about [X]" |
| Informed | Who, what, why explained | Privacy notice linked |
| Unambiguous | Clear affirmative action | Unchecked checkbox |
| Withdrawable | Easy to revoke | One-click unsubscribe |
Consent Record Requirements:
Record for each consent:
- Who consented (identifier)
- When (timestamp)
- What they consented to (purpose)
- How (mechanism)
- What they were told (notice version)
Required Elements (Articles 13-14):
| Element | First-Party Data | Third-Party Data |
|---|---|---|
| Controller identity | Required | Required |
| DPO contact | If applicable | If applicable |
| Purposes | Required | Required |
| Lawful basis | Required | Required |
| Recipients | Required | Required |
| Transfers | If applicable | If applicable |
| Retention | Required | Required |
| Rights | Required | Required |
| Withdrawal | If consent | If consent |
| Complaint right | Required | Required |
| Source | N/A | Required |
Rights Framework:
| Right | Timeline | Marketing Impact |
|---|---|---|
| Access (Art. 15) | 1 month | Provide all marketing data |
| Rectification (Art. 16) | 1 month | Update preferences |
| Erasure (Art. 17) | 1 month | Remove from lists |
| Restriction (Art. 18) | 1 month | Pause processing |
| Portability (Art. 20) | 1 month | Export in machine format |
| Objection (Art. 21) | Immediate for marketing | Stop direct marketing |
Required Documentation:
Input:
Design a GDPR-compliant consent flow for:
- SaaS product newsletter
- Product updates
- Promotional offers
- Third-party partner offers
Output:
## GDPR-Compliant Email Consent Flow
### Consent Collection UI
---
**Signup Form Fields:**
Email: [________________]
[ ] I agree to receive the monthly newsletter with industry insights [ ] I agree to receive product updates and feature announcements [ ] I agree to receive promotional offers and discounts [ ] I agree to receive relevant offers from our trusted partners
[Sign Up]
By signing up, you confirm you've read our [Privacy Notice]. You can withdraw consent anytime via unsubscribe link or contacting us.
**Design Requirements:**
- All checkboxes unchecked by default
- No "select all" option
- Each purpose separate
- Privacy notice linked, not buried
- No dark patterns
---
### Consent Record Structure
```json
{
"email": "[email protected]",
"consents": [
{
"purpose": "newsletter",
"granted": true,
"timestamp": "2026-01-31T10:30:00Z",
"source": "signup_form_v3",
"notice_version": "privacy_v2.1"
},
{
"purpose": "product_updates",
"granted": true,
"timestamp": "2026-01-31T10:30:00Z",
"source": "signup_form_v3",
"notice_version": "privacy_v2.1"
},
{
"purpose": "promotional",
"granted": false,
"timestamp": null,
"source": null,
"notice_version": null
},
{
"purpose": "third_party",
"granted": false,
"timestamp": null,
"source": null,
"notice_version": null
}
],
"ip_address": "192.168.1.1",
"user_agent": "Mozilla/5.0..."
}
---
You're receiving this because you subscribed to our [newsletter/updates].
Manage preferences: [link]
Unsubscribe from this list: [link]
Unsubscribe from all: [link]
[Company Name]
[Address]
[Contact Email]
| Subscription | Status | Action |
|---|---|---|
| Monthly Newsletter | [ON/OFF] | Industry insights and tips |
| Product Updates | [ON/OFF] | New features and improvements |
| Promotional Offers | [ON/OFF] | Discounts and special deals |
| Partner Offers | [ON/OFF] | Relevant third-party offers |
[Update Preferences] [Unsubscribe from All]
### Example 2: Legitimate Interest Assessment
**Input:**
We want to email our existing customers about related products. Do we need consent or can we use legitimate interest?
**Output:**
You can likely rely on legitimate interest (not consent) for emailing existing customers about similar products, but must complete this assessment and offer easy opt-out.
Interest: Promote related products to existing customers Legitimacy: Yes - recognized business interest in customer development Benefit: Revenue growth, customer relationship deepening
✅ PASS
| Question | Answer |
|---|---|
| Is email necessary to achieve the interest? | Yes - direct communication channel |
| Is there a less intrusive way? | In-app notifications possible but less effective |
| Is the processing proportionate? | Yes - limited frequency, relevant content |
✅ PASS (with conditions)
Conditions:
| Factor | Assessment |
|---|---|
| Nature of data | Basic contact info - low sensitivity |
| Reasonable expectations | Customers expect marketing from sellers |
| Relationship | Existing customer relationship |
| Impact on individual | Minor inconvenience, easy to opt out |
| Safeguards | Opt-out in every email |
✅ PASS
Lawful Basis: Legitimate Interest (Article 6(1)(f))
Requirements for Compliance:
You're receiving this as a valued [Company] customer.
Not interested in product updates?
[Opt out of marketing] | [Manage preferences]
This email was sent based on our legitimate interest in keeping
customers informed about relevant products. See our Privacy Notice
for details and your rights.
Use consent instead if:
## Skill Boundaries
### What This Skill Does Well
- Explaining GDPR requirements
- Drafting compliant language
- Creating documentation templates
- Identifying compliance gaps
### What This Skill Cannot Do
- Provide legal advice
- Know your specific jurisdiction nuances
- Guarantee regulatory acceptance
- Replace DPO consultation
### When to Escalate to Human
- Complex cross-border transfers
- Regulatory investigation
- Data breach response
- Novel processing activities
## Iteration Guide
**Follow-up Prompts:**
- "Draft the privacy notice section for [activity]"
- "How do we handle a right to erasure request?"
- "What documentation do we need for [processing]?"
- "Is this cookie banner compliant?"
## References
- GDPR Text (Regulation 2016/679)
- EDPB Guidelines on Consent
- ICO Direct Marketing Guidance
- CNIL Cookie Guidelines
## Related Skills
- `terms-analyzer` - Terms of service review
- `contract-review` - DPA analysis
- `nda-generator` - Confidentiality
## Skill Metadata
- **Domain**: Legal / Marketing
- **Complexity**: Intermediate
- **Mode**: centaur
- **Time to Value**: 1-2 hours per assessment
- **Prerequisites**: Basic GDPR familiarity