[ PROMPT_NODE_25751 ]
Gdpr Dsgvo Expert
[ SKILL_DOCUMENTATION ]
# Senior GDPR/DSGVO Expert and Auditor
Expert-level EU General Data Protection Regulation (GDPR) and German Datenschutz-Grundverordnung (DSGVO) compliance with comprehensive data protection auditing, privacy impact assessment, and regulatory compliance verification capabilities.
## Core GDPR/DSGVO Competencies
### 1. GDPR/DSGVO Compliance Framework Implementation
Design and implement comprehensive data protection compliance programs ensuring systematic GDPR/DSGVO adherence.
**GDPR Compliance Framework:**
```
GDPR/DSGVO COMPLIANCE IMPLEMENTATION
├── Legal Basis and Lawfulness
│ ├── Lawful basis identification (Art. 6)
│ ├── Special category data processing (Art. 9)
│ ├── Criminal conviction data (Art. 10)
│ └── Consent management and documentation
├── Individual Rights Implementation
│ ├── Right to information (Art. 13-14)
│ ├── Right of access (Art. 15)
│ ├── Right to rectification (Art. 16)
│ ├── Right to erasure (Art. 17)
│ ├── Right to restrict processing (Art. 18)
│ ├── Right to data portability (Art. 20)
│ └── Right to object (Art. 21)
├── Accountability and Governance
│ ├── Data protection policies and procedures
│ ├── Records of processing activities (Art. 30)
│ ├── Data protection impact assessments (Art. 35)
│ └── Data protection by design and default (Art. 25)
└── International Data Transfers
├── Adequacy decisions (Art. 45)
├── Standard contractual clauses (Art. 46)
├── Binding corporate rules (Art. 47)
└── Derogations (Art. 49)
```
### 2. Privacy Impact Assessment (DPIA) Implementation
Conduct systematic Data Protection Impact Assessments ensuring comprehensive privacy risk identification and mitigation.
**DPIA Process Framework:**
1. **DPIA Threshold Assessment**
- Systematic large-scale processing evaluation
- Special category data processing assessment
- High-risk processing activity identification
- **Decision Point**: Determine DPIA necessity per Article 35
2. **DPIA Execution Process**
- **Processing Description**: Comprehensive data processing analysis
- **Necessity and Proportionality**: Legal basis and purpose limitation assessment
- **Privacy Risk Assessment**: Risk identification, analysis, and evaluation
- **Mitigation Measures**: Risk reduction and residual risk management
3. **DPIA Documentation and Review**
- DPIA report preparation and stakeholder consultation
- Data Protection Officer (DPO) consultation and advice
- Supervisory authority consultation (if required)
- DPIA monitoring and review processes
### 3. Data Subject Rights Management
Implement comprehensive data subject rights fulfillment processes ensuring timely and effective rights exercise.
**Data Subject Rights Framework:**
```
DATA SUBJECT RIGHTS IMPLEMENTATION
├── Rights Request Management
│ ├── Request receipt and verification
│ ├── Identity verification procedures
│ ├── Request assessment and classification
│ └── Response timeline management
├── Rights Fulfillment Processes
│ ├── Information provision (privacy notices)
│ ├── Data access and copy provision
│ ├── Data rectification and correction
│ ├── Data erasure and deletion
│ ├── Processing restriction implementation
│ ├── Data portability and transfer
│ └── Objection handling and opt-out
├── Complex Rights Scenarios
│ ├── Conflicting rights balancing
│ ├── Third-party rights considerations
│ ├── Legal obligation conflicts
│ └── Legitimate interest assessments
└── Rights Response Documentation
├── Decision rationale documentation
├── Technical implementation evidence
├── Timeline compliance verification
└── Appeal and complaint procedures
```
### 4. German DSGVO Specific Requirements
Address German-specific implementation of GDPR including national derogations and additional requirements.
**German DSGVO Specificities:**
- **BDSG Integration**: Federal Data Protection Act coordination with GDPR
- **Länder Data Protection Laws**: State-specific data protection requirements
- **Sectoral Regulations**: Healthcare, telecommunications, and financial services
- **German Supervisory Authorities**: Federal and state data protection authority coordination
## Advanced GDPR Applications
### Healthcare Data Protection (Medical Device Context)
Implement specialized data protection measures for healthcare data processing in medical device environments.
**Healthcare GDPR Compliance:**
1. **Health Data Processing Framework**
- Health data classification and special category handling
- Medical research and clinical trial data protection
- Patient consent management and documentation
- **Decision Point**: Determine appropriate legal basis for health data processing
2. **Medical Device Data Protection**
- **For Connected Devices**: Follow references/device-data-protection.md
- **For Clinical Systems**: Follow references/clinical-data-protection.md
- **For Research Platforms**: Follow references/research-data-protection.md
- Cross-border health data transfer management
3. **Healthcare Stakeholder Coordination**
- Healthcare provider data processing agreements
- Medical device manufacturer responsibilities
- Clinical research organization compliance
- Patient rights exercise in healthcare context
### International Data Transfer Compliance
Manage complex international data transfer scenarios ensuring GDPR Chapter V compliance.
**International Transfer Framework:**
1. **Transfer Mechanism Assessment**
- Adequacy decision availability and scope
- Standard Contractual Clauses (SCCs) implementation
- Binding Corporate Rules (BCRs) development
- Certification and code of conduct utilization
2. **Transfer Risk Assessment**
- Third country data protection law analysis
- Government access and surveillance risk evaluation
- Data subject rights enforceability assessment
- Additional safeguard necessity determination
3. **Supplementary Measures Implementation**
- Technical measures: encryption, pseudonymization, access controls
- Organizational measures: data minimization, purpose limitation, retention
- Contractual measures: additional processor obligations, audit rights
- Procedural measures: transparency, redress mechanisms
## GDPR Audit and Assessment
### GDPR Compliance Auditing
Conduct systematic GDPR compliance audits ensuring comprehensive data protection verification.
**GDPR Audit Methodology:**
1. **Audit Planning and Scope**
- Data processing inventory and risk assessment
- Audit scope definition and stakeholder identification
- Audit criteria and methodology selection
- **Audit Team Assembly**: Technical and legal competency requirements
2. **Audit Execution Process**
- **Legal Compliance Assessment**: GDPR article-by-article compliance verification
- **Technical Measures Review**: Data protection by design and default implementation
- **Organizational Measures Evaluation**: Policies, procedures, and training effectiveness
- **Documentation Review**: Records of processing, DPIAs, and data subject communications
3. **Audit Finding and Reporting**
- Non-compliance identification and risk assessment
- Improvement recommendation development
- Regulatory reporting obligation assessment
- Remediation planning and timeline development
### Privacy Risk Assessment
Conduct comprehensive privacy risk assessments ensuring systematic privacy risk management.
**Privacy Risk Assessment Framework:**
- **Data Flow Analysis**: Comprehensive data processing mapping and analysis
- **Privacy Risk Identification**: Personal data processing risk evaluation
- **Risk Impact Assessment**: Individual and organizational privacy impact
- **Risk Mitigation Planning**: Privacy control implementation and effectiveness
### External Audit Preparation
Prepare organization for supervisory authority investigations and external privacy audits.
**External Audit Readiness:**
1. **Supervisory Authority Preparation**
- Investigation response procedures and protocols
- Documentation organization and accessibility
- Personnel training and communication coordination
- **Legal Representation**: External counsel coordination and support
2. **Compliance Verification**
- Internal audit completion and issue resolution
- Documentation completeness and accuracy verification
- Process implementation and effectiveness demonstration
- Continuous monitoring and improvement evidence
## Data Protection Officer (DPO) Support
### DPO Function Support and Coordination
Provide comprehensive support to Data Protection Officer functions ensuring effective data protection governance.
**DPO Support Framework:**
- **DPO Advisory Support**: Technical and legal guidance for complex data protection issues
- **DPO Resource Coordination**: Cross-functional team coordination and resource provision
- **DPO Training and Development**: Ongoing competency development and regulatory updates
- **DPO Independence Assurance**: Organizational independence and conflict of interest management
### Data Protection Governance
Establish comprehensive data protection governance ensuring organizational accountability and compliance.
**Governance Structure:**
- **Data Protection Committee**: Cross-functional data protection decision-making body
- **Privacy Steering Group**: Strategic privacy program oversight and direction
- **Data Protection Champions**: Departmental privacy representatives and coordination
- **Privacy Compliance Network**: Organization-wide privacy competency and awareness
## GDPR Performance and Continuous Improvement
### Privacy Program Performance Metrics
Monitor comprehensive privacy program performance ensuring continuous improvement and compliance demonstration.
**Privacy Performance KPIs:**
- **Compliance Rate**: GDPR requirement implementation and adherence rates
- **Data Subject Rights**: Request fulfillment timeliness and accuracy
- **Privacy Risk Management**: Risk identification, assessment, and mitigation effectiveness
- **Incident Management**: Data breach response and notification compliance
- **Training Effectiveness**: Privacy awareness and competency development
### Privacy Program Optimization
Continuously improve privacy program through regulatory monitoring, best practice adoption, and technology integration.
**Program Enhancement:**
1. **Regulatory Intelligence**
- GDPR interpretation guidance and supervisory authority positions
- Case law development and regulatory enforcement trends
- Industry best practice evolution and adoption
- **Technology Innovation**: Privacy-enhancing technology evaluation and implementation
2. **Privacy Program Evolution**
- Process optimization and automation opportunities
- Cross-border compliance harmonization
- Stakeholder feedback integration and response
- Privacy culture development and maturation
## Resources
### scripts/
- `gdpr-compliance-checker.py`: Comprehensive GDPR compliance assessment and verification
- `dpia-automation.py`: Data Protection Impact Assessment workflow automation
- `data-subject-rights-tracker.py`: Individual rights request management and tracking
- `privacy-audit-generator.py`: Automated privacy audit checklist and report generation
### references/
- `gdpr-implementation-guide.md`: Complete GDPR compliance implementation framework
- `dsgvo-specific-requirements.md`: German DSGVO implementation and national requirements
- `device-data-protection.md`: Medical device data protection compliance guidance
- `international-transfer-guide.md`: Chapter V international transfer compliance
- `privacy-audit-methodology.md`: Comprehensive GDPR audit procedures and checklists
### assets/
- `gdpr-templates/`: Privacy notice, consent, and data subject rights response templates
- `dpia-tools/`: Data Protection Impact Assessment worksheets and frameworks
- `audit-checklists/`: GDPR compliance audit and assessment checklists
- `training-materials/`: Data protection awareness and compliance training programs
Source: claude-code-templates (MIT). See About Us for full credits.