casemark/gdpr-dpa
skills/legal/gdpr-dpa/SKILL.md
Drafts GDPR Article 28-compliant Data Processing Addenda with schedules ready for execution. Use when drafting or updating a DPA, vendor GDPR addendum, controller-processor agreement, or data protection addendum involving sub-processors, breach notification, audits, international transfers, or SCCs.
$ install --global
skillsauthnpx skillsauth add casemark/skills gdpr-dpaInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 3:31 AM118.4s1 file scanned
SKILL.md
- name:
- gdpr-dpa
- description:
- >-
GDPR Data Processing Addendum (DPA)
Produces an Article 28-compliant DPA aligned with the governing service agreement, covering processing details, security, sub-processor controls, breach notice, audits, and deletion terms.
Quick Start
Gather before drafting:
- [ ] Party details: legal names, addresses, registration numbers (Controller + Processor)
- [ ] Underlying agreement reference (name, date, SOWs/order forms)
- [ ] Processing description: subject matter, duration, nature, purpose, operations
- [ ] Data inventory: data subject categories, personal data types, special categories (Art 9), criminal data (Art 10)
- [ ] Transfer map: processing locations, transfer mechanism (adequacy, SCCs, BCRs, Art 49)
- [ ] Security baseline: certifications, TOMs
- [ ] Sub-processor list + approval model (general vs specific) with objection window
- [ ] Incident response SLAs and audit preferences
- [ ] Termination: return/deletion formats, timelines, retention constraints
Drafting Workflow
- Draft header, recitals, effective date, and order-of-precedence clause with the main agreement.
- Define GDPR terms: Controller, Processor, Personal Data, Processing, Sub-processor, Data Protection Laws, Personal Data Breach, Services.
- Insert Article 28(3) mandatory clauses (see checklist below).
- Add security (Art 32), breach notification (Arts 33-34), and assistance (Arts 32-36) clauses.
- Add sub-processor governance (Art 28(2), 28(4)) with flow-down obligations.
- Add audit and compliance evidence provisions (Arts 28(3)(h), 40, 42).
- If data leaves the EEA, add international transfer terms (Art 46 SCCs, Art 47 BCRs, Art 49 derogations).
- Add termination, return/deletion obligations, and backup handling.
- Populate Schedules A-D from inputs; mark gaps as
[REQUIRED].
Article 28(3) Mandatory Clause Checklist
| GDPR basis | Clause | Required content | |---|---|---| | Art 28(3)(a) | Instructions | Process only on documented Controller instructions; notify if instruction violates law | | Art 28(3)(b) | Confidentiality | Authorized personnel bound by confidentiality | | Art 28(3)(c) | Security | Appropriate TOMs per Art 32 | | Art 28(3)(d) | Sub-processors | No sub-processing without authorization; flow-down equivalent obligations | | Art 28(3)(e) | Data subject rights | Assist Controller with Chapter III requests | | Art 28(3)(f) | Assistance | Assist with Art 32-36 obligations including DPIA and prior consultation | | Art 28(3)(g) | Return/Deletion | Return or delete personal data at end of services; certify | | Art 28(3)(h) | Audits/Info | Make information available; allow and contribute to audits |
Key Decision Points
| Decision | Options | Input needed | |---|---|---| | Sub-processor authorization | General / Specific | Controller policy, objection window | | Audit model | On-site / Remote / Third-party / Certification | Vendor policy, existing reports | | Breach notice SLA | 24h / 48h / Other | Risk tolerance, incident playbooks | | Data return format | CSV / JSON / Native export | System compatibility | | Transfer mechanism | Adequacy / SCCs / BCRs / Art 49 | Data flows and locations |
Schedule Templates
Schedule A — Approved Sub-processors
| Name | Location | Processing Activity | Authorization Type | Notice Period | |---|---|---|---|---| | TBD | TBD | TBD | General/Specific | 30 days |
Schedule B — Description of Processing
| Field | Details | |---|---| | Subject matter | | | Duration | | | Nature of processing | | | Purpose | | | Processing operations | | | Categories of data subjects | | | Categories of personal data | | | Special categories (Art 9) | | | Criminal data (Art 10) | | | Processing locations | |
Schedule C — Technical and Organizational Measures
| Domain | Measures | |---|---| | Access control | | | Encryption/pseudonymization | | | Logging/monitoring | | | Availability/resilience | | | Incident response | | | Testing/evaluation | | | Physical security | |
Schedule D — Audit/Certification Evidence
| Evidence | Date | Scope | Reference | |---|---|---|---| | ISO 27001 | | | | | SOC 2 Type II | | | |
Pitfalls
- No absolute security promises. Use "appropriate" measures per Art 32; tie to risk profile.
- Special categories / children's data require heightened safeguards and stricter access controls.
- Missing transfer basis is a blocker. If any non-EEA transfer occurs, specify the mechanism and attach SCCs or equivalent before finalizing.
- Schedule consistency. Keep schedules aligned with DPA body text; ensure sub-processor lists are current.
- Order of precedence. Data protection terms must prevail over conflicting service agreement terms.
- Mark uncertain legal citations with
[VERIFY].
Related Skills
casemark/skills/legal/automated-contract-summary
development
VerifiedTrustedCommunity
name: automated-contract-summary language: en description: Generates structured executive summaries of contracts using ML — captures key terms, party obligations, risk allocations, and compliance requirements in a standardized format. Optimized for high-volume review where speed and consistency matter. tags: - summarization - agreement - corporate --- # Automated Contract Summarization Produces standardized executive summaries of contracts using machine learning, capturing essential term
21SKILL.mdUpdated May 26, 2026
casemark/obligation-mapping
tools
VerifiedTrustedCommunity
Extracts regulatory obligations from dense regulations across jurisdictions. Breaks down multi-level regulations into clear article-level obligations, classifies applicability to a business, and prioritizes by risk level. Use when translating regulations into actionable compliance requirements.
21SKILL.mdUpdated May 25, 2026
casemark/horizon-scanning
development
VerifiedTrustedCommunity
Continuously monitors regulatory landscapes for changes relevant to a specific business. Ingests global regulatory updates, filters by relevance, summarizes impact, and produces an actionable change advisory. Use when tracking regulatory developments affecting a particular product or market.
21SKILL.mdUpdated May 25, 2026
casemark/gap-analysis
testing
VerifiedTrustedCommunity
Compares an organization's existing compliance controls, policies, and procedures against extracted regulatory obligations to identify coverage gaps. Produces a remediation plan with prioritized actions. Use when assessing compliance maturity or preparing for regulatory audits.
21SKILL.mdUpdated May 25, 2026