From privacy-impact-assessment-skills
Conducts pre-DPIA threshold screening for GDPR Article 35 using the EDPB WP248 nine-criteria test, national supervisory authority blacklists, and risk appetite to decide whether a full DPIA is required. Outputs a documented decision.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-impact-assessment-skills

This skill uses the workspace's default tool permissions.
Article 35(1) GDPR requires a DPIA when processing is "likely to result in a high risk to the rights and freedoms of natural persons." This skill provides a structured screening methodology to make that determination before committing to a full DPIA.
Processing that meets two or more of the following criteria generally requires a DPIA:
| # | Criterion | GDPR Reference |
|---|---|---|
| 1 | Evaluation or scoring | Art. 35(3)(a) |
| 2 | Automated decision-making with legal/similar effect | Art. 35(3)(a) |
| 3 | Systematic monitoring | Art. 35(3)(c) |
| 4 | Sensitive data or data of highly personal nature | Art. 9, Art. 10 |
| 5 | Data processed on a large scale | Recital 91 |
| 6 | Matching or combining datasets | WP248 |
| 7 | Data concerning vulnerable data subjects | WP248 |
| 8 | Innovative use or applying new technological solutions | WP248 |
| 9 | Processing that prevents data subjects from exercising a right | Art. 22, Art. 35(3)(b) |
A DPIA is always required for:
Each EU/EEA supervisory authority (SA) publishes a list of processing operations requiring a DPIA. The screening must check the national blacklist that applies to the controller's establishment.
```
IF any Art. 35(3) mandatory trigger is met → DPIA REQUIRED
ELSE IF processing appears on national SA blacklist → DPIA REQUIRED
ELSE IF 2+ WP248 criteria are met → DPIA REQUIRED
ELSE IF 1 WP248 criterion is met → DPIA RECOMMENDED (risk-based decision)
ELSE → DPIA NOT REQUIRED (document exemption)
```