# gdpr-audit-prep

GDPR audit prep `<scope>`: a six-question, Article-cited forcing interrogation. Use before an annual internal GDPR review, a post-breach internal audit, DPA investigation readiness, or acquisition due diligence.

- Category: Programming & Development (`coding`) / Code Review (`review`): code quality analysis, security review
- Tags: `alirezarezvani`, `coding`
- Source: imported from https://github.com/alirezarezvani/claude-skills
- Author: SkillOPIC (`user_system_seed`); public; 178 stars, 1771 runs
- Package: `gdpr-audit-prep.zip` (version 1.0.0, 2940 bytes, SHA-256 `2185bf4decd4323e87e5ff84dea56df172d795b41f97edb0295e4e3ca3d5ca0b`); manifest: `SKILL.md` (6821 bytes)
- Created / updated: 2026-05-16 13:52:44

## SKILL.md

```yaml
---
name: "gdpr-audit-prep"
description: "/cs:gdpr-audit-prep <scope> — GDPR audit six-question, Article-cited forcing interrogation. Use before annual internal GDPR review, post-breach internal audit, DPA investigation readiness, or acquisition due diligence."
---
```

# /cs:gdpr-audit-prep — GDPR DPO Forcing Questions

**Command:** `/cs:gdpr-audit-prep <scope>`

The GDPR DPO auditor pressure-tests any privacy compliance work: six Article-cited questions to answer before any internal audit, breach response, DPA investigation, or acquisition due diligence.

## When to Run

- Before the annual internal GDPR audit
- Before the quarterly Article 30 RoPA refresh
- Before launching new high-risk processing (Article 35 DPIA required)
- Post-breach (Articles 33-34)
- Before a DPA investigation response or supervisory authority engagement
- During acquisition due diligence (target company privacy posture)
- Quarterly during high-volume new-feature shipping

## The Six DPO Questions

### 1. Show me the Article 30 RoPA — with last-updated date.
**Most-cited finding area.**
- Must include all Article 30(1)(a)-(g) elements for controllers
- Must include all Article 30(2)(a)-(d) elements for processors
- Kept current as processing changes; GDPR sets no refresh interval, so treat 90 days as the internal target, not a statutory one
- Joint controller arrangements documented per Article 26

### 2. For this processing activity, what's the lawful basis under Article 6?
**Article 6 is exclusive: pick ONE basis per purpose.**
- Six options: consent / contract / legal obligation / vital interests / public task / legitimate interests
- Where "legitimate interests": LIA documented
- Where "consent": records per Article 7; withdrawal mechanism as easy as giving consent (Article 7(3))
- Special categories (Article 9) require an Article 9(2) exception in addition to the Article 6 basis

### 3. For high-risk processing, where's the DPIA per Article 35?
**Required for high-risk; sample 3-5 activities.**
- Article 35(7)(a)-(d) required elements:
  - Systematic description of the processing
  - Necessity and proportionality assessment
  - Risks to rights and freedoms
  - Measures to address the risks
- DPO consulted per Article 35(2)
- Article 36 prior consultation triggered where residual risk remains high
- For AI systems: integrates with the EU AI Act Article 27 FRIA (cross-check with cs-ai-act-compliance)

### 4. Show me a DSAR from the last 30 days — and the response timing.
**Articles 15-22 operational workflow.**
- Response within 1 month of receipt (Article 12(3)); extendable by a further 2 months for complex or numerous requests, with the data subject told of the extension within the first month
- Identity verification process documented
- Right of access response includes all Article 15 information
- Right to erasure (Article 17) workflow covers backups and processors

### 5. Show me Transfer Impact Assessments for the largest non-EU transfers.
**Schrems II discipline.**
- Adequacy decision (Article 45) OR appropriate safeguards such as SCCs (Article 46) OR a derogation (Article 49)
- TIA per EDPB Recommendations 01/2020 (supplementary measures) and 02/2020 (European Essential Guarantees)
- Supplementary measures where the TIA flagged risk
- US transfers covered by the EU-US Data Privacy Framework adequacy decision (July 2023) only for certified importers: verify each importer against the DPF list

### 6. Show me the breach log per Article 33(5) — all breaches, not just notifiable ones.
**Article 33(5) requires documenting ALL breaches, including those judged unlikely to result in a risk.**
- Internal breach detection mechanism documented
- Article 33 DPA notification within 72 hours of becoming aware (where required)
- Article 34 data subject notification (where high risk)
- Root cause and corrective action via the CAPA system
- Cross-check with cs-ciso-iso27001 for A.5.24-27 incident management alignment

## Workflow

```bash
# 1. Compliance posture
python ../../ra-qm-team/skills/gdpr-dsgvo-expert/scripts/gdpr_compliance_checker.py compliance_state.json

# 2. DPIA for high-risk activities
python ../../ra-qm-team/skills/gdpr-dsgvo-expert/scripts/dpia_generator.py processing_activity.json

# 3. DSAR workflow validation
python ../../ra-qm-team/skills/gdpr-dsgvo-expert/scripts/data_subject_rights_tracker.py dsar_log.json

# 4. Cross-framework reuse with ISO 27001 + SOC 2 + ISO 42001
python ../../skills/compliance-os/scripts/cross_framework_mapper.py program.json
```

## Output Format

```markdown
# GDPR Audit Prep: <scope>
**Date:** YYYY-MM-DD
**Article Citations:** Every finding cites Article + paragraph; no paraphrase.

## The Decision Being Made
[RoPA-refresh | DPIA-required | DSAR-workflow | transfer-risk | breach-followup | DPA-readiness]

## Article 30 RoPA Status
- Last refresh: YYYY-MM-DD
- Required elements present: yes/no per processing activity
- Joint controller arrangements: documented/missing

## Article 6 Lawful Basis Discipline
- Activities reviewed: N
- Legitimate-interests claims without LIA: <list>
- Article 9 special categories with documented exception: yes/no

## Article 35 DPIA Quality
- High-risk activities requiring DPIA: <list>
- DPIAs complete per Article 35(7): pass/fail per activity
- Article 36 prior consultation triggered: <list>

## Data Subject Rights (Articles 12-22)
- DSARs in last 90 days: N
- Average response time: X days (target: within 1 month, Article 12(3))
- Right to erasure backup-processor flow: complete/incomplete

## Article 28 Processor Management
- Processors reviewed: N
- Contracts with all Article 28(3)(a)-(h) clauses: % complete
- Sub-processor flow-down notification mechanism: yes/no

## Schrems II Transfer Status
- Non-EU transfers: <list>
- Mechanism per transfer: adequacy / SCCs / derogation
- TIA on file: yes/no per transfer
- Supplementary measures where needed: <list>

## Article 33-34 Breach Discipline
- Breach log last 12 months: N (all breaches, notifiable or not)
- Article 33 notification timing: ratio notified ≤ 72h of awareness
- Article 34 data subject notification (where high risk): on-time ratio

## Cross-Framework Impact
- Article 32 (security of processing) alignment with ISO 27001: clean / gaps
- EU AI Act Article 27 FRIA integration: applicable / not
- SOC 2 Privacy TSC alignment (if in scope): clean / gaps

## Verdict
🟢 DPA-READY | 🟡 GAPS-IDENTIFIED | 🔴 NOT-READY

## Top 3 Actions
[3 concrete next steps with owner + Article-cited timeline]

## Outside Counsel Required
[Article-level ambiguities flagged: Schrems II supplementary measure adequacy, EU AI Act ↔ GDPR interaction, sectoral derogation interpretation, novel DPA enforcement]
```

## Routing

- `/cs:compliance-readiness` — for the multi-framework view
- `/cs:iso27001-audit-prep` — for Article 32 organizational measures
- `/cs:ai-act-readiness` — for EU AI Act Article 27 FRIA integration
- `/cs:soc2-audit-prep` — for SOC 2 Privacy TSC overlap
- `/cs:gc-review` — for novel-case legal review

## Related

- Agent: [`cs-dpo-gdpr`](../../agents/cs-dpo-gdpr.md)
- Skill: [`gdpr-dsgvo-expert`](../../../ra-qm-team/skills/gdpr-dsgvo-expert/SKILL.md)
- Playbook: [gdpr_audit_playbook.md](../../../ra-qm-team/skills/gdpr-dsgvo-expert/references/gdpr_audit_playbook.md)
- Adjacent: `../iso27001-audit-prep/`, `../ai-act-readiness/`, `../soc2-audit-prep/`, `../compliance-readiness/`

---

**Version:** 1.0.0
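Questions 4 and 6 and the Output Format figures both turn on clocks that are easy to get wrong by hand: the Article 12(3) DSAR deadline is counted in calendar months (so a request received on 31 January is due on 28 February, not 3 March) and its two-month extension only counts if the data subject was told within the first month; the Article 33(1) window is 72 hours from the controller becoming aware, not from the breach occurring; and Article 33(5) wants non-notifiable breaches in the log too. The following Python is an added illustration of those rules, not part of the claude-skills repository and not one of the scripts the Workflow calls. The `Dsar` and `Breach` records, the status labels and the sample logs at the bottom are constructed for this example.

```python
"""Deadline checks for the Article 12(3) DSAR clock and the Article 33(1) breach clock.

Added illustration; not part of the claude-skills repository. The record types,
status labels and the sample logs at the bottom are constructed for this example.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone

ART33_WINDOW = timedelta(hours=72)  # Article 33(1): 72 hours after becoming aware


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with end-of-month clamp (31 Jan + 1 month = 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class Dsar:
    ref: str
    received: date
    responded: date | None = None
    extension_months: int = 0              # Article 12(3): at most two further months
    extension_notified: date | None = None  # must reach the data subject within month one


def dsar_deadline(r: Dsar) -> date:
    """One month from receipt; an extension counts only if it was notified in time."""
    first_month_end = add_months(r.received, 1)
    valid_extension = (
        0 < r.extension_months <= 2
        and r.extension_notified is not None
        and r.extension_notified <= first_month_end
    )
    return add_months(r.received, 1 + (r.extension_months if valid_extension else 0))


def dsar_status(r: Dsar, today: date) -> str:
    deadline = dsar_deadline(r)
    if r.responded is not None:
        return "on_time" if r.responded <= deadline else "late"
    return "overdue" if today > deadline else "pending"


@dataclass(frozen=True)
class Breach:
    ref: str
    aware_at: datetime          # the 72h clock starts on awareness, not on occurrence
    notifiable: bool            # False when the breach is unlikely to result in a risk
    dpa_notified_at: datetime | None = None


def breach_status(b: Breach, now: datetime) -> str:
    if not b.notifiable:
        return "logged_only"    # still belongs in the Article 33(5) log
    if b.dpa_notified_at is None:
        return "overdue" if now - b.aware_at > ART33_WINDOW else "pending"
    return "on_time" if b.dpa_notified_at - b.aware_at <= ART33_WINDOW else "late"


def audit_metrics(dsars: list[Dsar], breaches: list[Breach], today: date, now: datetime) -> dict:
    """The timing figures the Output Format asks for, computed from the two logs."""
    dsar_counts: dict[str, int] = {}
    for r in dsars:
        s = dsar_status(r, today)
        dsar_counts[s] = dsar_counts.get(s, 0) + 1
    durations = [(r.responded - r.received).days for r in dsars if r.responded is not None]
    breach_counts: dict[str, int] = {}
    for b in breaches:
        s = breach_status(b, now)
        breach_counts[s] = breach_counts.get(s, 0) + 1
    decided = breach_counts.get("on_time", 0) + breach_counts.get("late", 0)
    return {
        "dsar_total": len(dsars),
        "dsar_status": dsar_counts,
        "dsar_avg_response_days": sum(durations) / len(durations) if durations else None,
        "breaches_logged": len(breaches),  # every breach, per Article 33(5)
        "breaches_notifiable": sum(b.notifiable for b in breaches),
        "breach_status": breach_counts,
        "art33_within_72h_ratio": breach_counts.get("on_time", 0) / decided if decided else None,
    }


# Constructed sample logs (not real audit data).
UTC = timezone.utc
SAMPLE_DSARS = [
    Dsar("DSAR-1", date(2025, 1, 31), date(2025, 2, 28)),                     # due 28 Feb: on time
    Dsar("DSAR-2", date(2025, 3, 10), date(2025, 4, 15)),                     # due 10 Apr: late
    Dsar("DSAR-3", date(2025, 4, 1), date(2025, 6, 20), 2, date(2025, 4, 20)),  # valid extension
    Dsar("DSAR-4", date(2025, 5, 2), None, 1, date(2025, 6, 10)),              # extension told too late
    Dsar("DSAR-5", date(2025, 6, 15)),                                        # still within month one
]
SAMPLE_BREACHES = [
    Breach("BR-1", datetime(2025, 2, 3, 9, tzinfo=UTC), True, datetime(2025, 2, 5, 17, tzinfo=UTC)),
    Breach("BR-2", datetime(2025, 3, 14, 22, tzinfo=UTC), True, datetime(2025, 3, 18, 8, tzinfo=UTC)),
    Breach("BR-3", datetime(2025, 4, 1, 10, tzinfo=UTC), False),
    Breach("BR-4", datetime(2025, 6, 29, 12, tzinfo=UTC), True),
]
SAMPLE_TODAY = date(2025, 6, 30)
SAMPLE_NOW = datetime(2025, 6, 30, 12, tzinfo=UTC)

if __name__ == "__main__":
    from pprint import pprint
    pprint(audit_metrics(SAMPLE_DSARS, SAMPLE_BREACHES, SAMPLE_TODAY, SAMPLE_NOW))
```

Two design choices matter for an audit reading. An extension that was not notified within the first month is ignored rather than flagged, so the request is scored against the original one-month deadline, which is how a supervisory authority would read Article 12(3). And breaches marked not notifiable still count toward `breaches_logged`, so a log that only contains the breaches reported to the DPA will show a gap against Article 33(5) immediately.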