# gdpr-compliance

Author: guia-matthieu

## About

This skill helps developers implement GDPR-compliant marketing features by providing guidance on consent management, privacy notices, and data subject rights. It is useful when designing consent flows, auditing data practices, and handling user data requests. The tool explains specific GDPR requirements based on the official articles and guidelines, but the final implementation decisions rest with the developer.

## Quick Install

Claude Code (recommended, main command):

```
npx skills add guia-matthieu/clawfu-skills -a claude-code
```

Plugin command alternative:

```
/plugin add https://github.com/guia-matthieu/clawfu-skills
```

Git clone alternative:

```
git clone https://github.com/guia-matthieu/clawfu-skills.git ~/.claude/skills/gdpr-compliance
```

Copy and paste the command into Claude Code to install the skill.

## Documentation

# GDPR Compliance for Marketing

Ensure your marketing activities comply with GDPR requirements for consent, data processing, and privacy rights.

## When to Use This Skill

- Designing consent collection flows
- Writing privacy notices
- Auditing marketing data practices
- Handling data subject requests
- Documenting lawful basis

## Methodology Foundation

Based on GDPR Articles 6, 7, 12-23 and EDPB Guidelines, covering:

- Lawful basis determination
- Consent requirements
- Transparency obligations
- Data subject rights
- Documentation requirements

## What Claude Does vs What You Decide

| Claude Does | You Decide |
|---|---|
| Explains GDPR requirements | Business risk tolerance |
| Drafts compliant language | Implementation priority |
| Identifies gaps | Legal interpretation |
| Creates documentation | DPO consultation needs |
| Suggests controls | Resource allocation |

## Instructions

### Step 1: Lawful Basis Assessment

**Six Lawful Bases (Article 6):**

| Basis | Marketing Use | Documentation Needed |
|---|---|---|
| Consent | Email marketing, cookies, tracking | Consent records |
| Contract | Customer communications | Contract terms |
| Legitimate Interest | Soft opt-in, B2B marketing | LIA document |
| Legal Obligation | Regulatory comms | Legal reference |
| Vital Interest | Rarely applicable | - |
| Public Task | Rarely applicable | - |

**Marketing Activity Mapping:**

| Activity | Typical Basis | Requirements |
|---|---|---|
| Email newsletter | Consent | Double opt-in (best practice; not mandated by the GDPR text itself), easy unsubscribe |
| Existing customer upsell | Legitimate Interest | LIA, opt-out available |
| Cold B2B outreach | Legitimate Interest | LIA, clear identity |
| Website cookies | Consent | Banner, granular choices |
| Retargeting ads | Consent | Cookie consent |
| Lead magnets | Consent | Clear purpose, separate consent |

### Step 2: Consent Requirements

**Valid Consent Criteria (definition in Article 4(11), conditions in Article 7):**

| Requirement | What It Means | Example |
|---|---|---|
| Freely given | No bundling, no penalty | Separate from T&Cs |
| Specific | Clear purpose stated | "Marketing emails about [X]" |
| Informed | Who, what, why explained | Privacy notice linked |
| Unambiguous | Clear affirmative action | Checkbox unchecked by default, ticked by the user |
| Withdrawable | Easy to revoke | One-click unsubscribe |

**Consent Record Requirements:**

Record for each consent:

- Who consented (identifier)
- When (timestamp)
- What they consented to (purpose)
- How (mechanism)
- What they were told (notice version)
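
The five fields above map directly onto a record schema. The module below is an added example written for this page, not code from the clawfu-skills skill or its repository; the purpose names, field names, the `utc()` helper and the sample events are assumptions. It stores each grant or withdrawal as its own event and derives the current state from the latest one, so a withdrawal never overwrites the proof of the original consent and "never asked" stays distinguishable from "declined":

```python
"""Append-only consent ledger (illustrative example for this page, not code
from the clawfu-skills repository; purpose names, field names and the sample
events are assumptions).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

PURPOSES = ("newsletter", "product_updates", "promotional", "third_party")
ACTIONS = ("granted", "withdrawn")


def utc(*parts: int) -> datetime:
    """Timezone-aware UTC timestamp for the constructed sample events."""
    return datetime(*parts, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # who consented (identifier)
    purpose: str          # what they consented to
    action: str           # "granted" or "withdrawn"
    timestamp: datetime   # when (must be timezone-aware)
    source: str           # how (mechanism: form version, unsubscribe link, ...)
    notice_version: str   # what they were told


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    @staticmethod
    def validate(ev: ConsentEvent) -> Optional[str]:
        """Return a problem description, or None if the event is evidentially complete."""
        if ev.purpose not in PURPOSES:
            return f"unknown purpose {ev.purpose!r}"
        if ev.action not in ACTIONS:
            return f"unknown action {ev.action!r}"
        if not (ev.subject_id and ev.source and ev.notice_version):
            return "subject_id, source and notice_version are all required"
        if ev.timestamp.tzinfo is None:
            return "timestamp must be timezone-aware"
        return None

    def record(self, ev: ConsentEvent) -> None:
        """Append after validation: an event with a missing field is rejected,
        not stored with nulls, so every stored event can prove what happened."""
        problem = self.validate(ev)
        if problem:
            raise ValueError(problem)
        self._events.append(ev)

    def status(self, subject_id: str) -> Dict[str, bool]:
        """Current state per purpose: latest event wins, no event means no consent."""
        state = {p: False for p in PURPOSES}
        mine = [e for e in self._events if e.subject_id == subject_id]
        # sorted() is stable, so events with equal timestamps keep arrival order
        for ev in sorted(mine, key=lambda e: e.timestamp):
            state[ev.purpose] = ev.action == "granted"
        return state

    def can_send(self, subject_id: str, purpose: str) -> bool:
        """The check the sending pipeline runs before every message."""
        return self.status(subject_id).get(purpose, False)

    def history(self, subject_id: str, purpose: str) -> List[dict]:
        """Evidence trail for one purpose, e.g. to answer an access request."""
        return [
            {"action": e.action, "timestamp": e.timestamp.isoformat(),
             "source": e.source, "notice_version": e.notice_version}
            for e in self._events
            if e.subject_id == subject_id and e.purpose == purpose
        ]


def sample_ledger() -> ConsentLedger:
    """Constructed sample: sign-up grants two purposes, a later unsubscribe withdraws one."""
    ledger = ConsentLedger()
    signup = utc(2026, 1, 31, 10, 30)
    for purpose in ("newsletter", "product_updates"):
        ledger.record(ConsentEvent("user-42", purpose, "granted", signup,
                                   "signup_form_v3", "privacy_v2.1"))
    ledger.record(ConsentEvent("user-42", "newsletter", "withdrawn", utc(2026, 3, 2, 9, 0),
                               "unsubscribe_link", "privacy_v2.1"))
    return ledger
```

`can_send()` returns False for any purpose with no event at all, which is the behaviour you want for an unchecked-by-default checkbox: absence of a record is absence of consent, never a default of "yes".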

### Step 3: Privacy Notice Requirements

**Required Elements (Articles 13-14):**

| Element | First-Party Data (Art. 13, collected from the data subject) | Third-Party Data (Art. 14, not obtained from the data subject) |
|---|---|---|
| Controller identity | Required | Required |
| DPO contact | If applicable | If applicable |
| Purposes | Required | Required |
| Lawful basis | Required | Required |
| Recipients | Required | Required |
| Transfers | If applicable | If applicable |
| Retention | Required | Required |
| Rights | Required | Required |
| Withdrawal | If consent | If consent |
| Complaint right | Required | Required |
| Source | N/A | Required |

### Step 4: Data Subject Rights

**Rights Framework:**

| Right | Timeline | Marketing Impact |
|---|---|---|
| Access (Art. 15) | 1 month | Provide all marketing data |
| Rectification (Art. 16) | 1 month | Update preferences |
| Erasure (Art. 17) | 1 month | Remove from lists |
| Restriction (Art. 18) | 1 month | Pause processing |
| Portability (Art. 20) | 1 month | Export in machine-readable format (applies only to data processed by automated means on the basis of consent or contract) |
| Objection (Art. 21) | Immediate for direct marketing (Art. 21(3); no balancing test) | Stop direct marketing |

The one-month period comes from Article 12(3); it may be extended by two further months for complex or numerous requests, provided the data subject is told of the extension and the reasons within the first month.

### Step 5: Documentation & Records

**Required Documentation:**

  1. Records of Processing Activities (ROPA)
  2. Legitimate Interest Assessments
  3. Consent records and mechanisms
  4. Privacy notices (versioned)
  5. Data Subject Request log
  6. Breach notification procedures
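
Rights handling (Step 4) and the request log (item 5 above) fit together in one small service. The module below is an added example written for this page, not code from the skill or its repository; the store layout, the log fields, the `utc()` helper, the sample addresses and the salted-hash suppression list are assumptions. It honours an objection at once, deletes the profile on erasure while keeping only a salted hash on a suppression list so that a later list import cannot re-enrol the person (a common practice, not something the page states), and computes the one-month deadline with the day clamped so that a request received on 31 January falls due on 28 February rather than rolling into March:

```python
"""Data subject request handling for a marketing store (illustrative example
for this page, not code from the clawfu-skills repository; store layout,
log fields and sample addresses are assumptions).
"""
import calendar
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


def utc(*parts: int) -> datetime:
    """Timezone-aware UTC timestamp for the constructed sample requests."""
    return datetime(*parts, tzinfo=timezone.utc)


def add_one_month(when: datetime) -> datetime:
    """Deadline one month after receipt (Art. 12(3)). The day is clamped to the
    length of the target month, so 31 Jan -> 28/29 Feb and 15 Dec -> 15 Jan."""
    year, month = when.year, when.month + 1
    if month == 13:
        year, month = year + 1, 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)


def normalise(email: str) -> str:
    return email.strip().lower()


@dataclass
class DsrEntry:
    request_type: str
    subject: str
    received: datetime
    deadline: datetime
    completed: Optional[datetime] = None


class MarketingStore:
    def __init__(self, salt: bytes) -> None:
        self._salt = salt
        self.profiles: Dict[str, Set[str]] = {}  # email -> purposes the person is on
        self.log: List[DsrEntry] = []            # the Data Subject Request log
        self._suppressed: Set[str] = set()       # salted hashes, never plain addresses

    def _key(self, email: str) -> str:
        # Salted hash so the suppression list itself holds no readable address.
        return hashlib.sha256(self._salt + normalise(email).encode()).hexdigest()

    def is_suppressed(self, email: str) -> bool:
        return self._key(email) in self._suppressed

    def add_subscriber(self, email: str, purposes: List[str]) -> bool:
        """Refuse (return False) if the address is suppressed, so a re-imported
        list cannot silently re-enrol someone who objected or was erased."""
        email = normalise(email)
        if self.is_suppressed(email):
            return False
        self.profiles[email] = set(purposes)
        return True

    def can_send(self, email: str, purpose: str) -> bool:
        on_list = purpose in self.profiles.get(normalise(email), set())
        return on_list and not self.is_suppressed(email)

    def open_request(self, request_type: str, email: str, received: datetime) -> DsrEntry:
        entry = DsrEntry(request_type, normalise(email), received, add_one_month(received))
        self.log.append(entry)
        return entry

    def handle_access(self, email: str, received: datetime) -> dict:
        """Art. 15: export what is held about the person, here the purposes they are on."""
        entry = self.open_request("access", email, received)
        export = {"email": normalise(email),
                  "purposes": sorted(self.profiles.get(normalise(email), set()))}
        entry.completed = received
        return export

    def handle_objection(self, email: str, received: datetime) -> DsrEntry:
        """Art. 21(3): stop direct marketing immediately; no balancing test applies."""
        entry = self.open_request("objection", email, received)
        self.profiles.get(normalise(email), set()).clear()
        self._suppressed.add(self._key(email))
        entry.completed = received
        return entry

    def handle_erasure(self, email: str, received: datetime) -> DsrEntry:
        """Art. 17: delete the profile; only the hashed suppression entry remains."""
        entry = self.open_request("erasure", email, received)
        self.profiles.pop(normalise(email), None)
        self._suppressed.add(self._key(email))
        entry.completed = received
        return entry

    def overdue(self, now: datetime) -> List[DsrEntry]:
        """Requests still open past their one-month deadline."""
        return [e for e in self.log if e.completed is None and now > e.deadline]
```

The suppression check sits in `add_subscriber()` rather than only in the send path so that the objection survives a fresh import of the same list, which is the usual way an opted-out address gets mailed again.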

## Examples

### Example 1: Marketing Email Consent Flow

**Input:**

```
Design a GDPR-compliant consent flow for:
- SaaS product newsletter
- Product updates
- Promotional offers
- Third-party partner offers
```

**Output:**

**GDPR-Compliant Email Consent Flow**

**Consent Collection UI**

---

**Signup Form Fields:**

```
Email: [________________]

[ ] I agree to receive the monthly newsletter with industry insights
[ ] I agree to receive product updates and feature announcements
[ ] I agree to receive promotional offers and discounts
[ ] I agree to receive relevant offers from our trusted partners

[Sign Up]

By signing up, you confirm you've read our [Privacy Notice]. You can withdraw consent anytime via the unsubscribe link or by contacting us.
```


**Design Requirements:**
- All checkboxes unchecked by default
- No "select all" option
- Each purpose separate
- Privacy notice linked, not buried
- No dark patterns

---

**Consent Record Structure**

```json
{
  "email": "user@example.com",
  "consents": [
    {
      "purpose": "newsletter",
      "granted": true,
      "timestamp": "2026-01-31T10:30:00Z",
      "source": "signup_form_v3",
      "notice_version": "privacy_v2.1"
    },
    {
      "purpose": "product_updates",
      "granted": true,
      "timestamp": "2026-01-31T10:30:00Z",
      "source": "signup_form_v3",
      "notice_version": "privacy_v2.1"
    },
    {
      "purpose": "promotional",
      "granted": false,
      "timestamp": null,
      "source": null,
      "notice_version": null
    },
    {
      "purpose": "third_party",
      "granted": false,
      "timestamp": null,
      "source": null,
      "notice_version": null
    }
  ],
  "ip_address": "192.168.1.1",
  "user_agent": "Mozilla/5.0..."
}
```

A `granted: false` entry with null `timestamp`, `source` and `notice_version` cannot show whether the person was never asked, declined, or later withdrew. If you need to evidence a refusal or a withdrawal, record that as its own event with a timestamp and source rather than overwriting the fields of the original grant.

**Email Footer (Required)**

```
---
You're receiving this because you subscribed to our [newsletter/updates].

Manage preferences: [link]
Unsubscribe from this list: [link]
Unsubscribe from all: [link]

[Company Name]
[Address]
[Contact Email]
```

**Preference Center**

| Subscription | Status | Description |
|---|---|---|
| Monthly Newsletter | [ON/OFF] | Industry insights and tips |
| Product Updates | [ON/OFF] | New features and improvements |
| Promotional Offers | [ON/OFF] | Discounts and special deals |
| Partner Offers | [ON/OFF] | Relevant third-party offers |

[Update Preferences] [Unsubscribe from All]


**Compliance Checklist**

- All consents granular (separate checkboxes)
- Checkboxes unchecked by default
- Clear description of each purpose
- Privacy notice accessible
- Withdrawal mechanism clear
- Consent records stored
- Double opt-in implemented
- Unsubscribe in every email
- Preference center available

### Example 2: Legitimate Interest Assessment

**Input:**

```
We want to email our existing customers about related products. Do we need consent or can we use legitimate interest?
```

**Output:**

**Legitimate Interest Assessment: Customer Cross-Sell**

**Summary**

You can likely rely on legitimate interest (not consent) for emailing existing customers about similar products, but you must complete this assessment and offer an easy opt-out. Note that for electronic mail the national ePrivacy rules (Directive 2002/58/EC Article 13(2), e.g. the UK PECR "soft opt-in") add their own conditions on top of the GDPR basis: the contact details must have been obtained in the course of a sale, the products must be similar, and an opt-out must be offered at collection and in every message.


**Three-Part LIA Test**

**1. Purpose Test: Is There a Legitimate Interest?**

- Interest: Promote related products to existing customers
- Legitimacy: Yes - recognized business interest in customer development
- Benefit: Revenue growth, customer relationship deepening

**PASS**


**2. Necessity Test: Is Processing Necessary?**

| Question | Answer |
|---|---|
| Is email necessary to achieve the interest? | Yes - direct communication channel |
| Is there a less intrusive way? | In-app notifications possible but less effective |
| Is the processing proportionate? | Yes - limited frequency, relevant content |

**PASS (with conditions)**

Conditions:

  • Limit to genuinely related products
  • Reasonable frequency (not daily)
  • Honor opt-outs immediately

**3. Balancing Test: Individual Rights vs. Your Interest**

| Factor | Assessment |
|---|---|
| Nature of data | Basic contact info - low sensitivity |
| Reasonable expectations | Customers expect marketing from sellers |
| Relationship | Existing customer relationship |
| Impact on individual | Minor inconvenience, easy to opt out |
| Safeguards | Opt-out in every email |

**PASS**


**Conclusion**

Lawful Basis: Legitimate Interest (Article 6(1)(f))

Requirements for Compliance:

  1. Document this LIA and keep on file
  2. Include in privacy notice: "We may contact existing customers about similar products based on legitimate interest. You can opt out at any time."
  3. Easy opt-out: Every email must have unsubscribe
  4. Honor preferences: Immediate suppression on opt-out
  5. Similar products only: Don't expand to unrelated offerings
  6. Reasonable frequency: No more than weekly

**Template Email Footer**

```
You're receiving this as a valued [Company] customer.

Not interested in product updates?
[Opt out of marketing] | [Manage preferences]

This email was sent based on our legitimate interest in keeping
customers informed about relevant products. See our Privacy Notice
for details and your rights.
```

**When This Doesn't Apply**

Use consent instead if:

  • Products are significantly different
  • Customer bought once 2+ years ago
  • You acquired data from third party
  • Customer previously opted out
  • Emails are primarily promotional (not informational)

## Skill Boundaries

### What This Skill Does Well
- Explaining GDPR requirements
- Drafting compliant language
- Creating documentation templates
- Identifying compliance gaps

### What This Skill Cannot Do
- Provide legal advice
- Know your specific jurisdiction nuances
- Guarantee regulatory acceptance
- Replace DPO consultation

### When to Escalate to Human
- Complex cross-border transfers
- Regulatory investigation
- Data breach response
- Novel processing activities

## Iteration Guide

**Follow-up Prompts:**
- "Draft the privacy notice section for [activity]"
- "How do we handle a right to erasure request?"
- "What documentation do we need for [processing]?"
- "Is this cookie banner compliant?"

## References

- GDPR Text (Regulation 2016/679)
- EDPB Guidelines on Consent
- ICO Direct Marketing Guidance
- CNIL Cookie Guidelines

## Related Skills

- `terms-analyzer` - Terms of service review
- `contract-review` - DPA analysis
- `nda-generator` - Confidentiality

## Skill Metadata

- **Domain**: Legal / Marketing
- **Complexity**: Intermediate
- **Mode**: centaur
- **Time to Value**: 1-2 hours per assessment
- **Prerequisites**: Basic GDPR familiarity

## GitHub Repository

guia-matthieu/clawfu-skills
Path: skills/legal/gdpr-compliance

Tags: ai-skills, anthropic, claude-code, claude-skills, marketing, mcp-server

## Related Skills on This Site

- `llamaguard` - LlamaGuard is Meta's 7-8 billion parameter model for moderating LLM inputs and outputs across six safety categories such as violence and hate speech. It offers 94-95% accuracy and can be deployed with vLLM, Hugging Face, or Amazon SageMaker. Use this skill to integrate content filtering and safeguards into AI applications.
- `cost-optimization` - This Claude skill helps developers optimize cloud costs through resource right-sizing, tagging strategies, and spend analysis. It provides frameworks for reducing cloud spend and enforcing cost governance across AWS, Azure, and GCP. Use it when analyzing infrastructure costs, right-sizing resources, or working within budget constraints.
- `quantizing-models-bitsandbytes` - This skill quantizes LLMs to 8-bit or 4-bit precision with bitsandbytes, achieving 50-75% memory reduction with minimal accuracy loss. Ideal for running larger models on limited GPU memory or speeding up inference, it supports formats such as INT8, NF4, and FP4. It integrates with HuggingFace Transformers and enables QLoRA training and 8-bit optimizers.
- `dispatching-parallel-agents` - This Claude skill dispatches multiple agents to investigate and fix three or more independent problems in parallel. It is designed for scenarios with unrelated failures that can be resolved without shared state or dependencies. Its core capability is parallel problem solving, assigning one agent per independent problem domain to maximize efficiency.