gdpr-dsgvo-expert

What this skill does

# Senior GDPR/DSGVO Expert and Auditor

Expert-level EU General Data Protection Regulation (GDPR) and German Datenschutz-Grundverordnung (DSGVO) compliance with comprehensive data protection auditing, privacy impact assessment, and regulatory compliance verification capabilities.

## Core GDPR/DSGVO Competencies

### 1. GDPR/DSGVO Compliance Framework Implementation
Design and implement comprehensive data protection compliance programs ensuring systematic GDPR/DSGVO adherence.

**GDPR Compliance Framework:**
```
GDPR/DSGVO COMPLIANCE IMPLEMENTATION
├── Legal Basis and Lawfulness
│   ├── Lawful basis identification (Art. 6)
│   ├── Special category data processing (Art. 9)
│   ├── Criminal conviction data (Art. 10)
│   └── Consent management and documentation
├── Individual Rights Implementation
│   ├── Right to information (Art. 13-14)
│   ├── Right of access (Art. 15)
│   ├── Right to rectification (Art. 16)
│   ├── Right to erasure (Art. 17)
│   ├── Right to restrict processing (Art. 18)
│   ├── Right to data portability (Art. 20)
│   └── Right to object (Art. 21)
├── Accountability and Governance
│   ├── Data protection policies and procedures
│   ├── Records of processing activities (Art. 30)
│   ├── Data protection impact assessments (Art. 35)
│   └── Data protection by design and default (Art. 25)
└── International Data Transfers
    ├── Adequacy decisions (Art. 45)
    ├── Standard contractual clauses (Art. 46)
    ├── Binding corporate rules (Art. 47)
    └── Derogations (Art. 49)
```

### 2. Privacy Impact Assessment (DPIA) Implementation
Conduct systematic Data Protection Impact Assessments ensuring comprehensive privacy risk identification and mitigation.

**DPIA Process Framework:**
1. **DPIA Threshold Assessment**
   - Systematic large-scale processing evaluation
   - Special category data processing assessment
   - High-risk processing activity identification
   - **Decision Point**: Determine DPIA necessity per Article 35

2. **DPIA Execution Process**
   - **Processing Description**: Comprehensive data processing analysis
   - **Necessity and Proportionality**: Legal basis and purpose limitation assessment
   - **Privacy Risk Assessment**: Risk identification, analysis, and evaluation
   - **Mitigation Measures**: Risk reduction and residual risk management

3. **DPIA Documentation and Review**
   - DPIA report preparation and stakeholder consultation
   - Data Protection Officer (DPO) consultation and advice
   - Supervisory authority consultation (if required)
   - DPIA monitoring and review processes

### 3. Data Subject Rights Management
Implement comprehensive data subject rights fulfillment processes ensuring timely and effective rights exercise.

**Data Subject Rights Framework:**
```
DATA SUBJECT RIGHTS IMPLEMENTATION
├── Rights Request Management
│   ├── Request receipt and verification
│   ├── Identity verification procedures
│   ├── Request assessment and classification
│   └── Response timeline management
├── Rights Fulfillment Processes
│   ├── Information provision (privacy notices)
│   ├── Data access and copy provision
│   ├── Data rectification and correction
│   ├── Data erasure and deletion
│   ├── Processing restriction implementation
│   ├── Data portability and transfer
│   └── Objection handling and opt-out
├── Complex Rights Scenarios
│   ├── Conflicting rights balancing
│   ├── Third-party rights considerations
│   ├── Legal obligation conflicts
│   └── Legitimate interest assessments
└── Rights Response Documentation
    ├── Decision rationale documentation
    ├── Technical implementation evidence
    ├── Timeline compliance verification
    └── Appeal and complaint procedures
```

### 4. German DSGVO Specific Requirements
Address German-specific implementation of GDPR including national derogations and additional requirements.

**German DSGVO Specificities:**
- **BDSG Integration**: Federal Data Protection Act coordination with GDPR
- **Länder Data Protection Laws**: State-specific data protection requirements
- **Sectoral Regulations**: Healthcare, telecommunications, and financial services
- **German Supervisory Authorities**: Federal and state data protection authority coordination

## Advanced GDPR Applications

### Healthcare Data Protection (Medical Device Context)
Implement specialized data protection measures for healthcare data processing in medical device environments.

**Healthcare GDPR Compliance:**
1. **Health Data Processing Framework**
   - Health data classification and special category handling
   - Medical research and clinical trial data protection
   - Patient consent management and documentation
   - **Decision Point**: Determine appropriate legal basis for health data processing

2. **Medical Device Data Protection**
   - **For Connected Devices**: Follow references/device-data-protection.md
   - **For Clinical Systems**: Follow references/clinical-data-protection.md
   - **For Research Platforms**: Follow references/research-data-protection.md
   - Cross-border health data transfer management

3. **Healthcare Stakeholder Coordination**
   - Healthcare provider data processing agreements
   - Medical device manufacturer responsibilities
   - Clinical research organization compliance
   - Patient rights exercise in healthcare context

### International Data Transfer Compliance
Manage complex international data transfer scenarios ensuring GDPR Chapter V compliance.

**International Transfer Framework:**
1. **Transfer Mechanism Assessment**
   - Adequacy decision availability and scope
   - Standard Contractual Clauses (SCCs) implementation
   - Binding Corporate Rules (BCRs) development
   - Certification and code of conduct utilization

2. **Transfer Risk Assessment**
   - Third country data protection law analysis
   - Government access and surveillance risk evaluation
   - Data subject rights enforceability assessment
   - Additional safeguard necessity determination

3. **Supplementary Measures Implementation**
   - Technical measures: encryption, pseudonymization, access controls
   - Organizational measures: data minimization, purpose limitation, retention
   - Contractual measures: additional processor obligations, audit rights
   - Procedural measures: transparency, redress mechanisms

## GDPR Audit and Assessment

### GDPR Compliance Auditing
Conduct systematic GDPR compliance audits ensuring comprehensive data protection verification.

**GDPR Audit Methodology:**
1. **Audit Planning and Scope**
   - Data processing inventory and risk assessment
   - Audit scope definition and stakeholder identification
   - Audit criteria and methodology selection
   - **Audit Team Assembly**: Technical and legal competency requirements

2. **Audit Execution Process**
   - **Legal Compliance Assessment**: GDPR article-by-article compliance verification
   - **Technical Measures Review**: Data protection by design and default implementation
   - **Organizational Measures Evaluation**: Policies, procedures, and training effectiveness
   - **Documentation Review**: Records of processing, DPIAs, and data subject communications

3. **Audit Finding and Reporting**
   - Non-compliance identification and risk assessment
   - Improvement recommendation development
   - Regulatory reporting obligation assessment
   - Remediation planning and timeline development

### Privacy Risk Assessment
Conduct comprehensive privacy risk assessments ensuring systematic privacy risk management.

**Privacy Risk Assessment Framework:**
- **Data Flow Analysis**: Comprehensive data processing mapping and analysis
- **Privacy Risk Identification**: Personal data processing risk evaluation
- **Risk Impact Assessment**: Individual and organizational privacy impact
- **Risk Mitigation Planning**: Privacy control implementation and effectiveness

### External Audit Preparation
Prepare organization for supervisory authority investigations and external privacy audits.

**External Audit Readiness:**
1. **Supervisory Authority