GDPR Compliance for Marketing

Ensure your marketing activities comply with GDPR requirements for consent, data processing, and privacy rights.

When to Use This Skill

• Designing consent collection flows

• Writing privacy notices

• Auditing marketing data practices

• Handling data subject requests

• Documenting lawful basis

Methodology Foundation

Based on GDPR Articles 6, 7, 12-23 and EDPB Guidelines, covering:

• Lawful basis determination

• Consent requirements

• Transparency obligations

• Data subject rights

• Documentation requirements

What Claude Does vs What You Decide

Claude Does You Decide

Explains GDPR requirements Business risk tolerance

Drafts compliant language Implementation priority

Identifies gaps Legal interpretation

Creates documentation DPO consultation needs

Suggests controls Resource allocation

Instructions

Step 1: Lawful Basis Assessment

Six Lawful Bases (Article 6):

Basis Marketing Use Documentation Needed

Consent Email marketing, cookies, tracking Consent records

Contract Customer communications Contract terms

Legitimate Interest Soft opt-in, B2B marketing LIA document

Legal Obligation Regulatory comms Legal reference

Vital Interest Rarely applicable

Public Task Rarely applicable

Marketing Activity Mapping:

Activity Typical Basis Requirements

Email newsletter Consent Double opt-in, easy unsubscribe

Existing customer upsell Legitimate Interest LIA, opt-out available

Cold B2B outreach Legitimate Interest LIA, clear identity

Website cookies Consent Banner, granular choices

Retargeting ads Consent Cookie consent

Lead magnets Consent Clear purpose, separate consent

Step 2: Consent Requirements

Valid Consent Criteria (Article 7):

Requirement What It Means Example

Freely given No bundling, no penalty Separate from T&Cs

Specific Clear purpose stated "Marketing emails about [X]"

Informed Who, what, why explained Privacy notice linked

Unambiguous Clear affirmative action Unchecked checkbox

Withdrawable Easy to revoke One-click unsubscribe

Consent Record Requirements:

Record for each consent:

• Who consented (identifier)
• When (timestamp)
• What they consented to (purpose)
• How (mechanism)
• What they were told (notice version)

Step 3: Privacy Notice Requirements

Required Elements (Articles 13-14):

Element First-Party Data Third-Party Data

Controller identity Required Required

DPO contact If applicable If applicable

Purposes Required Required

Lawful basis Required Required

Recipients Required Required

Transfers If applicable If applicable

Retention Required Required

Rights Required Required

Withdrawal If consent If consent

Complaint right Required Required

Source N/A Required

Step 4: Data Subject Rights

Rights Framework:

Right Timeline Marketing Impact

Access (Art. 15) 1 month Provide all marketing data

Rectification (Art. 16) 1 month Update preferences

Erasure (Art. 17) 1 month Remove from lists

Restriction (Art. 18) 1 month Pause processing

Portability (Art. 20) 1 month Export in machine format

Objection (Art. 21) Immediate for marketing Stop direct marketing

Step 5: Documentation & Records

Required Documentation:

• Records of Processing Activities (ROPA)

• Legitimate Interest Assessments

• Consent records and mechanisms

• Privacy notices (versioned)

• Data Subject Request log

• Breach notification procedures

Examples

Example 1: Marketing Email Consent Flow

Input:

Design a GDPR-compliant consent flow for:

• SaaS product newsletter
• Product updates
• Promotional offers
• Third-party partner offers

Output:

GDPR-Compliant Email Consent Flow

Consent Collection UI

Signup Form Fields:

Email: [________________]

[ ] I agree to receive the monthly newsletter with industry insights [ ] I agree to receive product updates and feature announcements [ ] I agree to receive promotional offers and discounts [ ] I agree to receive relevant offers from our trusted partners

[Sign Up]

By signing up, you confirm you've read our [Privacy Notice]. You can withdraw consent anytime via unsubscribe link or contacting us.

Design Requirements:

• All checkboxes unchecked by default
• No "select all" option
• Each purpose separate
• Privacy notice linked, not buried
• No dark patterns

Consent Record Structure

{
  "email": "user@example.com",
  "consents": [
    {
      "purpose": "newsletter",
      "granted": true,
      "timestamp": "2026-01-31T10:30:00Z",
      "source": "signup_form_v3",
      "notice_version": "privacy_v2.1"
    },
    {
      "purpose": "product_updates",
      "granted": true,
      "timestamp": "2026-01-31T10:30:00Z",
      "source": "signup_form_v3",
      "notice_version": "privacy_v2.1"
    },
    {
      "purpose": "promotional",
      "granted": false,
      "timestamp": null,
      "source": null,
      "notice_version": null
    },
    {
      "purpose": "third_party",
      "granted": false,
      "timestamp": null,
      "source": null,
      "notice_version": null
    }
  ],
  "ip_address": "192.168.1.1",
  "user_agent": "Mozilla/5.0..."
}

Email Footer (Required)

---
You're receiving this because you subscribed to our [newsletter/updates].

Manage preferences: [link]
Unsubscribe from this list: [link]
Unsubscribe from all: [link]

[Company Name]
[Address]
[Contact Email]

Preference Center

Subscription
Status
Action

Monthly Newsletter
[ON/OFF]
Industry insights and tips

Product Updates
[ON/OFF]
New features and improvements

Promotional Offers
[ON/OFF]
Discounts and special deals

Partner Offers
[ON/OFF]
Relevant third-party offers

[Update Preferences] [Unsubscribe from All]

Compliance Checklist

-  All consents granular (separate checkboxes)

-  Checkboxes unchecked by default

-  Clear description of each purpose

-  Privacy notice accessible

-  Withdrawal mechanism clear

-  Consent records stored

-  Double opt-in implemented

-  Unsubscribe in every email

-  Preference center available

### Example 2: Legitimate Interest Assessment

**Input:**

We want to email our existing customers about related products.
Do we need consent or can we use legitimate interest?

**Output:**

Legitimate Interest Assessment: Customer Cross-Sell

Summary

You can likely rely on legitimate interest (not consent) for
emailing existing customers about similar products, but must
complete this assessment and offer easy opt-out.

Three-Part LIA Test

1. Purpose Test: Is There a Legitimate Interest?

Interest: Promote related products to existing customers
Legitimacy: Yes - recognized business interest in customer development
Benefit: Revenue growth, customer relationship deepening

✅ PASS

2. Necessity Test: Is Processing Necessary?

Question
Answer

Is email necessary to achieve the interest?
Yes - direct communication channel

Is there a less intrusive way?
In-app notifications possible but less effective

Is the processing proportionate?
Yes - limited frequency, relevant content

✅ PASS (with conditions)

Conditions:

- Limit to genuinely related products

- Reasonable frequency (not daily)

- Honor opt-outs immediately

3. Balancing Test: Individual Rights vs. Your Interest

Factor
Assessment

Nature of data
Basic contact info - low sensitivity

Reasonable expectations
Customers expect marketing from sellers

Relationship
Existing customer relationship

Impact on individual
Minor inconvenience, easy to opt out

Safeguards
Opt-out in every email

✅ PASS

Conclusion

Lawful Basis: Legitimate Interest (Article 6(1)(f))

Requirements for Compliance:

- Document this LIA and keep on file

- Include in privacy notice:
"We may contact existing customers about similar products
based on legitimate interest. You can opt out at any time."

- Easy opt-out: Every email must have unsubscribe

- Honor preferences: Immediate suppression on opt-out

- Similar products only: Don't expand to unrelated offerings

- Reasonable frequency: No more than weekly

Template Email Footer

You're receiving this as a valued [Company] customer.

Not interested in product updates?
[Opt out of marketing] | [Manage preferences]

This email was sent based on our legitimate interest in keeping
customers informed about relevant products. See our Privacy Notice
for details and your rights.

When This Doesn't Apply

Use consent instead if:

- Products are significantly different

- Customer bought once 2+ years ago

- You acquired data from third party

- Customer previously opted out

- Emails are primarily promotional (not informational)

## Skill Boundaries

### What This Skill Does Well
- Explaining GDPR requirements
- Drafting compliant language
- Creating documentation templates
- Identifying compliance gaps

### What This Skill Cannot Do
- Provide legal advice
- Know your specific jurisdiction nuances
- Guarantee regulatory acceptance
- Replace DPO consultation

### When to Escalate to Human
- Complex cross-border transfers
- Regulatory investigation
- Data breach response
- Novel processing activities

## Iteration Guide

**Follow-up Prompts:**
- "Draft the privacy notice section for [activity]"
- "How do we handle a right to erasure request?"
- "What documentation do we need for [processing]?"
- "Is this cookie banner compliant?"

## References

- GDPR Text (Regulation 2016/679)
- EDPB Guidelines on Consent
- ICO Direct Marketing Guidance
- CNIL Cookie Guidelines

## Related Skills

- `terms-analyzer` - Terms of service review
- `contract-review` - DPA analysis
- `nda-generator` - Confidentiality

## Skill Metadata

- **Domain**: Legal / Marketing
- **Complexity**: Intermediate
- **Mode**: centaur
- **Time to Value**: 1-2 hours per assessment
- **Prerequisites**: Basic GDPR familiarity