Reviews, drafts, and redlines controller-processor contracts under Art. 28 GDPR and joint-controller arrangements under Art. 26. Quick Art. 28(3)(a)–(h) coverage check, negotiation-grade clause scoring, greenfield drafting, counterparty redlining, and joint-controller arrangements — bilingual DE / EN, controller- or processor-side.
Each capability is documented separately, tested separately, and called by the workflow at the right moment. Compose them or invoke individually.
Twelve structured steps. The human stays accountable; the skill carries the structure, the citations, and the document trail.
Match the workflow to the situation. The skill router picks automatically; you can override.
Single-folder skill. SKILL.md is the runtime spec; references hold the knowledge corpus; evals hold the proof.
dpa-art28/ ├── evals # Test cases + assertions │ └── evals.json # 8 cases, 72 assertions ├── references # Reference corpus │ ├── 2021-915-commission-text-de.md │ ├── 2021-915-commission-text-en.md │ ├── art26-joint-controller.md │ ├── art28-3-checklist.md │ ├── common-defects.md │ ├── negotiation-fallbacks.md │ ├── sccs-module-guide.md │ └── tier-selection.md ├── templates │ ├── dpa-commercial-de.md │ ├── dpa-commercial-en.md │ ├── dpa-hybrid-de.md │ ├── dpa-hybrid-en.md │ ├── dpa-strict-de.md │ ├── dpa-strict-en.md │ ├── jca-de.md │ └── jca-en.md ├── workflows │ ├── draft.md │ ├── joint-controller.md │ ├── redline.md │ ├── review-negotiation.md │ └── review-quick.md ├── CHANGELOG.md # Version history ├── README.md # Deployment guide └── SKILL.md # Main skill instructions
Two deployment surfaces. The skill auto-triggers on relevant keywords once installed.
dpa-art28/ foldercp -r dpa-art28/ \ ~/.claude/skills/user/
Every output is documented, version-pinned, and traceable to its source citation.
Every release runs against a fixed test suite. Assertions check numeric consistency, citation accuracy, and decision-tree branches.
Every legal verdict resolves to one of these instruments. No invented articles, no synthetic recitals.
The trace is the product. Nothing happens off the record — no hidden tool calls, no silent retrieval, no opaque chain-of-thought.
See CHANGELOG.md for version history.
DPA Art. 28 GDPR — review, drafting, and redlining of Data Processing Agreements (AVV / Auftragsverarbeitungsvertrag) and Art. 26 Joint Controller Arrangements:
dpa-art28/
├── SKILL.md # Main skill instructions (deploy this)
├── CHANGELOG.md # Version history
├── references/
│ ├── 2021-915-commission-text-en.md # Commission Implementing Decision (EU) 2021/915 — EN
│ ├── 2021-915-commission-text-de.md # Commission Implementing Decision (EU) 2021/915 — DE
│ ├── art28-3-checklist.md # Art. 28(3)(a)–(h) coverage checklist
│ ├── art26-joint-controller.md # Art. 26 JCA framework
│ ├── common-defects.md # Vendor-DPA defect catalog
│ ├── negotiation-fallbacks.md # Fallback positions for contentious clauses
│ ├── sccs-module-guide.md # International-transfer SCC integration
│ └── tier-selection.md # Commercial / hybrid / strict tier helper
├── templates/
│ ├── dpa-commercial-de.md # Commercial DPA — DE
│ ├── dpa-commercial-en.md # Commercial DPA — EN
│ ├── dpa-hybrid-de.md # Hybrid DPA — DE
│ ├── dpa-hybrid-en.md # Hybrid DPA — EN
│ ├── dpa-strict-de.md # Strict DPA — DE
│ ├── dpa-strict-en.md # Strict DPA — EN
│ ├── jca-de.md # JCA template — DE
│ └── jca-en.md # JCA template — EN
└── workflows/
├── review-quick.md # REVIEW_QUICK procedure
├── review-negotiation.md # REVIEW_NEG procedure
├── draft.md # DRAFT procedure
├── redline.md # REDLINE procedure
└── joint-controller.md # JOINT_CONTROLLER procedure
dpa-art28/ folder structuredpa-art28/ folder to your skills directory:
bash
cp -r dpa-art28/ /path/to/your/skills/user/dpa-art28/Paste a DPA or ask for one:
"Review this DPA from a vendor — we're the controller. Quick check first, then tell me what's missing under Art. 28(3) and what I should push back on."
Or:
"Draft a strict-tier DPA in German for an EU-based processor handling employee data, including SCCs Module 2 for our US subsidiary."
| Mode | When |
|---|---|
| REVIEW_QUICK | Fast Art. 28(3)(a)–(h) coverage check |
| REVIEW_NEG | Negotiation-grade clause-by-clause risk scoring |
| DRAFT | Produce a new DPA from a chosen template tier |
| REDLINE | Mark up an existing draft with proposed changes |
| JOINT_CONTROLLER | Art. 26 Joint Controller Arrangement workflow |
| Feature | Description |
|---|---|
| Bilingual (DE/EN) | Parallel quality across both languages |
| Dual Perspective | Controller-side and processor-side review |
| Commission SCC | Built on Implementing Decision (EU) 2021/915 |
| Template Library | 3 DPA tiers × 2 languages + JCA × 2 languages |
| Defect Catalog | Common vendor-DPA defects with diagnostic signals |
| Negotiation Fallbacks | Pre-drafted alternative language for contested clauses |
| SCC Integration | International-transfer module guidance (Modules 1–4) |
| Tier Selection | Commercial / hybrid / strict matched to deal context |
| Quality Gates | Verified Art. 28(3) coverage before delivery |
| Document | Reference |
|---|---|
| GDPR Art. 28 | Controller-processor relationship |
| GDPR Art. 28(3)(a)–(h) | Mandatory DPA content |
| GDPR Art. 26 | Joint controller arrangements |
| Commission Implementing Decision (EU) 2021/915 | EU-wide DPA standard contractual clauses |
| Commission Implementing Decision (EU) 2021/914 | International transfer SCCs (Modules 1–4) |
This skill provides structured GDPR Art. 28 / Art. 26 contracting guidance. It is not legal advice. Negotiated DPAs and JCAs should be reviewed by qualified data protection counsel before signing.
Licensed under AGPL-3.0 — see LICENSE at the repo root.
Created by Oliver Schmidt-Prietz — OneZero Legal