LIVE · v1.1 STABLE
BUILD 2026.05.27
ART. 13 · 14
AGPL-3.0 · 4 EVAL CASES · 40 ASSERTIONS

PRIVACY
NOTICES
by JURISDICTION
& TYPE.

Drafts GDPR/DSGVO-compliant privacy notices as professional .docx. type-driven intake, Art. 13/14 completeness, jurisdiction-aware wording, AI Act transparency overlay, multi-language output, and structured compliance verification — in a single guided workflow.

GDPR ART. 13   ·   GDPR ART. 14   ·   GDPR ART. 21(4)   ·   GDPR ART. 22   ·   GDPR ART. 35   ·   EU AI ACT ART. 50   ·   BDSG § 26   ·   TDDDG   ·   CNIL   ·   RGPD + LIL + LCEN   ·   UK GDPR   ·   nFADP   ·   GDPR ART. 13   ·   GDPR ART. 14   ·   GDPR ART. 21(4)   ·   GDPR ART. 22   ·   GDPR ART. 35   ·   EU AI ACT ART. 50   ·   BDSG § 26   ·   TDDDG   ·   CNIL   ·   RGPD + LIL + LCEN   ·   UK GDPR   ·   nFADP
§ 01 · CAPABILITIES

SIX PRIMITIVES.
One SKILL.

Each capability is documented separately, tested separately, and called by the workflow at the right moment. Compose them or invoke individually.

01
TYPE-DRIVEN INTAKE
Five notice types — Website/App, Applicant, Employee, B2B Partner, B2C Customer. Each carries its own section map, data profile, legal bases, and retention defaults.
02
ART. 13/14 COMPLETENESS
Every mandatory disclosure checked against the EU_COMMON checklist before delivery. Each item is present or explicitly marked not-applicable with a reason.
03
JURISDICTION AWARENESS
DE (DSGVO+BDSG+TDDDG), FR (RGPD+LIL+LCEN), AT, IT, ES, NL, BE, IE, UK GDPR. Correct supervisory authority, validated wording blocks, statutory retention citations.
04
AI ACT TRANSPARENCY
Art. 50 AI Act overlay. Flags AI interaction disclosure, AI-generated content, and the link between Art. 22 GDPR rights and the AI system.
05
DPIA INDICATOR SCREEN
Eight Art. 35 indicators screened during intake. Two or more triggers a DPIA recommendation as a separate deliverable, cross-checked against DSK / CNIL lists.
06
DOCX GENERATION
A4, numbered headings, TOC, purposes/retention and cookie tables, a prominent Art. 21 objection box, and a post-generation review checklist.
§ 02 · WORKFLOW

FROM INPUT
to ARTEFACT.

Twelve structured steps. The human stays accountable; the skill carries the structure, the citations, and the document trail.

01
Determine notice type
First question. Website/App, Applicant, Employee, B2B, B2C, or Combined. The type fixes the section map and intake profile.
02
Determine jurisdiction
Which markets the service targets. Load DE / FR / OTHER_EU references, always plus EU_COMMON. Note where requirements differ.
03
Template & language
Use the user's existing .docx as base, or a pre-built template. Resolve single vs bilingual vs pan-EU language strategy and the governing version.
04
Controller identity
Group A intake: name, legal form, registration, address, legal representative, contact, DPO appointment and functional email.
05
Data inventory
Group B: data per collection point, mandatory vs optional, source. Art. 9 special categories trigger the dual-basis protocol.
06
Purposes & legal bases
Group C: a confirmed table mapping each processing activity to a precise Art. 6 basis and its data categories.
07
Recipients & transfers
Group D: processors, locations, transfer mechanism (adequacy, SCCs, DPF, BCRs). Art. 28 DPA cross-reference flags gaps.
08
Cookies, AI & DPIA
Groups E–G: cookie categories and CMP, AI/automated processing and AI Act class, then the eight DPIA indicators.
09
Summary confirmation
Structured pre-draft summary: type, controller, jurisdictions, data, bases, processors, transfers, sections to include and skip. User confirms.
10
Draft the notice
Build from template plus type section map. Art. 21 prominent and separate, precise article citations, specific retention with legal justification.
11
Compliance verification
Re-read jurisdiction references, verify Art. 13/14 checklist, run additional, type-specific, and AI Act checks.
12
Deliver as .docx
Generate via the docx skill with confirmation, assumptions, a legal-review recommendation, and the post-generation approval workflow.
§ 03 · MODES

SIX PATHS.
One OUTCOME.

Match the workflow to the situation. The skill router picks automatically; you can override.

WEBSITE / APP
Visitors, users, subscribers. Sub-types: brochure, e-commerce, SaaS, mobile, marketplace, AI platform — each anticipating its own data categories.
APPLICANT
Job applicants and candidates. § 26 BDSG basis (DE), separate talent-pool consent, ≤ 6-month post-rejection retention, Art. 14 when data comes from recruiters.
EMPLOYEE
Employees, contractors, interns. § 26 BDSG primary basis, works council, IT monitoring disclosure, complex retention chain.
B2B PARTNER
Contact persons at vendors, suppliers, clients. Art. 14 disclosure when data is not from the data subject; contact-person vs contracting-entity distinction.
B2C CUSTOMER
End consumers in a purchase/service relationship. Soft opt-in conditions (§ 7(3) UWG), payment processor, loyalty terms, profiling disclosure.
COMBINED
Multiple audiences in one or several linked notices. Structural options: single comprehensive, separate, or layered.
§ 04 · ANATOMY

WHAT'S
IN the SKILL.

Single-folder skill. SKILL.md is the runtime spec; references hold the knowledge corpus; evals hold the proof. 

privacy-notice-eu/
├── evals  # Test cases + assertions
│   └── evals.json  # 4 cases, 40 assertions
├── references  # Reference corpus
│   ├── DE.md
│   ├── EU_COMMON.md
│   ├── FR.md
│   ├── NOTICE_TYPES.md
│   ├── OTHER_EU.md
│   └── templates.md
├── CHANGELOG.md  # Version history
├── README.md  # Deployment guide
└── SKILL.md  # Main skill instructions
§ 05 · DEPLOYMENT

INSTALL
and INVOKE.

Two deployment surfaces. The skill auto-triggers on relevant keywords once installed.

CLAUDE.AI USER SKILLS

  1. Settings → Profile → Custom Skills
  2. Upload the entire privacy-notice-eu/ folder
  3. Skill auto-triggers on relevant keywords

CLAUDE CODE / MCP

  1. Copy folder to your skills directory:
cp -r privacy-notice-eu/ \
   ~/.claude/skills/user/
§ 06 · OUTPUTS

WHAT YOU
get BACK.

Every output is documented, version-pinned, and traceable to its source citation.

Privacy notice (.docx)
A4 professional document: numbered sections, TOC, purposes/retention and cookie tables, header/footer with page numbers — in DE, FR, or EN.
Pre-draft summary
Structured confirmation view: notice type, controller, jurisdictions, data categories, purposes and bases, processors, transfers, sections to include and skip.
Art. 21 objection box
The right to object rendered prominently and separately on every output, per Art. 21(4) GDPR.
Compliance verification report
Art. 13/14 checklist result plus type-specific, jurisdiction, and AI Act checks completed before delivery.
DPIA recommendation
Issued when two or more Art. 35 indicators are flagged, naming the relevant national mandatory list (DSK, CNIL).
Post-generation checklist
Legal, technical, translation-QA, and publication review steps plus ongoing review triggers.
§ 07 · EVALS

TESTED
before SHIPPED.

Every release runs against a fixed test suite. Assertions check numeric consistency, citation accuracy, and decision-tree branches.

04
Test Cases
40
Assertions
100%
Coverage Required
01
Draft a privacy notice for our SaaS product in English
10 ASSERTS
02
Erstelle eine Datenschutzerklärung auf Deutsch für unseren Personalbereich (Bewe...
10 ASSERTS
03
Here is our existing English privacy notice [imagined attached]
10 ASSERTS
04
We're a Swiss company — SwissCo AG, Zurich — selling consumer fitness apps in bo...
10 ASSERTS
§ 08 · REGULATORY BASIS

WHAT IT
cites.

Every legal verdict resolves to one of these instruments. No invented articles, no synthetic recitals.

GDPR Articles 13 & 14
Information duties to data subjects.
GDPR Article 21(4)
Prominent, separate presentation of the right to object.
GDPR Articles 22 & 35
Automated decision-making transparency and DPIA screening.
EU AI Act Article 50
AI transparency obligations.
BDSG § 26 & TDDDG (Germany)
Employee/applicant data basis and Telemedien/cookie requirements.
CNIL Recommendations (France)
2020 privacy notice guidance; RGPD + LIL + LCEN framework.
§ 09 · TRUST

EVERY STEP,
auditable.

The trace is the product. Nothing happens off the record — no hidden tool calls, no silent retrieval, no opaque chain-of-thought.

§
Source-anchored output.
Every legal basis, retention period, and supervisory authority traces back to the loaded jurisdiction reference, cited precisely.
VERIFIED
Reproducible drafting.
Pin a build; recreate the same notice from the same intake for audit trail or version archiving.
IMMUTABLE
Verification before delivery.
Art. 13/14 completeness, type-specific, and AI Act checks all run before any .docx ships.
ENFORCED
**
EU-native.
Built around DSGVO+BDSG, RGPD+LIL+LCEN, UK GDPR, and nFADP wording — not a translated US policy.
NATIVE
§ 10 · README.MD

Privacy Notice EU — Deployment Guide

Overview

Pan-EU GDPR Privacy Notice Generator — a comprehensive drafting skill for Claude that produces jurisdiction-aware, GDPR-compliant privacy notices as professional .docx documents:

  • Five notice types: Website/App, Applicant, Employee, Business Partner (B2B), B2C Customer
  • Multi-jurisdiction coverage: DE (DSGVO+BDSG+TDDDG), FR (RGPD+LIL+LCEN), AT, IT, ES, NL, BE, IE, UK GDPR
  • Multi-language support: German, French, English — with bilingual and pan-EU options
  • AI Act transparency integration: Art. 50 AI Act disclosure requirements
  • Type-driven intake: data categories, legal bases, and retention defaults tailored to each notice type
  • Art. 13/14 compliance verification: structured checklist before delivery
  • Cookie & tracking section: with CMP integration guidance
  • Art. 21 objection box: visually prominent, separate presentation per GDPR requirement
  • DPIA indicator screening: flags when Art. 35 assessment may be needed
  • Audit-ready .docx output with professional formatting

File Structure

privacy-notice-eu/
├── SKILL.md                              # Main skill instructions (deploy this)
└── references/
    ├── templates.md                      # Document template: structure, formatting, translations
    ├── EU_COMMON.md                      # Pan-EU GDPR requirements (Art. 13/14 checklist, legal bases)
    ├── DE.md                             # Germany-specific requirements (BDSG, TDDDG, DSK guidance)
    ├── FR.md                             # France-specific requirements (CNIL recommendations, LIL, LCEN)
    ├── OTHER_EU.md                       # AT, IT, ES, NL, BE, IE, UK GDPR specifics
    └── NOTICE_TYPES.md                   # Type profiles: section maps, data categories, intake questions

Deployment

Claude.ai (User Skills)

  1. Go to Settings → Profile → Custom Skills (or equivalent)
  2. Upload the entire privacy-notice-eu/ folder structure
  3. The skill will auto-trigger when you mention privacy notices, Datenschutzerklaerung, politique de confidentialite, Art. 13/14, or related topics

Claude Code / Custom MCP Setup

  1. Copy the privacy-notice-eu/ folder to your skills directory: bash cp -r privacy-notice-eu/ /path/to/your/skills/user/privacy-notice-eu/
  2. Ensure the skill is registered in your configuration

Usage

Quick Start

Just tell Claude what you need:

"I need a privacy notice for our SaaS platform. We're a German GmbH based in Berlin, targeting customers in Germany and France. We use Google Analytics, Stripe for payments, and OpenAI for an AI chatbot feature."

The skill will activate and walk you through the intake process.

Trigger Phrases

  • "Create a privacy notice" / "Datenschutzerklaerung erstellen" / "politique de confidentialite"
  • "Privacy policy for our website" / "Art. 13 GDPR"
  • "Bewerber-Datenschutz" / "applicant privacy notice"
  • "Employee data protection notice" / "Beschaeftigten-Datenschutz"

Workflow

Step Description
1. Scope Notice type, jurisdiction(s), language, template choice
2. Intake Type-driven collection: controller info, data inventory, legal bases, processors, cookies, AI
3. Draft Generate notice from template + type profile + collected information
4. Verify Art. 13/14 compliance check + type-specific checks + AI Act check
5. Deliver Professional .docx output with post-generation checklist

Notice Types

Type Typical Use Case
Website / App Visitors, users, subscribers — includes sub-types (brochure, e-commerce, SaaS, mobile, marketplace, AI platform)
Applicant Job applicants and candidates
Employee Employees, contractors, interns
B2B Partner Contact persons at vendors, suppliers, clients
B2C Customer End consumers in purchase/service relationships
Combined Multiple audiences in one or linked notices

Regulatory Basis

Document Reference
GDPR Articles 13 & 14 Information duties to data subjects
GDPR Article 21(4) Prominent presentation of right to object
GDPR Article 22 Automated decision-making transparency
EU AI Act Article 50 AI transparency obligations
BDSG (Germany) Sec. 26 employee data, DPO thresholds
CNIL Recommendations (France) 2020 privacy notice guidance
TDDDG (Germany) Telemedien/cookie requirements

Version History

See CHANGELOG.md.

License & Disclaimer

This skill provides drafting guidance based on publicly available GDPR regulatory materials. It does not constitute legal advice. All privacy notices should be reviewed by qualified data protection counsel and your organization's DPO before publication.

Created by Oliver Schmidt-Prietz — OneZero Legal