GDPR Compliance Prompt Templates
AI prompt templates for GDPR compliance. Create data processing agreements and consent forms.
Overview
GDPR compliance prompts help you create the documents required under the EU's General Data Protection Regulation. If you collect data from EU residents, you need proper consent mechanisms, data processing agreements, and procedures for handling data subject requests. These templates help you meet your legal obligations while keeping the paperwork manageable.
Best Practices
Identify your role clearly, whether you're a data controller, processor, or both
Document your legal basis for processing each type of personal data
Make consent requests specific and separate from other terms
Have clear procedures for responding to data subject requests within the 30-day deadline
Keep records of processing activities as required by Article 30
Prompt Templates
1. Data Processing Agreement Generator
Create a Data Processing Agreement (DPA) between [CONTROLLER_TYPE] (data controller) and [PROCESSOR_TYPE] (data processor).
Processing details:
- Data subjects: [DATA_SUBJECTS]
- Data categories: [DATA_CATEGORIES]
- Processing purposes: [PROCESSING_PURPOSES]
- Processing duration: [DURATION]
Sub-processors: [SUB_PROCESSOR_INFO]
Data transfer: [TRANSFER_DETAILS]
Include all GDPR Article 28 required provisions.
Example values:
- CONTROLLER_TYPE: e-commerce company based in Germany
- PROCESSOR_TYPE: email marketing platform (SaaS)
- DATA_SUBJECTS: customers who opt into marketing emails
- DATA_CATEGORIES: name, email address, purchase history, email engagement data
- PROCESSING_PURPOSES: sending marketing emails, segmentation, analytics
- DURATION: for the term of the service agreement
- SUB_PROCESSOR_INFO: uses AWS for hosting, Sendgrid for email delivery
- TRANSFER_DETAILS: data stored in EU, Sendgrid processes in US under SCCs
DATA PROCESSING AGREEMENT
This Data Processing Agreement ('DPA') forms part of the Service Agreement between:
Data Controller: [Company Name], [German Address] ('Controller')
Data Processor: [Platform Name], [Address] ('Processor')
1. DEFINITIONS
'Personal Data', 'Processing', 'Data Subject', and other terms have the meanings given in the GDPR.
2. SCOPE AND PURPOSE
2.1 Controller engages Processor to process Personal Data for the purpose of providing email marketing services.
2.2 Processor shall process Personal Data only on Controller's documented instructions.
3. DATA PROCESSING DETAILS
- Data Subjects: Controller's customers who have opted into marketing communications
- Categories of Personal Data: Name, email address, purchase history, email engagement metrics
- Processing Operations: Storage, email transmission, segmentation analysis, reporting
- Duration: For the term of the Service Agreement plus data retention period
4. PROCESSOR OBLIGATIONS (Article 28)
4.1 Process Personal Data only on documented instructions from Controller
4.2 Ensure persons authorized to process have committed to confidentiality
4.3 Implement appropriate technical and organizational security measures
4.4 Assist Controller with data subject requests and GDPR compliance...
5. SUB-PROCESSORS
5.1 Controller authorizes the use of sub-processors listed in Annex B
5.2 Processor shall notify Controller of any intended changes...
When to use: when you're hiring a vendor that will process personal data on your behalf, or when a customer asks you for a DPA.
- Keep a list of your sub-processors and update it when things change
- Include the DPA as an attachment to your main service agreement
2. GDPR Consent Form
Create GDPR-compliant consent language for [CONSENT_PURPOSE] on a [PLATFORM_TYPE].
Data being collected: [DATA_COLLECTED]
How data will be used: [DATA_USES]
Third parties who receive data: [THIRD_PARTIES]
Consent requirements:
- Must be: [CONSENT_REQUIREMENTS]
- Withdrawal method: [WITHDRAWAL_METHOD]
Example values:
- CONSENT_PURPOSE: marketing communications
- PLATFORM_TYPE: B2B software website
- DATA_COLLECTED: name, email, company name, job title
- DATA_USES: send product updates, promotional emails, event invitations
- THIRD_PARTIES: marketing automation platform, CRM system
- CONSENT_REQUIREMENTS: freely given, specific, informed, unambiguous, separate from other consents
- WITHDRAWAL_METHOD: unsubscribe link in every email, account settings page
MARKETING CONSENT
We'd like to send you updates about [Company Name] products, services, and events.
[ ] Yes, I want to receive marketing emails from [Company Name]
What we'll send:
- Product updates and new feature announcements
- Industry insights and best practices
- Event invitations and webinar announcements
- Occasional promotional offers
We'll use your name, email, company, and job title to personalize communications. Our marketing platform [Platform Name] processes this data on our behalf.
You can unsubscribe anytime using the link at the bottom of our emails, or through your account settings. Unsubscribing won't affect your access to our product.
This consent is optional. You can use [Product Name] without subscribing to marketing.
---
NOTES FOR IMPLEMENTATION:
- Checkbox must be unchecked by default
- This consent should be separate from terms acceptance
- Link to full privacy policy
- Record timestamp and IP address when consent is given
- Store consent records for audit purposes
When to use: when you need to get proper consent for marketing emails, tracking, or other processing that requires consent as its legal basis.
- Never pre-check consent boxes
- Keep consent separate from terms of service acceptance
3. Data Subject Request Response
Draft a response to a [REQUEST_TYPE] from a data subject under GDPR.
Request details: [REQUEST_DETAILS]
Data we hold about them: [DATA_HELD]
Our response: [OUR_ACTION]
Timeline: [RESPONSE_TIMELINE]
Example values:
- REQUEST_TYPE: data access request (Article 15)
- REQUEST_DETAILS: customer emailed asking for a copy of all data we have about them
- DATA_HELD: account info (name, email, address), order history, support tickets, marketing preferences, website behavior analytics
- OUR_ACTION: providing full data export
- RESPONSE_TIMELINE: received 5 days ago, responding within 30-day deadline
RESPONSE TO DATA ACCESS REQUEST
[Date]
Dear [Customer Name],
Thank you for your request dated [Date] for access to your personal data under Article 15 of the General Data Protection Regulation (GDPR).
We have compiled all personal data we hold about you. Please find attached:
1. Account Information
- Name, email address, shipping addresses
- Account creation date and preferences
2. Order History
- Complete list of orders placed (dates, items, amounts)
- Shipping and billing information used
3. Customer Support Records
- Copies of support tickets and correspondence
4. Marketing Preferences
- Your current consent status and history
- Email engagement data
5. Website Activity
- Analytics data associated with your account
- Cookie consent preferences
The attached file is password-protected for security. The password has been sent to your verified email address in a separate message.
Additional Information:
- Purpose of processing: Order fulfillment, customer support, marketing (with consent)
- Categories of recipients: Payment processor, shipping carriers, marketing platform
- Retention period: Account data kept while account is active; order records kept for 7 years for tax purposes
- Your rights: You may request rectification, erasure, or portability of this data
If you have questions or would like to exercise additional rights, please contact [privacy email]...
When to use: when someone submits a data subject request like access, deletion, or portability under GDPR.
- Verify the requester's identity before sending personal data
- Keep records of requests and your responses
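The implementation notes under the consent form (unchecked box, timestamp and IP recorded, records stored for audit) and the "consent status and history" plus 30-day timeline in the access-request response describe a small amount of machinery worth seeing in code. The following is an added Python example, not part of the original templates: an append-only consent ledger that refuses to log consent from a pre-checked box, keeps one purpose per record separate from terms acceptance, exports the ordered history for an Article 15 response, and computes the days left on a request. The class name, purpose strings and IP addresses are constructed for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

DSAR_DEADLINE_DAYS = 30  # deadline for data subject requests as stated on this page


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry: an opt-in or a withdrawal for a single purpose."""
    subject_id: str
    purpose: str               # one purpose per record, never bundled with terms acceptance
    given: bool                # True = consent given, False = withdrawn
    timestamp: str             # ISO 8601, UTC
    ip_address: str            # recorded as evidence, per the implementation notes
    consent_text_version: str  # identifies the exact wording the subject saw
    source: str                # "checkbox", "unsubscribe_link", "account_settings", ...


class ConsentLedger:
    """Constructed example store; a real deployment would back this with a database."""

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def record(self, subject_id: str, purpose: str, given: bool, ip_address: str,
               text_version: str, source: str, box_prechecked: bool = False,
               now: Optional[datetime] = None) -> ConsentEvent:
        # A pre-checked box is not an unambiguous affirmative act: refuse to log it as consent.
        if given and box_prechecked:
            raise ValueError("consent from a pre-checked box is not valid consent")
        # Terms acceptance is a separate act and must not be stored as a consent purpose.
        if purpose in ("terms_of_service", "privacy_policy"):
            raise ValueError("terms acceptance must be recorded separately from consent")
        ts = (now or datetime.now(timezone.utc)).isoformat()
        event = ConsentEvent(subject_id, purpose, given, ts, ip_address, text_version, source)
        self._events.setdefault(subject_id, []).append(event)  # history is never overwritten
        return event

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Current status is the most recent event recorded for that purpose."""
        relevant = [e for e in self._events.get(subject_id, []) if e.purpose == purpose]
        return bool(relevant) and relevant[-1].given

    def history(self, subject_id: str) -> List[dict]:
        """Ordered consent history, as attached to an Article 15 access response."""
        return [asdict(e) for e in self._events.get(subject_id, [])]


def days_remaining(received: datetime, today: datetime) -> int:
    """Days left to answer a data subject request against the 30-day deadline."""
    return (received + timedelta(days=DSAR_DEADLINE_DAYS) - today).days
```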
4. Records of Processing Activities
Create a Record of Processing Activities (ROPA) entry for [PROCESSING_ACTIVITY] conducted by [ORGANIZATION_TYPE].
Required information:
- Controller details: [CONTROLLER_INFO]
- Processing purpose: [PURPOSE]
- Data subjects: [DATA_SUBJECTS]
- Data categories: [DATA_CATEGORIES]
- Recipients: [RECIPIENTS]
- Transfers: [INTERNATIONAL_TRANSFERS]
- Retention: [RETENTION_PERIODS]
- Security measures: [SECURITY_MEASURES]
Example values:
- PROCESSING_ACTIVITY: employee payroll processing
- ORGANIZATION_TYPE: mid-size company with EU employees
- CONTROLLER_INFO: [Company Name], HR Department, DPO contact info
- PURPOSE: paying employees, tax reporting, benefits administration
- DATA_SUBJECTS: employees
- DATA_CATEGORIES: name, address, bank details, salary, tax ID, benefits elections
- RECIPIENTS: payroll provider, tax authorities, benefits providers
- INTERNATIONAL_TRANSFERS: payroll provider processes in US under SCCs
- RETENTION_PERIODS: employment records kept 7 years after termination per labor law
- SECURITY_MEASURES: encrypted storage, access limited to HR, audit logging
RECORD OF PROCESSING ACTIVITIES - Article 30(1)
Processing Activity ID: HR-001
Last Updated: [Date]
1. CONTROLLER INFORMATION
Name: [Company Name]
Address: [Address]
DPO Contact: [DPO Name], [dpo@company.com]
2. PROCESSING ACTIVITY
Name: Employee Payroll Processing
Department: Human Resources
3. PURPOSE OF PROCESSING
- Calculate and distribute employee compensation
- Withhold and report taxes to relevant authorities
- Administer employee benefits
- Maintain employment records as required by law
Legal Basis: Contract (employment agreement), Legal obligation (tax reporting)
4. CATEGORIES OF DATA SUBJECTS
- Current employees
- Former employees (during retention period)
5. CATEGORIES OF PERSONAL DATA
- Identification: Name, address, date of birth, national ID/tax number
- Financial: Bank account details, salary information
- Employment: Job title, department, start date, work hours
- Benefits: Health insurance elections, retirement contributions
6. CATEGORIES OF RECIPIENTS
| Recipient | Purpose | Safeguards |
|-----------|---------|------------|
| [Payroll Provider] | Payroll processing | DPA, SCCs |
| Tax Authorities | Legal reporting | Legal obligation |
| Benefits Providers | Benefits administration | DPA |
7. INTERNATIONAL TRANSFERS
Payroll provider processes data in the United States. Transfer mechanism: Standard Contractual Clauses (2021).
8. RETENTION PERIODS
- Active employee records: Duration of employment
- Post-termination: 7 years (statutory requirement)
- Unsuccessful applicants: 6 months
9. SECURITY MEASURES
- Data encrypted at rest and in transit
- Access restricted to HR personnel on need-to-know basis
- Audit logging enabled for all access
- Annual security review of payroll systems
When to use: when documenting your processing activities as required by GDPR Article 30, especially for internal audits or regulator requests.
- Review and update your ROPA at least annually
- Include this documentation for each distinct processing activity
Common Mistakes to Avoid
Treating consent as a catch-all legal basis when other bases like contract or legitimate interest apply
Not having a process to respond to data subject requests within the 30-day deadline
Forgetting to update records when you add new processing activities or vendors