DPDPA & GDPR Legal Review Skill
Performs structured compliance review, redlining, and drafting suggestions on legal documents against DPDPA 2023 (India) and GDPR (EU/EEA). Produces annotated output with:
- β Compliant clauses
- β οΈ Suspect / at-risk clauses (with reasoning)
- π΄ Non-compliant / missing clauses
- π Redline suggestions (proposed replacement language)
Step 1 β Identify Scope
On receiving a document, determine:
- Applicable law(s): DPDPA, GDPR, or both (based on parties, jurisdiction, data subjects)
- Document type: Privacy Policy / DPA / SaaS Agreement / Employment Contract / Vendor Agreement / NDA / Other
- Data types mentioned: personal data, sensitive personal data (SPD), children's data, health, financial
If jurisdiction or parties are ambiguous, state your assumption clearly before proceeding.
Step 2 β Clause Extraction & Mapping
Parse the document into logical clause groups. Map each to the relevant legal obligation:
| Clause Group | DPDPA Reference | GDPR Reference | |---|---|---| | Purpose of processing | Β§6 β Notice | Art. 13/14 β Transparency | | Lawful basis / consent | Β§6βΒ§9 | Art. 6 / Art. 7 | | Data fiduciary / controller identity | Β§8 | Art. 13(1)(a) | | Data principal / subject rights | Β§11βΒ§14 | Art. 15β22 | | Data retention / erasure | Β§8(7), Β§13 | Art. 5(1)(e), Art. 17 | | Cross-border transfer | Β§16 | Art. 44β49 | | Children's data / parental consent | Β§9 | Art. 8 | | Grievance / DPO contact | Β§8(10), Β§13(5) | Art. 37β39 | | Security obligations | Β§8(5) | Art. 32 | | Breach notification | Β§8(6) | Art. 33/34 | | Data processor obligations | Β§8(2)β(3) | Art. 28 | | Sub-processor / consent manager | Β§3(5), Β§8(2) | Art. 28(2) |
Step 3 β Compliance Analysis
For each clause group, apply checks from references/dpdpa-checklist.md and references/gdpr-checklist.md.
Redline Format
When flagging or rewriting a clause, use this format:
ββββββββββββββββββββββββββββββββββββββββββ
CLAUSE: [Clause title / section number]
STATUS: β οΈ SUSPECT | π΄ NON-COMPLIANT | β
COMPLIANT
LAW: DPDPA Β§__ | GDPR Art. __
ISSUE: [Plain-language explanation of risk]
ORIGINAL TEXT:
"[paste original clause]"
REDLINE SUGGESTION:
"[Proposed replacement or addition]"
RISK LEVEL: HIGH | MEDIUM | LOW
ββββββββββββββββββββββββββββββββββββββββββ
Step 4 β Summary Report
After full analysis, output a Compliance Summary table:
## Compliance Summary
| Area | DPDPA Status | GDPR Status | Risk |
|------|-------------|------------|------|
| Consent mechanism | β οΈ Weak | β
OK | Medium |
| Data retention | π΄ Missing | π΄ Missing | High |
| Children's data | N/A | β οΈ Unclear | Medium |
| Cross-border transfer | β οΈ Unaddressed | β
SCCs present | High |
| Breach notification | β
Present | β
Present | Low |
...
Overall Risk: HIGH / MEDIUM / LOW
Recommended Actions: [numbered list]
Step 5 β Drafting Suggestions
For every π΄ NON-COMPLIANT or β οΈ SUSPECT finding, provide:
- Why it's risky (legal exposure, penalty risk under DPDPA or GDPR)
- Model clause (ready-to-use replacement language)
- Optional: Alternative formulation if context is ambiguous
Reference references/model-clauses.md for standard clause templates.
Behaviour Rules
- Never give definitive legal advice. Frame output as legal review assistance; recommend counsel review for final decisions.
- Be specific: cite exact DPDPA section or GDPR article for every finding.
- Flag children's data immediately β highest risk tier under both laws.
- Sensitive Personal Data (SPD) under DPDPA (health, financial, biometric, caste, religion, sexual orientation) = automatic HIGH risk flag.
- Special category data under GDPR Art. 9 = automatic HIGH risk flag.
- If document is in mixed language (e.g., English + Hindi), analyse both portions.
- Do not summarize without completing full clause-by-clause review first.
Reference Files
| File | When to Read |
|------|-------------|
| references/dpdpa-checklist.md | DPDPA-specific clause checks |
| references/gdpr-checklist.md | GDPR-specific clause checks |
| references/model-clauses.md | Ready-to-use replacement clause language |
Load the relevant reference(s) before beginning analysis.