Data Privacy — AIPD (CNIL Standard)

    Overview

    Conduct a Privacy Impact Assessment (AIPD) under the CNIL standard for France (RGPD). The skill structures the assessment in three steps — Context (processing description, retention, flows), Principles (RGPD Art. 5 and measures), and Risks (identification, assessment, mitigation) — and validates data retention against CNIL “droit à l’oubli” (right to erasure). Relevant for tech, marketing, and health sectors.

    Tools

    • data_retention_limiter — Scans an AIPD or processing document for retention and storage periods. Flags: (1) indefinite or unlimited retention (incompatible with CNIL droit à l’oubli), (2) missing retention period, (3) durations exceeding a configurable maximum (default 10 years). Use after drafting or updating the AIPD. Optional parameter: maxYearsGeneral.
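
A minimal sketch of the three checks described for data_retention_limiter, added here as an illustration and not the skill's own code. The regex patterns, the function name `check_retention` and the sample drafts are assumptions; `max_years_general` mirrors the `maxYearsGeneral` parameter.

```python
import re

# Assumed wording patterns (French and English); the real tool's rules are not shown on the page.
INDEFINITE = re.compile(
    r"dur[ée]e\s+(?:illimit[ée]e?|ind[ée]termin[ée]e?)|sans\s+limite\s+de\s+dur[ée]e"
    r"|\bindefinite(?:ly)?\b|\bunlimited\b|until\s+account\s+closure",
    re.IGNORECASE,
)
DURATION = re.compile(r"\b(\d+)\s*(ans?|ann[ée]es?|years?|mois|months?|jours?|days?)\b", re.IGNORECASE)

def to_years(amount: int, unit: str) -> float:
    """Normalise a matched duration to years."""
    unit = unit.lower()
    if unit.startswith(("mois", "month")):
        return amount / 12
    if unit.startswith(("jour", "day")):
        return amount / 365
    return float(amount)

def check_retention(text: str, max_years_general: float = 10) -> dict:
    """Run the three retention checks and return findings plus an overall result."""
    findings = []
    # Check 1: indefinite or unlimited retention wording, reported with a short excerpt.
    for m in INDEFINITE.finditer(text):
        start, end = max(0, m.start() - 25), min(len(text), m.end() + 25)
        excerpt = " ".join(text[start:end].split())
        findings.append(("ERROR", "indefinite", f"…{excerpt}…"))
    # Check 2: at least one explicit duration must be stated.
    durations = [(m.group(0), to_years(int(m.group(1)), m.group(2)))
                 for m in DURATION.finditer(text)]
    if not durations:
        findings.append(("ERROR", "missing", "no retention period stated"))
    # Check 3: every stated duration must stay within the configured maximum.
    for raw, years in durations:
        if years > max_years_general:
            findings.append(("ERROR", "too_long", f"{raw} exceeds {max_years_general} years"))
    return {"result": "INCOMPLETE" if findings else "OK", "findings": findings}

# Constructed sample drafts, not taken from a real AIPD.
DRAFT_BAD = "Conservation des données à durée illimitée. Logs techniques : 15 ans."
DRAFT_OK = "Données de contact : 3 ans après la dernière activité. Logs : 6 mois."

if __name__ == "__main__":
    for name, doc in (("bad", DRAFT_BAD), ("ok", DRAFT_OK)):
        report = check_retention(doc)
        print(name, report["result"], report["findings"])
```

Any number followed by a time unit counts as a retention period in this sketch, so an age such as "18 ans" would also match; a reviewer still has to confirm each hit against the processing register.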

    Getting Started

    Add your draft AIPD or processing documentation (Markdown or text) to the project workspace, then activate the Data Privacy — AIPD (CNIL Standard) skill. The agent will use the CNIL 3-step template and run data_retention_limiter to check retention compliance.


    Example conversation

    Session where a user drafts an AIPD for a French marketing platform and validates retention.

    You: We need an AIPD for our new B2B marketing platform in France. We collect contact and usage data; retention is “until account closure” for now.

    Agent: I’ve created an AIPD from the template at docs/aipd-marketing-platform.md and filled step 1 (Contexte) with your finalities and data categories. “Until account closure” is effectively indefinite — CNIL recommends a maximum duration. I’ve set a placeholder: 3 years after last activity, with a note to confirm.

    You: Run the retention checker on the current draft.

    Agent: Running data_retention_limiter on docs/aipd-marketing-platform.md:

    • Indefinite retention: OK (no indefinite wording in current draft).
    • Retention stated: OK.
    • Durations: 3 years — OK.

    Result: OK — no retention issues detected. I’ve left a reminder in the AIPD to document retention in the register and in the privacy notice.


    Excerpt from data_retention_limiter output

    Example when the document mentions indefinite retention.

    ================================================================
    Data Retention Limiter — CNIL / Droit à l'oubli
    File: docs/aipd-draft.md
    ================================================================
    
    --- Indefinite / unlimited retention ---
      [ERROR] Document mentions indefinite or unlimited retention. CNIL requires a defined duration.
        Excerpt: …conservation des données à durée illimitée jusqu'à…
    
    --- Retention period stated ---
      [OK] At least one retention/conservation duration appears in the document.
    
    ================================================================
    RESULT: INCOMPLETE — fix indefinite retention to comply with CNIL droit à l'oubli.
      - Indefinite or unlimited retention conflicts with CNIL 'droit à l'oubli'. Define a maximum conservation period.
    ================================================================
    
