lawful_basis_assessment
Evaluate lawful bases for processing personal data under GDPR Article 6, with AI-specific considerations to recommend the appropriate basis.
Instructions
Determine the appropriate lawful basis for processing under GDPR Article 6. Evaluates all 6 lawful bases with AI-specific considerations and recommends the most appropriate basis with supporting rationale.
Args:
processing_purpose: The specific purpose of data processing
data_categories: Types of personal data involved
controller_type: "private" (company), "public" (government/public body)
relationship_with_data_subject: Nature of relationship (customer/employee/patient/citizen/visitor)
ai_processing: Whether an AI/ML system is used in processing
caller: Caller identifier for rate limiting
tier: Access tier (free/pro)Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| processing_purpose | Yes | ||
| data_categories | Yes | ||
| controller_type | No | private | |
| relationship_with_data_subject | No | customer | |
| ai_processing | No | ||
| caller | No | anonymous | |
| tier | No | free | |
| api_key | No |
Output Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |
Implementation Reference
- server.py:437-569 (handler)The main handler function for the 'lawful_basis_assessment' MCP tool. Evaluates all 6 GDPR Article 6 lawful bases with AI-specific considerations and recommends the most appropriate basis with supporting rationale.
@mcp.tool() def lawful_basis_assessment( processing_purpose: str, data_categories: list[str], controller_type: str = "private", relationship_with_data_subject: str = "customer", ai_processing: bool = True, caller: str = "anonymous", tier: str = "free", api_key: str = "") -> str: """Determine the appropriate lawful basis for processing under GDPR Article 6. Evaluates all 6 lawful bases with AI-specific considerations and recommends the most appropriate basis with supporting rationale. Args: processing_purpose: The specific purpose of data processing data_categories: Types of personal data involved controller_type: "private" (company), "public" (government/public body) relationship_with_data_subject: Nature of relationship (customer/employee/patient/citizen/visitor) ai_processing: Whether an AI/ML system is used in processing caller: Caller identifier for rate limiting tier: Access tier (free/pro) """ allowed, msg, tier = check_access(api_key) if not allowed: return {"error": msg, "upgrade_url": "https://meok.ai/pricing"} if err := _check_rate_limit(caller, tier): return {"error": err} purpose_lower = processing_purpose.lower() bases_assessment = {} for basis_key, basis_info in GDPR_ARTICLES["Art.6"]["lawful_bases"].items(): suitability = "possible" score = 50 notes = [] if basis_key == "consent": if "training" in purpose_lower or "model" in purpose_lower: notes.append("AI training on personal data typically requires broad consent that may be hard to make truly specific") score = 40 if ai_processing: notes.append("Consent must cover AI-specific processing — generic consent insufficient") score = max(score - 10, 20) notes.append("Consent can be withdrawn at any time, which may complicate ongoing AI operations") elif basis_key == "contract": if relationship_with_data_subject in ("customer", "employee"): score = 60 notes.append("May apply if AI processing is genuinely necessary to deliver contracted service") else: score = 20 notes.append("No contractual relationship — this basis unlikely to apply") if "training" in purpose_lower: score = max(score - 20, 10) notes.append("AI model training is typically not necessary for contract performance") elif basis_key == "legal_obligation": compliance_keywords = ["aml", "fraud", "regulatory", "tax", "audit", "reporting"] if any(kw in purpose_lower for kw in compliance_keywords): score = 80 notes.append("Processing appears to serve a legal compliance purpose") else: score = 20 notes.append("No clear legal obligation identified for this processing") elif basis_key == "vital_interests": medical_keywords = ["emergency", "life-threatening", "triage", "critical care"] if any(kw in purpose_lower for kw in medical_keywords): score = 60 notes.append("May apply in emergency/life-threatening scenarios") else: score = 5 notes.append("Vital interests basis is extremely narrow — only for life-or-death situations") elif basis_key == "public_interest": if controller_type == "public": score = 70 notes.append("Public bodies can rely on public interest basis with legal foundation") else: score = 15 notes.append("Private organizations rarely qualify for public interest basis") elif basis_key == "legitimate_interests": if controller_type == "public": score = 10 notes.append("Not available to public authorities performing their tasks") else: score = 70 notes.append("Most common basis for commercial AI. Requires Legitimate Interest Assessment (LIA)") if ai_processing: notes.append("AI profiling requires careful balancing — enhanced LIA recommended") score = max(score - 10, 40) if score >= 70: suitability = "recommended" elif score >= 40: suitability = "possible" else: suitability = "unlikely" bases_assessment[basis_key] = { "article": basis_info["article"], "description": basis_info["description"], "suitability": suitability, "score": score, "ai_considerations": basis_info["ai_considerations"], "requirements": basis_info["requirements"], "notes": notes, } # Determine recommendation recommended = max(bases_assessment.items(), key=lambda x: x[1]["score"]) result = { "assessment_type": "GDPR Lawful Basis Assessment", "timestamp": datetime.now(timezone.utc).isoformat(), "processing_purpose": processing_purpose, "ai_processing": ai_processing, "all_bases": bases_assessment, "recommendation": { "recommended_basis": recommended[0], "article": recommended[1]["article"], "confidence": "high" if recommended[1]["score"] >= 70 else "medium" if recommended[1]["score"] >= 50 else "low", "rationale": recommended[1]["notes"], }, "additional_requirements": { "article_9_explicit_consent_needed": any("biometric" in d.lower() or "health" in d.lower() or "genetic" in d.lower() for d in data_categories), "article_22_human_review": ai_processing, "article_35_dpia_likely": ai_processing, }, } return result - server.py:434-569 (registration)Registration of the tool via the @mcp.tool() decorator on line 437, which registers 'lawful_basis_assessment' as an MCP tool.
# --------------------------------------------------------------------------- # TOOL 2: Lawful Basis Assessment # --------------------------------------------------------------------------- @mcp.tool() def lawful_basis_assessment( processing_purpose: str, data_categories: list[str], controller_type: str = "private", relationship_with_data_subject: str = "customer", ai_processing: bool = True, caller: str = "anonymous", tier: str = "free", api_key: str = "") -> str: """Determine the appropriate lawful basis for processing under GDPR Article 6. Evaluates all 6 lawful bases with AI-specific considerations and recommends the most appropriate basis with supporting rationale. Args: processing_purpose: The specific purpose of data processing data_categories: Types of personal data involved controller_type: "private" (company), "public" (government/public body) relationship_with_data_subject: Nature of relationship (customer/employee/patient/citizen/visitor) ai_processing: Whether an AI/ML system is used in processing caller: Caller identifier for rate limiting tier: Access tier (free/pro) """ allowed, msg, tier = check_access(api_key) if not allowed: return {"error": msg, "upgrade_url": "https://meok.ai/pricing"} if err := _check_rate_limit(caller, tier): return {"error": err} purpose_lower = processing_purpose.lower() bases_assessment = {} for basis_key, basis_info in GDPR_ARTICLES["Art.6"]["lawful_bases"].items(): suitability = "possible" score = 50 notes = [] if basis_key == "consent": if "training" in purpose_lower or "model" in purpose_lower: notes.append("AI training on personal data typically requires broad consent that may be hard to make truly specific") score = 40 if ai_processing: notes.append("Consent must cover AI-specific processing — generic consent insufficient") score = max(score - 10, 20) notes.append("Consent can be withdrawn at any time, which may complicate ongoing AI operations") elif basis_key == "contract": if relationship_with_data_subject in ("customer", "employee"): score = 60 notes.append("May apply if AI processing is genuinely necessary to deliver contracted service") else: score = 20 notes.append("No contractual relationship — this basis unlikely to apply") if "training" in purpose_lower: score = max(score - 20, 10) notes.append("AI model training is typically not necessary for contract performance") elif basis_key == "legal_obligation": compliance_keywords = ["aml", "fraud", "regulatory", "tax", "audit", "reporting"] if any(kw in purpose_lower for kw in compliance_keywords): score = 80 notes.append("Processing appears to serve a legal compliance purpose") else: score = 20 notes.append("No clear legal obligation identified for this processing") elif basis_key == "vital_interests": medical_keywords = ["emergency", "life-threatening", "triage", "critical care"] if any(kw in purpose_lower for kw in medical_keywords): score = 60 notes.append("May apply in emergency/life-threatening scenarios") else: score = 5 notes.append("Vital interests basis is extremely narrow — only for life-or-death situations") elif basis_key == "public_interest": if controller_type == "public": score = 70 notes.append("Public bodies can rely on public interest basis with legal foundation") else: score = 15 notes.append("Private organizations rarely qualify for public interest basis") elif basis_key == "legitimate_interests": if controller_type == "public": score = 10 notes.append("Not available to public authorities performing their tasks") else: score = 70 notes.append("Most common basis for commercial AI. Requires Legitimate Interest Assessment (LIA)") if ai_processing: notes.append("AI profiling requires careful balancing — enhanced LIA recommended") score = max(score - 10, 40) if score >= 70: suitability = "recommended" elif score >= 40: suitability = "possible" else: suitability = "unlikely" bases_assessment[basis_key] = { "article": basis_info["article"], "description": basis_info["description"], "suitability": suitability, "score": score, "ai_considerations": basis_info["ai_considerations"], "requirements": basis_info["requirements"], "notes": notes, } # Determine recommendation recommended = max(bases_assessment.items(), key=lambda x: x[1]["score"]) result = { "assessment_type": "GDPR Lawful Basis Assessment", "timestamp": datetime.now(timezone.utc).isoformat(), "processing_purpose": processing_purpose, "ai_processing": ai_processing, "all_bases": bases_assessment, "recommendation": { "recommended_basis": recommended[0], "article": recommended[1]["article"], "confidence": "high" if recommended[1]["score"] >= 70 else "medium" if recommended[1]["score"] >= 50 else "low", "rationale": recommended[1]["notes"], }, "additional_requirements": { "article_9_explicit_consent_needed": any("biometric" in d.lower() or "health" in d.lower() or "genetic" in d.lower() for d in data_categories), "article_22_human_review": ai_processing, "article_35_dpia_likely": ai_processing, }, } return result - server.py:90-129 (helper)GDPR_ARTICLES['Art.6']['lawful_bases'] knowledge base — the 6 lawful bases (consent, contract, legal_obligation, vital_interests, public_interest, legitimate_interests) with descriptions, AI considerations, and requirements used by the assessment logic.
"Art.6": { "title": "Lawfulness of processing", "lawful_bases": { "consent": { "article": "6(1)(a)", "description": "The data subject has given consent to the processing of his or her personal data for one or more specific purposes.", "ai_considerations": "For AI training: consent must be specific, informed, freely given. Must cover the specific purpose of AI processing. Consent for training data collection may not cover later model deployment. Re-consent may be needed when AI purpose changes.", "requirements": ["Freely given", "Specific", "Informed", "Unambiguous indication", "Clear affirmative action", "Easy to withdraw"], }, "contract": { "article": "6(1)(b)", "description": "Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.", "ai_considerations": "AI-powered service delivery may qualify if the AI processing is genuinely necessary to fulfil the contract. Personalization features powered by AI may not always be strictly necessary for contract performance.", "requirements": ["Genuine contract exists", "Processing objectively necessary", "Not merely useful or standard practice"], }, "legal_obligation": { "article": "6(1)(c)", "description": "Processing is necessary for compliance with a legal obligation to which the controller is subject.", "ai_considerations": "AI systems used for regulatory compliance (AML, fraud detection) may rely on this basis. The legal obligation must be sufficiently clear and precise.", "requirements": ["Legal obligation exists in EU or Member State law", "Processing genuinely necessary for compliance"], }, "vital_interests": { "article": "6(1)(d)", "description": "Processing is necessary in order to protect the vital interests of the data subject or of another natural person.", "ai_considerations": "Medical AI for emergency triage, disaster response AI. Narrow scope — only life-or-death situations. Cannot be used for general health AI services.", "requirements": ["Life-threatening situation", "No other legal basis available", "Data subject physically or legally incapable of giving consent"], }, "public_interest": { "article": "6(1)(e)", "description": "Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.", "ai_considerations": "Government AI systems, public health AI, educational AI by public institutions. Must have basis in EU or Member State law.", "requirements": ["Task in public interest or official authority", "Basis in law", "Processing necessary (not merely helpful)"], }, "legitimate_interests": { "article": "6(1)(f)", "description": "Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.", "ai_considerations": "Most common basis for commercial AI. Requires Legitimate Interest Assessment (LIA). Must balance business interest against individual rights. AI profiling requires extra scrutiny. Not available for public authorities in performance of tasks.", "requirements": ["Legitimate interest identified", "Processing is necessary", "Balance against data subject rights (LIA)", "Not overridden by data subject interests"], }, }, - server.py:62-71 (helper)FastMCP server initialization with instructions mentioning lawful basis determination under Article 6 as part of the server capabilities.
mcp = FastMCP( "gdpr-compliance-ai", instructions=( "GDPR Compliance for AI Systems server. Classify data processing activities, " "determine lawful basis under Article 6, generate Data Protection Impact " "Assessments (Article 35), handle data subject rights requests (Articles 15-22), " "assess breach notification requirements (72-hour rule), and crosswalk GDPR " "requirements to EU AI Act obligations. By MEOK AI Labs." ), )