Get the full text and context of a specific GDPR article.

List all articles within a specific GDPR chapter.

Search across GDPR articles and recitals by keywords.

Get the text of a specific GDPR recital.

Get Azure service recommendations mapped to a specific GDPR article.

Get the GDPR definition for a specific term (Art. 4).

List all GDPR definitions from Article 4.

Search GDPR definitions by keywords.

Assess whether a DPIA is required for a described processing activity.

Args: processing_description: Free-text description of the data processing

Generate a DPIA template pre-filled with guidance for the described processing activity, including risk assessment and mitigation measures.

Args: processing_description: Free-text description of the data processing

Get detailed DPIA guidance for a specific topic or processing type.

Args: topic: Topic area (e.g., 'profiling', 'large-scale monitoring', 'special categories', 'children')

Generate a Records of Processing Activities (ROPA) template per Art. 30.

Args: organization_context: Description of the organization, its role (controller/processor), and main processing activities

Validate a ROPA document against Art. 30 mandatory fields.

Args: ropa_content: The ROPA content to validate (text/JSON/markdown)

Get the mandatory ROPA fields for a given organizational role.

Args: role: 'controller' or 'processor' — determines required fields

Get guidance on handling a specific data-subject request.

Args: request_type: Type of DSR — 'access', 'rectification', 'erasure', 'restriction', 'portability', 'objection', 'automated_decision'

Generate a step-by-step DSR fulfilment workflow with Azure implementation notes.

Args: request_type: Type of DSR system_context: Optional description of the system architecture

Get GDPR-mandated response timelines and extension rules for a DSR type.

Args: request_type: Type of DSR

Analyze Bicep/Terraform/ARM code for GDPR compliance issues.

Checks data residency, encryption, access control, logging, retention, and privacy-by-design patterns.

Args: code: The IaC code content file_type: 'bicep', 'terraform', or 'arm' file_path: Optional file path for reporting context: Optional additional context

Analyze application code for GDPR compliance issues such as missing consent checks, PII logging, insecure data handling, and missing encryption.

Args: code: The application code content language: 'python', 'csharp', 'java', 'typescript', or 'javascript' file_path: Optional file path for reporting

Validate IaC configuration against GDPR mandatory requirements BEFORE deploying.

Checks for: missing encryption at rest/in transit, public endpoints without justification, insufficient log retention, missing data classification tags, non-EU data residency.

Args: code: The IaC code content file_type: 'bicep', 'terraform', or 'arm' strict_mode: If True, fail on any GDPR violation

Analyze code for Data Subject Rights (DSR) implementation capabilities.

Detects patterns indicating support for GDPR rights:

• Art. 15: Right of access

• Art. 16: Right to rectification

• Art. 17: Right to erasure

• Art. 18: Right to restriction

• Art. 20: Right to data portability

• Art. 21: Right to object

• Art. 22: Automated decision-making safeguards

Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting

Analyze code for potential cross-border data transfers under GDPR Chapter V.

Detects:

• Third-party API calls to non-EU services (OpenAI, Stripe, Twilio, etc.)

• SDK imports for US-based services

• Webhook/integration patterns that may involve data export

Provides guidance on SCCs, DPAs, and Transfer Impact Assessments.

Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting

Analyze code for breach notification readiness under GDPR Art. 33-34.

Assesses:

• Security logging capabilities

• Alerting mechanisms

• Incident tracking systems

• 72-hour notification process references

• Data subject notification capabilities

Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting

Analyze code for personal data flow patterns to support ROPA documentation.

Maps the data lifecycle:

• Collection: Where PII enters the system

• Storage: Where PII is persisted

• Transmission: Where PII is sent externally

• Deletion: Where PII is removed

Helps identify GDPR compliance touchpoints for Art. 30 ROPA.

Args: code: The application code content language: Programming language ('python', 'typescript', 'csharp', etc.) file_path: Optional file path for reporting

Assess a data-retention policy against GDPR storage-limitation principle (Art. 5(1)(e)) and right to erasure (Art. 17).

Args: policy_description: Description of the retention policy

Get GDPR-aligned retention guidance for a specific data category.

Args: data_category: Category of data (e.g., 'employee records', 'customer data', 'marketing consent', 'health data', 'financial transactions')

Check what deletion/anonymization capabilities a system must support per GDPR.

Args: system_context: Description of the system and data it holds

Assess whether a service/system acts as data controller, processor, joint controller, or has a mixed role under GDPR.

Analyzes the service description against GDPR definitions and EDPB guidance to determine the likely role and associated obligations.

Args: service_description: Description of the service, data flows, business relationships, and processing activities

Get GDPR obligations specific to a controller/processor role.

Returns detailed obligations from relevant GDPR articles with optional Azure implementation guidance.

Args: role: 'controller', 'processor', 'joint_controller', or 'sub_processor' include_azure: Include Azure-specific implementation guidance

Analyze source code for patterns indicating controller vs processor role.

Detects patterns like: direct user data collection, consent mechanisms, multi-tenant isolation, webhook receivers, data forwarding, etc.

Args: code: The source code to analyze language: Programming language ('python', 'typescript', 'csharp', etc.)

Generate an Article 28 Data Processing Agreement (DPA) checklist.

Provides a comprehensive checklist of mandatory and recommended DPA clauses with Azure-specific considerations.

Args: context: Description of the processing relationship and context

Get common controller/processor scenarios and role determinations.

Returns typical scenarios (SaaS, API services, cloud infrastructure, etc.) with guidance on typical role classification and exceptions.

Args: scenario_type: Filter scenarios by type (e.g., 'saas', 'api', 'cloud') or 'all' for all scenarios

Analyze code using AST for GDPR compliance (Python, JavaScript, TypeScript).

AST analysis provides higher accuracy than regex by:

• Filtering out comments and string literals (reducing false positives)

• Tracking variable assignments and data flow

• Identifying function definitions and call sites

• Verifying semantic intent of GDPR-related code

Detects:

• Cross-border data transfers (third-party API imports)

• PII handling in function parameters

• PII logging violations

• DSR implementation patterns (Art. 15-22)

Args: code: Source code to analyze file_path: Optional file path for automatic language detection language: Override language (python, javascript, typescript) deep_analysis: Include detailed function, import, and data flow info

Get information about AST analysis capabilities.

Returns supported languages, analysis categories, detected patterns, and configuration options for the AST-based code analyzer.