Beginner · 15 min

GDPR Compliance Check

Use Claude with Moonlit to perform quick GDPR compliance checks on your data processing activities. Describe the processing scenario and Claude will identify the applicable GDPR provisions, find relevant regulatory guidance from Data Protection Authorities, locate relevant CJEU case law, and assess compliance risks. This is not a substitute for formal legal advice, but it provides a fast, source-grounded starting point for compliance assessment.


MCP Setup Required

Make sure you've added Moonlit as an MCP server in Claude Desktop.


Try these prompts

We want to use employee email data to train an internal AI model. What GDPR issues should we consider?
Can we use legitimate interest as a legal basis to send marketing emails to existing B2B customers?
What are the GDPR requirements for transferring personal data to a processor in the United States after the EU-US Data Privacy Framework?
We're deploying facial recognition for building access. What does the GDPR require?
Is our cookie consent banner compliant if it uses pre-checked boxes for analytics cookies?

Example Conversation

You

We want to use employee email metadata (sender, recipient, timestamp, subject line) to train an internal AI model that detects phishing attempts. What GDPR issues should we consider?

Claude

I'll search Moonlit for GDPR provisions and relevant case law on employee data processing and AI training.

Based on my research, here are the key GDPR issues for this scenario:

**1. Legal Basis (Article 6(1) GDPR)**

You need a valid legal basis for processing. The most likely options are:

- **Legitimate interest (Art. 6(1)(f))**: Protecting the organization against phishing attacks is a legitimate interest. However, you must conduct a Legitimate Interest Assessment (LIA) and balance it against employees' privacy rights. In Case C-252/21 Meta Platforms (ECLI:EU:C:2023:537), the CJEU emphasized that the legitimate interest must be a "real and present" interest, not merely speculative.
- **Consent (Art. 6(1)(a))**: Problematic in employment contexts. The Article 29 Working Party (now EDPB) has consistently held that consent in the employment relationship is rarely "freely given" due to the power imbalance (Guidelines on Consent, WP259).

**2. Purpose Limitation (Article 5(1)(b))**

Email metadata was originally collected for communication purposes. Using it for AI training is a new, distinct purpose. Under Article 6(4), you must assess compatibility by considering the link between purposes, the context, the nature of the data, and possible consequences. The Raad van State has addressed similar purpose limitation questions in ECLI:NL:RVS:2023:4178.

**3. Data Minimisation (Article 5(1)(c))**

Assess whether subject lines are strictly necessary for phishing detection. Subject lines may contain personal or sensitive content. Consider whether sender/recipient patterns and timestamps alone would suffice.

**4. Data Protection Impact Assessment (Article 35)**

This processing likely triggers a DPIA requirement because it involves:

- Systematic monitoring of employees (Art. 35(3)(c))
- Innovative use of technology (AI/ML)
- Large-scale processing of employee data

**5. Transparency (Articles 13-14)**

Inform employees about this specific processing in your privacy notice. Include the purpose, legal basis, retention period for training data, and their rights.

**6. Employee Representation**

In the Netherlands, the Works Council (ondernemingsraad) has a right of consent for employee monitoring systems under Article 27(1)(l) of the Works Council Act (Wet op de ondernemingsraden). In Germany, similar requirements exist under the Betriebsverfassungsgesetz.

**Recommendation:** Conduct a DPIA first, use legitimate interest as the legal basis with a documented LIA, minimize the data used for training (consider excluding subject lines), and ensure your employee privacy notice covers this processing.

Moonlit tools Claude uses

search_documents

Searches GDPR provisions, DPA guidance, EDPB opinions, and CJEU case law across Moonlit's EU and national databases.

get_document

Retrieves full text of GDPR articles, regulatory guidance documents, and court decisions for detailed analysis.

list_jurisdictions

Lists available jurisdictions to check coverage for national implementations of GDPR (e.g., Dutch UAVG, German BDSG).

Example Output

{
  "sources_consulted": {
    "legislation": [
      "GDPR Articles 5, 6, 13, 14, 35",
      "Dutch UAVG Articles 22, 29",
      "Wet op de ondernemingsraden Article 27"
    ],
    "case_law": [
      "ECLI:EU:C:2023:537 (Meta Platforms)",
      "ECLI:NL:RVS:2023:4178",
      "ECLI:EU:C:2019:801 (Planet49)"
    ],
    "guidance": [
      "EDPB Guidelines on Consent (WP259)",
      "EDPB Guidelines on DPIA (WP248)"
    ]
  },
  "risk_level": "medium-high",
  "key_actions": ["Conduct DPIA", "Document LIA", "Update privacy notice", "Consult Works Council"]
}
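Before a result like the one above is filed or acted on, it is worth checking that it is well-formed and that every case-law citation is at least a syntactically valid ECLI identifier. The following is an added Python example, not code from Moonlit or from this page; it assumes the field names shown in the example output, and the accepted `risk_level` vocabulary is a constructed assumption.

```python
"""Sanity-check a GDPR compliance-check result before anyone acts on it."""
import json
import re

# ECLI identifier: ECLI:<country>:<court>:<year>:<ordinal>, optionally followed
# by a label in parentheses, e.g. "ECLI:EU:C:2023:537 (Meta Platforms)".
ECLI_RE = re.compile(
    r"^ECLI:[A-Z]{2}:[A-Z0-9]{1,7}:\d{4}:[A-Z0-9.]{1,25}(?: \(.+\))?$"
)
# Assumed vocabulary; the page only shows "medium-high".
ALLOWED_RISK = {"low", "medium", "medium-high", "high"}
REQUIRED_SOURCE_KEYS = ("legislation", "case_law", "guidance")

# Constructed sample mirroring the example output shown on the page.
SAMPLE = json.dumps({
    "sources_consulted": {
        "legislation": ["GDPR Articles 5, 6, 13, 14, 35"],
        "case_law": ["ECLI:EU:C:2023:537 (Meta Platforms)",
                     "ECLI:NL:RVS:2023:4178"],
        "guidance": ["EDPB Guidelines on DPIA (WP248)"],
    },
    "risk_level": "medium-high",
    "key_actions": ["Conduct DPIA", "Document LIA"],
})


def validate_result(raw: str) -> list[str]:
    """Return a list of problems found; an empty list means the result passed."""
    problems: list[str] = []
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    sources = data.get("sources_consulted") or {}
    # Every source category must be present and non-empty: an assessment with
    # no cited authority is not source-grounded.
    for key in REQUIRED_SOURCE_KEYS:
        if not sources.get(key):
            problems.append(f"no {key} sources cited")
    for ecli in sources.get("case_law", []):
        if not ECLI_RE.match(ecli):
            problems.append(f"malformed ECLI citation: {ecli!r}")
    risk = data.get("risk_level")
    if risk not in ALLOWED_RISK:
        problems.append(f"unexpected risk_level: {risk!r}")
    actions = data.get("key_actions") or []
    if not actions:
        problems.append("no key_actions listed")
    # Assumed house rule: elevated risk must carry a DPIA action.
    if risk in {"medium-high", "high"} and "Conduct DPIA" not in actions:
        problems.append("elevated risk without a 'Conduct DPIA' action")
    return problems
```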
