{"id":"c84fee21-007b-4946-87c2-387f8d2cd39f","shortId":"xjZhL2","kind":"skill","title":"Gdpr Compliant","tagline":"Awesome Copilot skill by Github","description":"# GDPR Engineering Skill\n\nActionable GDPR reference for engineers, architects, DevOps, and tech leads.\nInspired by CNIL developer guidance and GDPR Articles 5, 25, 32, 33, 35.\n\n> **Golden Rule:** Collect less. Store less. Expose less. Retain less.\n\nFor deep dives, read the reference files in `references/`:\n- `references/data-rights.md` — user rights endpoints, DSR workflow, RoPA\n- `references/security.md` — encryption, hashing, secrets, anonymization\n- `references/operations.md` — cloud, CI/CD, incident response, architecture patterns\n\n---\n\n## 1. Core GDPR Principles (Article 5)\n\n| Principle | Engineering obligation |\n|---|---|\n| Lawfulness, fairness, transparency | Document legal basis for every processing activity in the RoPA |\n| Purpose limitation | Data collected for purpose A **MUST NOT** be reused for purpose B without a new legal basis |\n| Data minimization | Collect only fields with a documented business need today |\n| Accuracy | Provide update endpoints; propagate corrections to downstream stores |\n| Storage limitation | Define TTL at schema design time — never after |\n| Integrity & confidentiality | Encrypt at rest and in transit; restrict and audit access |\n| Accountability | Maintain evidence of compliance; RoPA ready for DPA inspection at any time |\n\n---\n\n## 2. Privacy by Design & by Default\n\n**MUST**\n- Add `CreatedAt`, `RetentionExpiresAt` to every table holding personal data at creation time.\n- Default all optional data collection to **off**. Users opt in; they never opt out of a default-on setting.\n- Conduct a **DPIA** before building high-risk processing (biometrics, health data, large-scale profiling, systematic monitoring).\n- Update the **RoPA** with every new feature that introduces a processing activity.\n- Sign a **DPA** with every sub-processor before data flows to them.\n\n**MUST NOT**\n- Ship a new data collection feature without a documented legal basis.\n- Enable analytics, tracking, or telemetry by default without explicit consent.\n- Store personal data in a system not listed in the RoPA.\n\n---\n\n## 3. Data Minimization\n\n**MUST**\n- Map every DTO/model field to a concrete business need. Remove undocumented fields.\n- Use **separate DTOs** for create, read, and update — never reuse the same object.\n- Return only what the caller is authorized to see — use response projections.\n- Mask sensitive values at the edge: return `****1234` for card numbers, never the full value.\n- Exclude sensitive fields (DOB, national ID, health) from default list/search projections.\n\n**MUST NOT**\n- Log full request/response bodies if they may contain personal data.\n- Include personal data in URL path segments or query parameters (CDN logs, browser history).\n- Collect `dateOfBirth`, national ID, or health data without an explicit legal basis.\n\n---\n\n## 4. Purpose Limitation\n\n**MUST**\n- Document the purpose of every processing activity in code comments and in the RoPA.\n- Obtain a new legal basis or perform a compatibility analysis before reusing data for a secondary purpose.\n\n**MUST NOT**\n- Share personal data collected for service delivery with advertising networks without explicit consent.\n- Use support ticket content to train ML models without a separate legal basis and user notice.\n\n---\n\n## 5. Storage Limitation & Retention\n\n**MUST**\n- Every table holding personal data **MUST** have a defined retention period.\n- Enforce retention automatically via a scheduled job (Hangfire, cron) — never a manual process.\n- Anonymize or delete data when retention expires — never leave expired data silently in production.\n\n**Recommended defaults**\n\n| Data type | Max retention |\n|---|---|\n| Auth / audit logs | 12–24 months |\n| Session / refresh tokens | 30–90 days |\n| Email / notification logs | 6 months |\n| Inactive user accounts | 12 months after last login → notify → delete |\n| Payment records | As required by tax law (7–10 years), minimized |\n| Analytics events | 13 months |\n\n**SHOULD**\n- Add `RetentionExpiresAt` column — compute at insert time.\n- Use soft-delete (`DeletedAt`) with a scheduled hard-delete after the erasure request window (30 days).\n\n**MUST NOT**\n- Retain personal data indefinitely \"in case it becomes useful later.\"\n\n---\n\n## 6. API Design Rules\n\n**MUST**\n- MUST NOT include personal data in URL paths or query parameters.\n  - `GET /users/{userId}`\n- Authenticate all endpoints that return or accept personal data.\n- Extract the acting user's identity from the JWT — never from the request body.\n- Validate ownership on every resource: `if (resource.OwnerId != currentUserId) return 403`.\n- Use UUIDs or opaque identifiers — never sequential integers as public resource IDs.\n\n**SHOULD**\n- Rate-limit sensitive endpoints (login, data export, password reset).\n- Set `Referrer-Policy: no-referrer` and an explicit `CORS` allowlist.\n\n**MUST NOT**\n- Return stack traces, internal paths, or database errors in API responses.\n- Use `Access-Control-Allow-Origin: *` on authenticated APIs.\n\n---\n\n## 7. Logging Rules\n\n**MUST**\n- Anonymize IPs in application logs — mask last octet (IPv4) or last 80 bits (IPv6).\n  - `192.168.1.xxx`\n- MUST NOT log: passwords, tokens, session IDs, credentials, card numbers, national IDs, health data.\n- MUST NOT log full request/response bodies where PII may be present.\n- Enforce log retention — purge automatically after the defined period.\n\n**SHOULD**\n- Log **events** not data: `\"User {UserId} updated email\"` not `\"Email changed from a@b.com to c@d.com\"`.\n- Use structured logging (JSON) with `userId` as an internal identifier, not the email address.\n- Separate audit logs (sensitive access, admin actions) from application logs — different retention and ACLs.\n\n---\n\n## 8. Error Handling\n\n**MUST**\n- Return generic error messages — never expose stack traces, internal paths, or DB errors.\n  - `\"Column 'email' violates unique constraint on table 'users'\"`\n  - `\"A user with this email address already exists.\"`\n- Use **Problem Details (RFC 7807)** for all error responses.\n- Log the full error server-side with a correlation ID; return only the correlation ID to the client.\n\n**MUST NOT**\n- Include file paths, class names, or line numbers in error responses.\n- Include personal data in error messages (e.g., \"User john@example.com not found\").\n\n---\n\n## 9. Encryption (summary — see `references/security.md` for full detail)\n\n| Scope | Minimum standard |\n|---|---|\n| Standard personal data | AES-256 disk/volume encryption |\n| Sensitive data (health, financial, biometric) | AES-256 **column-level** + envelope encryption via KMS |\n| In transit | TLS 1.2+ (prefer 1.3); HSTS enforced |\n| Keys | HSM-backed KMS; rotate DEKs annually |\n\n**MUST NOT** allow TLS 1.0/1.1, null cipher suites, or hardcoded encryption keys.\n\n---\n\n## 10. Password Hashing\n\n**MUST**\n- Use **Argon2id** (recommended) or **bcrypt** (cost ≥ 12). Never MD5, SHA-1, or SHA-256.\n- Use a unique salt per password. Store only the hash.\n\n**MUST NOT**\n- Log passwords in any form. Transmit passwords in URLs. Store reset tokens in plaintext.\n\n---\n\n## 11. Secrets Management\n\n**MUST**\n- Store all secrets in a KMS: Azure Key Vault, AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault.\n- Use pre-commit hooks (`gitleaks`, `detect-secrets`) to prevent secret commits.\n- Rotate secrets on developer offboarding, annual schedule, or suspected compromise.\n\n**`.gitignore` MUST include:** `.env`, `.env.*`, `*.pem`, `*.key`, `*.pfx`, `*.p12`, `secrets/`\n\n**MUST NOT**\n- Commit secrets to source code. Store secrets as plain-text environment variable defaults.\n\n---\n\n## 12. Anonymization & Pseudonymization (summary — see `references/security.md`)\n\n- **Anonymization** = irreversible → falls outside GDPR scope. Use for retained records after erasure.\n- **Pseudonymization** = reversible with a key → still personal data, reduced risk.\n- When erasing a user, anonymize records that must be retained (financial, audit) rather than deleting them.\n- Store the pseudonymization key in the KMS — never in the same database as the pseudonymized data.\n\n**MUST NOT** call data \"anonymized\" if re-identification is possible through linkage attacks.\n\n---\n\n## 13. Testing with Fake Data\n\n**MUST**\n- MUST NOT use production personal data in dev, staging, or CI environments.\n- MUST NOT restore production DB backups to non-production without scrubbing PII first.\n- Use synthetic data generators: `Bogus` (.NET), `Faker` (JS/Python/Ruby).\n- Use `@example.com` for all test email addresses.\n\n---\n\n## 14. Anti-Patterns\n\n| Anti-pattern | Correct approach |\n|---|---|\n| PII in URLs | Opaque UUIDs as public identifiers |\n| Logging full request bodies | Log structured event metadata only |\n| \"Keep forever\" schema | TTL defined at design time |\n| Production data in dev/test | Synthetic data + scrubbing pipeline |\n| Shared credentials across teams | Individual accounts + RBAC |\n| Hardcoded secrets | KMS + secret manager |\n| `Access-Control-Allow-Origin: *` on auth APIs | Explicit CORS allowlist |\n| Storing consent with profile data | Dedicated consent store |\n| PII in GET query params | POST body or authenticated session |\n| Sequential integer IDs in public URLs | UUIDs |\n| \"Anonymized\" data with quasi-identifiers | Apply k-anonymity, test linkage resistance |\n| Mixing backup regions outside EEA | Explicit region lockdown on backup jobs |\n\n---\n\n## 15. PR Review Checklist\n\n### Data model\n- Every new PII column has a documented purpose and retention period.\n- Sensitive fields (health, financial, national ID) use column-level encryption.\n- No sequential integer PKs as public-facing identifiers.\n\n### API\n- No PII in URL paths or query parameters.\n- All endpoints returning personal data are authenticated.\n- Ownership checks present — user cannot access another user's resource.\n- Rate limiting applied to sensitive endpoints.\n\n### Logging\n- No passwords, tokens, or credentials logged.\n- IPs anonymized (last octet masked).\n- No full request/response bodies logged where PII may be present.\n\n### Infrastructure\n- No public storage buckets or public-IP databases.\n- New cloud resources tagged with `DataClassification`.\n- Encryption at rest enabled for new storage resources.\n- New geographic regions for data storage are EEA-compliant or covered by SCCs.\n\n### Secrets & CI/CD\n- No secrets in source code or committed config files.\n- New secrets added to KMS and secrets inventory document.\n- CI/CD secrets masked in pipeline logs.\n\n### Retention & erasure\n- Retention enforcement job or policy covers new data store or field.\n- Erasure pipeline updated to cover new data store.\n\n### User rights & governance\n- Data export endpoint includes any new personal data field.\n- RoPA updated if a new processing activity is introduced.\n- New sub-processors have a signed DPA and a RoPA entry.\n- DPIA triggered if the change involves high-risk processing.\n\n---\n\n> **Golden Rule:** Collect less. Store less. Expose less. Retain less.\n>\n> Every byte of personal data you do not collect is a byte you cannot lose,\n> cannot breach, and cannot be held liable for.\n\n---\n\n*Inspired by CNIL developer GDPR guidance, GDPR Articles 5, 25, 32, 33, 35,\nENISA, OWASP, and NIST engineering best practices.*","tags":["gdpr","compliant","awesome","copilot","github"],"capabilities":["skill","source-github","category-awesome-copilot"],"categories":["awesome-copilot"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/github/awesome-copilot/gdpr-compliant","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"install_from":"skills.sh"}},"qualityScore":"0.300","qualityRationale":"deterministic score 0.30 from registry signals: · indexed on skills.sh · published under github/awesome-copilot","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T03:40:34.798Z","embedding":null,"createdAt":"2026-04-18T20:34:43.082Z","updatedAt":"2026-04-22T03:40:34.798Z","lastSeenAt":"2026-04-22T03:40:34.798Z","tsv":"'-1':950 '-256':890,899,953 '/1.1':928 '/users':601 '1':72 '1.0':927 '1.2':910 '1.3':912 '10':539,936 '11':980 '12':507,524,946,1051 '1234':332 '13':544,1125 '14':1172 '15':1286 '192.168.1.xxx':711 '2':168 '24':508 '25':30,1547 '3':284 '30':513,570 '32':31,1548 '33':32,1549 '35':33,1550 '4':389 '403':635 '5':29,77,455,1546 '6':519,584 '7':538,693 '7807':827 '8':790 '80':708 '9':875 '90':514 'a@b.com':759 'accept':609 'access':154,686,780,1227,1344 'access-control-allow-origin':685,1226 'account':155,523,1219 'accuraci':124 'acl':789 'across':1216 'act':614 'action':11,782 'activ':90,236,399,1480 'ad':1428 'add':175,547 'address':775,820,1171 'admin':781 'advertis':434 'ae':889,898 'allow':688,925,1229 'allowlist':670,1236 'alreadi':821 'analysi':416 'analyt':264,542 'annual':922,1020 'anonym':64,484,697,1052,1057,1083,1115,1262,1271,1363 'anoth':1345 'anti':1174,1177 'anti-pattern':1173,1176 'api':585,682,692,1233,1323 'appli':1268,1351 'applic':700,784 'approach':1180 'architect':16 'architectur':70 'argon2id':941 'articl':28,76,1545 'attack':1124 'audit':153,505,777,1090 'auth':504,1232 'authent':603,691,1253,1338 'author':319 'automat':473,741 'aw':993 'awesom':3 'azur':990 'b':107 'back':918 'backup':1148,1276,1284 'basi':86,112,262,388,411,451 'bcrypt':944 'becom':581 'best':1556 'biometr':216,897 'bit':709 'bodi':356,625,731,1192,1251,1370 'bogus':1161 'breach':1531 'browser':375 'bucket':1381 'build':211 'busi':121,295 'byte':1516,1526 'c@d.com':761 'call':1113 'caller':317 'cannot':1343,1528,1530,1533 'card':334,720 'case':579 'category-awesome-copilot' 'cdn':373 'chang':757,1499 'check':1340 'checklist':1289 'ci':1141 'ci/cd':67,1416,1435 'cipher':930 'class':856 'client':850 'cloud':66,1388 'cnil':23,1540 'code':401,1041,1421 'collect':36,97,115,191,256,377,429,1507,1523 'column':549,807,901,1295,1311 'column-level':900,1310 'comment':402 'commit':1005,1014,1037,1423 'compat':415 'complianc':159 'compliant':2,1410 'compromis':1024 'comput':550 'concret':294 'conduct':207 'confidenti':144 'config':1424 'consent':272,438,1238,1243 'constraint':811 'contain':360 'content':442 'control':687,1228 'copilot':4 'cor':669,1235 'core':73 'correct':129,1179 'correl':841,846 'cost':945 'cover':1412,1448,1458 'creat':304 'createdat':176 'creation':185 'credenti':719,1215,1360 'cron':479 'currentuserid':633 'data':96,113,183,190,218,246,255,275,285,362,365,383,419,428,464,487,494,500,576,593,611,655,725,750,866,888,894,1076,1110,1114,1129,1136,1159,1207,1211,1241,1263,1290,1336,1405,1450,1460,1465,1472,1519 'databas':679,1106,1386 'dataclassif':1392 'dateofbirth':378 'day':515,571 'db':805,1147 'dedic':1242 'deep':45 'default':173,187,204,269,348,499,1050 'default-on':203 'defin':135,468,744,1202 'dek':921 'delet':486,530,557,564,1093 'deletedat':558 'deliveri':432 'design':139,171,586,1204 'detail':825,882 'detect':1009 'detect-secret':1008 'dev':1138 'dev/test':1209 'develop':24,1018,1541 'devop':17 'differ':786 'disk/volume':891 'dive':46 'dob':343 'document':84,120,260,393,1298,1434 'downstream':131 'dpa':163,239,1490 'dpia':209,1495 'dsr':57 'dto/model':290 'dtos':302 'e.g':870 'edg':330 'eea':1279,1409 'eea-compli':1408 'email':516,754,756,774,808,819,1170 'enabl':263,1396 'encrypt':61,145,876,892,904,934,1313,1393 'endpoint':56,127,605,653,1333,1354,1467 'enforc':471,737,914,1444 'engin':9,15,79,1555 'enisa':1551 'entri':1494 'env':1028,1029 'envelop':903 'environ':1048,1142 'eras':1080 'erasur':567,1068,1442,1454 'error':680,791,796,806,830,835,862,868 'event':543,748,1195 'everi':88,179,229,241,289,397,460,629,1292,1515 'evid':157 'example.com':1166 'exclud':340 'exist':822 'expir':490,493 'explicit':271,386,437,668,1234,1280 'export':656,1466 'expos':40,799,1511 'extract':612 'face':1321 'fair':82 'fake':1128 'faker':1163 'fall':1059 'featur':231,257 'field':117,291,299,342,1304,1453,1473 'file':50,854,1425 'financi':896,1089,1306 'first':1156 'flow':247 'forev':1199 'form':970 'found':874 'full':338,354,729,834,881,1190,1368 'gcp':996 'gdpr':1,8,12,27,74,1061,1542,1544 'generat':1160 'generic':795 'geograph':1402 'get':600,1247 'github':7 'gitignor':1025 'gitleak':1007 'golden':34,1505 'govern':1464 'guidanc':25,1543 'handl':792 'hangfir':478 'hard':563 'hard-delet':562 'hardcod':933,1221 'hash':62,938,963 'hashicorp':1000 'health':217,346,382,724,895,1305 'held':1535 'high':213,1502 'high-risk':212,1501 'histori':376 'hold':181,462 'hook':1006 'hsm':917 'hsm-back':916 'hsts':913 'id':345,380,647,718,723,842,847,1257,1308 'ident':617 'identif':1119 'identifi':640,771,1188,1267,1322 'inact':521 'incid':68 'includ':363,591,853,864,1027,1468 'indefinit':577 'individu':1218 'infrastructur':1377 'insert':552 'inspect':164 'inspir':21,1538 'integ':643,1256,1316 'integr':143 'intern':676,770,802 'introduc':233,1482 'inventori':1433 'involv':1500 'ip':698,1362,1385 'ipv4':705 'ipv6':710 'irrevers':1058 'job':477,1285,1445 'john@example.com':872 'js/python/ruby':1164 'json':765 'jwt':620 'k':1270 'k-anonym':1269 'keep':1198 'key':915,935,991,1031,1073,1098 'kms':906,919,989,1101,1223,1430 'larg':220 'large-scal':219 'last':527,703,707,1364 'later':583 'law':81,537 'lead':20 'leav':492 'legal':85,111,261,387,410,450 'less':37,39,41,43,1508,1510,1512,1514 'level':902,1312 'liabl':1536 'limit':95,134,391,457,651,1350 'line':859 'linkag':1123,1273 'list':280 'list/search':349 'lockdown':1282 'log':353,374,506,518,694,701,714,728,738,747,764,778,785,832,966,1189,1193,1355,1361,1371,1440 'login':528,654 'lose':1529 'maintain':156 'manag':982,995,998,1225 'manual':482 'map':288 'mask':325,702,1366,1437 'max':502 'may':359,734,1374 'md5':948 'messag':797,869 'metadata':1196 'minim':114,286,541 'minimum':884 'mix':1275 'ml':445 'model':446,1291 'monitor':224 'month':509,520,525,545 'must':101,174,250,287,351,392,424,459,465,572,588,589,671,696,712,726,793,851,923,939,964,983,1026,1035,1086,1111,1130,1131,1143 'name':857 'nation':344,379,722,1307 'need':122,296 'net':1162 'network':435 'never':141,198,308,336,480,491,621,641,798,947,1102 'new':110,230,254,409,1293,1387,1398,1401,1426,1449,1459,1470,1478,1483 'nist':1554 'no-referr':663 'non':1151 'non-product':1150 'notic':454 'notif':517 'notifi':529 'null':929 'number':335,721,860 'object':312 'oblig':80 'obtain':407 'octet':704,1365 'offboard':1019 'opaqu':639,1184 'opt':195,199 'option':189 'origin':689,1230 'outsid':1060,1278 'owasp':1552 'ownership':627,1339 'p12':1033 'param':1249 'paramet':372,599,1331 'password':657,715,937,959,967,972,1357 'path':368,596,677,803,855,1328 'pattern':71,1175,1178 'payment':531 'pem':1030 'per':958 'perform':413 'period':470,745,1302 'person':182,274,361,364,427,463,575,592,610,865,887,1075,1135,1335,1471,1518 'pfx':1032 'pii':733,1155,1181,1245,1294,1325,1373 'pipelin':1213,1439,1455 'pks':1317 'plain':1046 'plain-text':1045 'plaintext':979 'polici':662,1447 'possibl':1121 'post':1250 'pr':1287 'practic':1557 'pre':1004 'pre-commit':1003 'prefer':911 'present':736,1341,1376 'prevent':1012 'principl':75,78 'privaci':169 'problem':824 'process':89,215,235,398,483,1479,1504 'processor':244,1486 'product':497,1134,1146,1152,1206 'profil':222,1240 'project':324,350 'propag':128 'provid':125 'pseudonym':1053,1069,1097,1109 'public':645,1187,1259,1320,1379,1384 'public-fac':1319 'public-ip':1383 'purg':740 'purpos':94,99,106,390,395,423,1299 'quasi':1266 'quasi-identifi':1265 'queri':371,598,1248,1330 'rate':650,1349 'rate-limit':649 'rather':1091 'rbac':1220 're':1118 're-identif':1117 'read':47,305 'readi':161 'recommend':498,942 'record':532,1066,1084 'reduc':1077 'refer':13,49,52 'references/data-rights.md':53 'references/operations.md':65 'references/security.md':60,879,1056 'referr':661,665 'referrer-polici':660 'refresh':511 'region':1277,1281,1403 'remov':297 'request':568,624,1191 'request/response':355,730,1369 'requir':534 'reset':658,976 'resist':1274 'resourc':630,646,1348,1389,1400 'resource.ownerid':632 'respons':69,323,683,831,863 'rest':147,1395 'restor':1145 'restrict':151 'retain':42,574,1065,1088,1513 'retent':458,469,472,489,503,739,787,1301,1441,1443 'retentionexpiresat':177,548 'return':313,331,607,634,673,794,843,1334 'reus':104,309,418 'revers':1070 'review':1288 'rfc':826 'right':55,1463 'risk':214,1078,1503 'ropa':59,93,160,227,283,406,1474,1493 'rotat':920,1015 'rule':35,587,695,1506 'salt':957 'scale':221 'sccs':1414 'schedul':476,561,1021 'schema':138,1200 'scope':883,1062 'scrub':1154,1212 'secondari':422 'secret':63,981,986,994,997,1010,1013,1016,1034,1038,1043,1222,1224,1415,1418,1427,1432,1436 'see':321,878,1055 'segment':369 'sensit':326,341,652,779,893,1303,1353 'separ':301,449,776 'sequenti':642,1255,1315 'server':837 'server-sid':836 'servic':431 'session':510,717,1254 'set':206,659 'sha':949,952 'share':426,1214 'ship':252 'side':838 'sign':237,1489 'silent':495 'skill':5,10 'soft':556 'soft-delet':555 'sourc':1040,1420 'source-github' 'stack':674,800 'stage':1139 'standard':885,886 'still':1074 'storag':133,456,1380,1399,1406 'store':38,132,273,960,975,984,1042,1095,1237,1244,1451,1461,1509 'structur':763,1194 'sub':243,1485 'sub-processor':242,1484 'suit':931 'summari':877,1054 'support':440 'suspect':1023 'synthet':1158,1210 'system':278 'systemat':223 'tabl':180,461,813 'tag':1390 'tax':536 'team':1217 'tech':19 'telemetri':267 'test':1126,1169,1272 'text':1047 'ticket':441 'time':140,167,186,553,1205 'tls':909,926 'today':123 'token':512,716,977,1358 'trace':675,801 'track':265 'train':444 'transit':150,908 'transmit':971 'transpar':83 'trigger':1496 'ttl':136,1201 'type':501 'undocu':298 'uniqu':810,956 'updat':126,225,307,753,1456,1475 'url':367,595,974,1183,1260,1327 'use':300,322,439,554,582,636,684,762,823,940,954,1002,1063,1133,1157,1165,1309 'user':54,194,453,522,615,751,814,816,871,1082,1342,1346,1462 'userid':602,752,767 'uuid':637,1185,1261 'valid':626 'valu':327,339 'variabl':1049 'vault':992,1001 'via':474,905 'violat':809 'window':569 'without':108,258,270,384,436,447,1153 'workflow':58 'year':540","prices":[{"id":"ca573fc0-910c-4b9b-8949-2bbbca7c6459","listingId":"c84fee21-007b-4946-87c2-387f8d2cd39f","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"github","category":"awesome-copilot","install_from":"skills.sh"},"createdAt":"2026-04-18T20:34:43.082Z"}],"sources":[{"listingId":"c84fee21-007b-4946-87c2-387f8d2cd39f","source":"github","sourceId":"github/awesome-copilot/gdpr-compliant","sourceUrl":"https://github.com/github/awesome-copilot/tree/main/skills/gdpr-compliant","isPrimary":false,"firstSeenAt":"2026-04-18T21:49:30.220Z","lastSeenAt":"2026-04-22T00:52:09.683Z"},{"listingId":"c84fee21-007b-4946-87c2-387f8d2cd39f","source":"skills_sh","sourceId":"github/awesome-copilot/gdpr-compliant","sourceUrl":"https://skills.sh/github/awesome-copilot/gdpr-compliant","isPrimary":true,"firstSeenAt":"2026-04-18T20:34:43.082Z","lastSeenAt":"2026-04-22T03:40:34.798Z"}],"details":{"listingId":"c84fee21-007b-4946-87c2-387f8d2cd39f","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"github","slug":"gdpr-compliant","source":"skills_sh","category":"awesome-copilot","skills_sh_url":"https://skills.sh/github/awesome-copilot/gdpr-compliant"},"updatedAt":"2026-04-22T03:40:34.798Z"}}