Build DSGVO eDiscovery Lawfulness Assessment (Art. 6 / Art. 49 — Structured)

Q: What does the Build DSGVO eDiscovery Lawfulness Assessment (Art. 6 / Art. 49 — Structured) skill do?

Wandeln Sie ein US-/UK-Discovery-Ersuchen samt deutschem Datenbestand in eine strukturierte DSGVO-Rechtmäßigkeitsbewertung (JSON/PDF) um — Rechtsgrundlage nach Art. 6 mit Abwägung, Übermittlungsmechanismus nach Kapitel V einschließlich der Ausnahmen nach Art. 49 (insb. 49(1)(e) Rechtsansprüche), Datenminimierung, Custodian-Umfang, Betroffenenrechte und Löschkonzept (BDSG 2018). Mittlere Zuverlässigkeit; ersetzt keine Rechtsberatung

Q: How do I run the Build DSGVO eDiscovery Lawfulness Assessment (Art. 6 / Art. 49 — Structured) skill?

Copy the skill and paste it into your own Claude or ChatGPT, then provide your source data. FinchContext skills run inside your own AI assistant, so your financial data never leaves your control.

Q: Which region does the Build DSGVO eDiscovery Lawfulness Assessment (Art. 6 / Art. 49 — Structured) skill cover?

Germany. It targets the local tax authority / e-invoicing format described on this page.

Skill: Convert a foreign discovery request into a DSGVO lawfulness assessment

Region: Germany (Deutschland) Category: Legal / eDiscovery Does: Takes a US/UK discovery (or regulatory production) request plus a German data inventory and assembles a structured DSGVO lawfulness assessment (JSON/PDF) that documents the Art. 6 legal basis, Art. 49 transfer derogations, data-minimisation scope and custodian list — supporting defensible cross-border production. Medium confidence: this is a structuring aid, not legal advice. Spec: DSGVO (GDPR) Art. 6, Art. 44–49 · BDSG 2018 (current consolidated version)

When a German entity must produce personal data for foreign litigation/discovery, the DSGVO requires a lawful processing basis (Art. 6) and a lawful international-transfer mechanism (Chapter V, including the Art. 49 derogations). This skill captures that analysis in a structured record — purpose, basis, transfer route, minimisation, retention, and custodian/data-subject scope. Produced per request/matter. Field names follow the assessment template, not a statutory schema.

When this applies

A US/UK court order, FRCP Rule 34 request, or regulator demands production of documents that contain personal data held in Germany/EU.
You must reconcile the discovery obligation with the DSGVO before exporting data, and document the balancing/derogation rationale (a blocking-statute and proportionality analysis).
Use to scope custodians and data categories, apply minimisation/redaction, and record the chosen transfer mechanism; escalate genuinely contested questions to counsel.

Structure (FORM → JSON/PDF)

matter            case ref, requesting forum, jurisdiction, scope of request
controller        German entity, role (controller/processor), DPO contact
legalBasis (Art. 6)
   basis          e.g. 6(1)(f) legitimate interests / 6(1)(c) legal obligation
   balancingTest  interests vs. data-subject rights, necessity
transferMechanism (Chapter V)
   route          adequacy / SCC (Art. 46) / Art. 49 derogation
   art49Basis     49(1)(e) legal claims, 49(1)(c) contract, explicit consent, etc.
dataScope         categories, special categories (Art. 9), custodians, date range
minimisation      redaction, pseudonymisation, filtering, volume reduction
dataSubjects      notice/rights handling, retention & deletion plan
risks             blocking statutes, conflicting obligations, residual risk

Data rules

State a specific Art. 6 basis (not just "legitimate interests" by default) and record the balancing test; for special-category data (Art. 9) identify an additional Art. 9 condition.
For the transfer, prefer an adequacy/SCC route; rely on Art. 49 derogations (esp. 49(1)(e) establishment/exercise/defence of legal claims) only where appropriate and document why they apply and that they are not the routine channel.
Apply data minimisation: scope custodians and date ranges tightly, redact/pseudonymise irrelevant personal data before production, and record volumes.
Document data-subject information/rights handling and a retention/deletion plan once the matter ends; note any German Sperrwirkung / blocking-statute or professional-secrecy constraints.
Mark confidence: this is medium confidence structuring; final sign-off is a legal decision — flag unresolved conflicts to counsel/DPO.

Worked example (outline)

Matter: SDNY 25-cv-1234, FRCP 34 production from "Beispiel GmbH" (controller)
Art. 6 basis: 6(1)(f) legitimate interest in defending litigation; balancing documented
Special category: none in scope (Art. 9 N/A after filtering)
Transfer: Art. 49(1)(e) derogation — necessary for establishment/defence of legal claims
Scope: 4 custodians, 2023-01..2024-12, email + contracts; minimised, third parties redacted
Data subjects: notice deferred per court order; deletion at matter close
Risk: potential conflict with EU blocking concerns — escalated to external counsel

The assessment is exported as JSON (case file) and a PDF memo; production proceeds only after counsel/DPO sign-off.

Validation checklist

Matter, forum, controller role, and DPO contact recorded
Specific Art. 6 basis with documented balancing test; Art. 9 condition if special-category data
Transfer mechanism chosen (adequacy/SCC vs. Art. 49 derogation) with justification
Minimisation applied: custodian/date scoping, redaction/pseudonymisation, volumes recorded
Data-subject notice/rights and retention/deletion plan documented
Blocking-statute / secrecy conflicts identified; medium-confidence caveat noted
Counsel/DPO sign-off before any cross-border production

Last updated: 2026-06-04 — confirm the current schema/version, identifiers, rounding, and deadline against current authority (DSGVO/BDSG, relevant authority and counsel) guidance before use.