Metadata-Version: 2.4
Name: gdpr-compliance-ai-mcp
Version: 1.0.8
Summary: MCP server for gdpr compliance ai. Features classify processing, lawful basis assessment, dpia generator. From MEOK AI Labs.
Project-URL: Homepage, https://meok.ai
Project-URL: Repository, https://github.com/CSOAI-ORG/gdpr-compliance-ai-mcp
Author-email: MEOK AI Labs <nicholas@meok.ai>
License: MIT License
        
        Copyright (c) 2026 MEOK AI Labs
        
        Permission is hereby granted, free of charge, to any person obtaining a copy
        of this software and associated documentation files (the "Software"), to deal
        in the Software without restriction, including without limitation the rights
        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
        copies of the Software, and to permit persons to whom the Software is
        furnished to do so, subject to the following conditions:
        
        The above copyright notice and this permission notice shall be included in all
        copies or substantial portions of the Software.
        
        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
        SOFTWARE.
License-File: LICENSE
Keywords: ai-governance,compliance,mcp,meok
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Topic :: Software Development :: Libraries
Requires-Python: >=3.10
Requires-Dist: mcp>=1.0.0
Description-Content-Type: text/markdown

mcp-name: io.github.CSOAI-ORG/gdpr-compliance-ai-mcp

# GDPR Compliance AI MCP

> Full GDPR compliance assessment for AI/ML systems — data processing classification, lawful basis determination, DPIA generation, data subject rights handling, breach notification, and EU AI Act crosswalks.

[![PyPI](https://img.shields.io/pypi/v/meok-gdpr-compliance-ai-mcp)](https://pypi.org/project/meok-gdpr-compliance-ai-mcp/)
[![npm](https://img.shields.io/npm/v/meok-gdpr-compliance-ai-mcp)](https://www.npmjs.com/package/meok-gdpr-compliance-ai-mcp)
[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
[![smithery](https://img.shields.io/badge/Smithery-MCP-orange)](https://smithery.ai)

## What This Does

The General Data Protection Regulation (EU 2016/679) governs how organizations process personal data of EU residents — with fines up to **€20M or 4% of global annual turnover**. For AI systems, GDPR is especially demanding: Article 22 restricts purely automated decisions, Article 35 mandates DPIAs for high-risk processing, and the right to erasure (Art. 17) raises hard questions about machine unlearning.

This MCP server gives your AI assistant the ability to classify processing activities, determine lawful basis under all six Article 6 bases, generate DPIAs, guide data subject rights responses, assess breach notification obligations (the 72-hour rule), and map GDPR requirements to the EU AI Act.

## Quick Start

```bash
npx meok-setup --pack governance
```

## Tools

| Tool | Description | Parameters |
|------|-------------|------------|
| `classify_processing` | Determines which GDPR articles apply to a data processing activity, whether a DPIA is required, and what obligations are triggered. Classifies risk level (LOW → VERY HIGH) based on special categories, children's data, automated decision-making, and scale. | `processing_description`, `data_categories`, `data_subjects`, `processing_purposes`, `automated_decision_making`, `large_scale` |
| `lawful_basis_assessment` | Evaluates all 6 lawful bases under Article 6 (consent, contract, legal obligation, vital interests, public interest, legitimate interests) and recommends the best fit with AI-specific considerations and supporting rationale. | `processing_purpose`, `data_categories`, `controller_type`, `relationship_with_data_subject`, `ai_processing` |
| `dpia_generator` | Produces a structured Data Protection Impact Assessment per Article 35. Includes necessity assessment, risk evaluation across 7 risk factors, technical/organisational mitigation measures, and consultation requirements. | `system_name`, `system_description`, `processing_purposes`, `data_categories`, `data_subjects`, `data_volume`, `retention_period`, `third_party_sharing`, `international_transfers` |
| `rights_request_handler` | Guides responses to data subject rights requests (Articles 15–22): access, rectification, erasure, restriction, portability, objection, and automated decision-making. Provides step-by-step procedures with AI-specific implications. | `right_invoked`, `data_subject_description`, `processing_context`, `ai_system_involved`, `request_details` |
| `breach_notification` | Assesses breach severity and determines notification requirements under Articles 33–34. Calculates the 72-hour deadline, decides whether supervisory authority and data subject notification is required, and generates notification content. | `breach_description`, `data_categories_affected`, `number_of_records`, `breach_type`, `detection_timestamp`, `ai_system_involved` |
| `crosswalk_to_eu_ai_act` | Maps GDPR requirements to EU AI Act obligations. Shows where GDPR compliance satisfies, complements, or creates tension with EU AI Act requirements. Essential for dual-compliance programmes. | `gdpr_articles`, `focus_area` |

## Usage Examples

### Classify an AI system's data processing

```
Use the classify_processing tool with:
  processing_description: "ML-based credit scoring system that analyzes transaction history, employment data, and social media activity to generate credit risk scores"
  data_categories: ["financial transactions", "employment history", "social media activity", "name", "address"]
  data_subjects: ["loan applicants", "customers"]
  processing_purposes: ["credit risk assessment", "automated lending decisions"]
  automated_decision_making: true
  large_scale: true
```

**Expected output:** Risk level HIGH/VERY HIGH, DPIA required (Art. 35 triggered by automated decision-making + large scale), Art. 22 obligations apply, Art. 9 may apply if social media reveals political opinions or religious beliefs.

### Determine lawful basis for AI training

```
Use the lawful_basis_assessment tool with:
  processing_purpose: "Training a fraud detection ML model on historical transaction data"
  data_categories: ["transaction amounts", "merchant IDs", "timestamps", "IP addresses"]
  controller_type: "private"
  relationship_with_data_subject: "customer"
  ai_processing: true
```

**Expected output:** Legitimate interests (Art. 6(1)(f)) recommended with score ~60. Consent scored lower due to AI training complexity. Requires Legitimate Interest Assessment (LIA) with enhanced scrutiny for AI profiling.

### Handle an erasure request for AI training data

```
Use the rights_request_handler tool with:
  right_invoked: "erasure"
  data_subject_description: "Former customer who closed account 6 months ago"
  processing_context: "Customer data used to train recommendation engine model"
  ai_system_involved: true
  request_details: "Requesting complete deletion of all personal data including from ML model training data"
```

**Expected output:** 6-step response procedure including verification, checking Art. 17(3) exceptions, machine unlearning considerations, model retraining assessment, and notification to downstream recipients.

### Assess a data breach involving an AI system

```
Use the breach_notification tool with:
  breach_description: "Unauthorized access to training data repository containing patient health records used for diagnostic AI model"
  data_categories_affected: ["health records", "diagnostic data", "patient IDs", "biometric data"]
  number_of_records: 50000
  breach_type: "confidentiality"
  detection_timestamp: "now"
  ai_system_involved: true
```

**Expected output:** Severity CRITICAL, notify supervisory authority within 72 hours (Art. 33), notify affected data subjects (Art. 34), assess model compromise risk, consider EU AI Act Art. 62 serious incident reporting.
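To make the tool table's risk factors concrete, here is an added, self-contained Python model of what `classify_processing` and the 72-hour clock in `breach_notification` evaluate. It is illustrative code written for this page, not the server's implementation; the keyword hints and the score-to-level thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed keyword hints for this illustration; the server's own category lists are not on the page.
SPECIAL_CATEGORY_HINTS = ("health", "biometric", "genetic", "political", "religious",
                          "sexual", "ethnic", "trade union")
CHILD_HINTS = ("child", "minor", "under 16", "under 18")
RISK_LADDER = ("LOW", "MEDIUM", "HIGH", "VERY HIGH")


@dataclass
class Classification:
    risk_level: str
    dpia_required: bool
    articles: list[str] = field(default_factory=list)


def classify_processing(data_categories: list[str], data_subjects: list[str],
                        automated_decision_making: bool, large_scale: bool) -> Classification:
    """Score the four risk factors named in the tool table and map them to a risk level."""
    special = [c for c in data_categories if any(h in c.lower() for h in SPECIAL_CATEGORY_HINTS)]
    children = any(h in s.lower() for s in data_subjects for h in CHILD_HINTS)
    articles = ["Art. 5", "Art. 6"]
    score = 0
    if special:                    # Art. 9 special categories weigh most
        articles.append("Art. 9")
        score += 2
    if children:                   # Art. 8 conditions for children's data
        articles.append("Art. 8")
        score += 1
    if automated_decision_making:  # Art. 22 solely automated decisions with legal or similar effect
        articles.append("Art. 22")
        score += 2
    if large_scale:
        score += 1
    # Art. 35(3): DPIA for systematic automated evaluation, or large-scale special-category processing
    dpia_required = automated_decision_making or (large_scale and bool(special))
    if dpia_required:
        articles.append("Art. 35")
    # Constructed thresholds: 0 -> LOW, 1 -> MEDIUM, 2-3 -> HIGH, 4+ -> VERY HIGH
    level_index = 0 if score == 0 else 1 if score == 1 else 2 if score <= 3 else 3
    return Classification(RISK_LADDER[level_index], dpia_required, articles)


def notification_deadline(detected_at: datetime) -> datetime:
    """Art. 33(1): the supervisory authority is notified within 72 hours of becoming aware."""
    return detected_at + timedelta(hours=72)


if __name__ == "__main__":
    # The credit-scoring example from the README above, run through the illustrative model
    print(classify_processing(
        ["financial transactions", "employment history", "social media activity", "name", "address"],
        ["loan applicants", "customers"], automated_decision_making=True, large_scale=True))
    print(notification_deadline(datetime(2026, 1, 1, 12, 0)))
```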

## Installation

### Claude Desktop

Add to `claude_desktop_config.json`:

```json
{
  "mcpServers": {
    "gdpr-compliance-ai": {
      "command": "npx",
      "args": ["-y", "meok-gdpr-compliance-ai-mcp"]
    }
  }
}
```

Or install via Smithery:

```bash
npx smithery mcp add nicholastempleman/gdpr-compliance-ai-mcp
```

### Cursor

Add to `.cursor/mcp.json`:

```json
{
  "mcpServers": {
    "gdpr-compliance-ai": {
      "command": "npx",
      "args": ["-y", "meok-gdpr-compliance-ai-mcp"]
    }
  }
}
```

### VS Code

Add to `.vscode/mcp.json`:

```json
{
  "servers": {
    "gdpr-compliance-ai": {
      "command": "npx",
      "args": ["-y", "meok-gdpr-compliance-ai-mcp"]
    }
  }
}
```

### pip

```bash
pip install meok-gdpr-compliance-ai-mcp
```

## Related Servers

| Server | Purpose |
|--------|---------|
| [eu-ai-act-compliance](../eu-ai-act-compliance-ai-mcp/) | EU AI Act risk classification and Annex IV documentation |
| [iso-27001-ai](../iso-27001-ai-mcp/) | Information security management (93 Annex A controls) |
| [iso-42001-ai](../iso-42001-ai-mcp/) | AI management system — Annex A controls and Annex B risk |
| [nis2-compliance](../nis2-compliance-ai-mcp/) | NIS2 entity classification and Article 21 measures |
| [csoai-governance-crosswalk](../csoai-governance-crosswalk-ai-mcp/) | 12 compliance frameworks mapped through 52 articles |

## Pricing

- **Free tier:** 10 calls/day per tool
- **Pro:** £79/mo — unlimited calls + cryptographically signed compliance attestations

## License

MIT © [MEOK AI Labs](https://meok.ai)

<!-- BUY-LADDER:START -->

## 💸 Try MEOK in 30 seconds — instant buy ladder

| Tier | Price | What you get | Stripe |
|---|---|---|---|
| Smoke test | **£1** | Signed sample MCP-Hardening report + Article 50 PDF | <https://buy.stripe.com/dRmcN75ScdQS7oh1Uc8k90U> |
| Quick Kit | **£9** | EU AI Act Article 50 implementation guide (C2PA + EU-Icon) | <https://buy.stripe.com/cNi00la8s1460ZT0Q88k90V> |
| Founder Call | **£29** | 30-min 1-on-1 with the founder | <https://buy.stripe.com/8x228ta8s6oqbExaqI8k90W> |

> Refundable. UK Stripe — VAT-clean. Builds on the 81-MCP MEOK fleet.
> Verify any signed report at <https://meok.ai/verify>.

<!-- BUY-LADDER:END -->