
MCP server for GDPR compliance in AI systems. Features: processing classification, lawful basis assessment, DPIA generator. From MEOK AI Labs.

Project description

mcp-name: io.github.CSOAI-ORG/gdpr-compliance-ai-mcp

GDPR Compliance AI MCP

Full GDPR compliance assessment for AI/ML systems — data processing classification, lawful basis determination, DPIA generation, data subject rights handling, breach notification, and EU AI Act crosswalks.


What This Does

The General Data Protection Regulation (EU 2016/679) governs how organisations process the personal data of people in the EU, with administrative fines of up to €20M or 4% of global annual turnover, whichever is higher. For AI systems, GDPR is especially demanding: Article 22 restricts decisions based solely on automated processing that produce legal or similarly significant effects, Article 35 mandates a DPIA where processing is likely to result in a high risk to individuals, and the right to erasure (Art. 17) raises hard questions about machine unlearning.

This MCP server gives your AI assistant the ability to classify processing activities, determine lawful basis under all six Article 6 bases, generate DPIAs, guide data subject rights responses, assess breach notification obligations (the 72-hour rule), and map GDPR requirements to the EU AI Act.

Quick Start

npx meok-setup --pack governance

Tools

Tool: classify_processing
  Determines which GDPR articles apply to a data processing activity, whether a DPIA is required, and what obligations are triggered. Classifies risk level (LOW → VERY HIGH) based on special categories, children's data, automated decision-making, and scale.
  Parameters: processing_description, data_categories, data_subjects, processing_purposes, automated_decision_making, large_scale

Tool: lawful_basis_assessment
  Evaluates all 6 lawful bases under Article 6 (consent, contract, legal obligation, vital interests, public interest, legitimate interests) and recommends the best fit with AI-specific considerations and supporting rationale.
  Parameters: processing_purpose, data_categories, controller_type, relationship_with_data_subject, ai_processing

Tool: dpia_generator
  Produces a structured Data Protection Impact Assessment per Article 35. Includes necessity assessment, risk evaluation across 7 risk factors, technical/organisational mitigation measures, and consultation requirements.
  Parameters: system_name, system_description, processing_purposes, data_categories, data_subjects, data_volume, retention_period, third_party_sharing, international_transfers

Tool: rights_request_handler
  Guides responses to data subject rights requests (Articles 15–22): access, rectification, erasure, restriction, portability, objection, and automated decision-making. Provides step-by-step procedures with AI-specific implications.
  Parameters: right_invoked, data_subject_description, processing_context, ai_system_involved, request_details

Tool: breach_notification
  Assesses breach severity and determines notification requirements under Articles 33–34. Calculates the 72-hour deadline, decides whether supervisory authority and data subject notification is required, and generates notification content.
  Parameters: breach_description, data_categories_affected, number_of_records, breach_type, detection_timestamp, ai_system_involved

Tool: crosswalk_to_eu_ai_act
  Maps GDPR requirements to EU AI Act obligations. Shows where GDPR compliance satisfies, complements, or creates tension with EU AI Act requirements. Essential for dual-compliance programmes.
  Parameters: gdpr_articles, focus_area

Usage Examples

Classify an AI system's data processing

Use the classify_processing tool with:
  processing_description: "ML-based credit scoring system that analyzes transaction history, employment data, and social media activity to generate credit risk scores"
  data_categories: ["financial transactions", "employment history", "social media activity", "name", "address"]
  data_subjects: ["loan applicants", "customers"]
  processing_purposes: ["credit risk assessment", "automated lending decisions"]
  automated_decision_making: true
  large_scale: true

Expected output: Risk level HIGH/VERY HIGH, DPIA required (Art. 35 triggered by automated decision-making + large scale), Art. 22 obligations apply, Art. 9 may apply if social media reveals political opinions or religious beliefs.
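To make the expected output above checkable rather than a matter of trust, here is an added example (not the project's code, and not how the package implements classify_processing) that applies the same public rules: the Art. 35(3) mandatory DPIA triggers, the WP248 rev.01 "two or more criteria" rule of thumb, Art. 9 special categories and the "revealing" problem with social media data, and Art. 22 for automated decisions with legal effect. The parameter names mirror the tool's; the keyword lists, the legal_or_similar_effect flag and the risk thresholds are illustrative assumptions.

```python
"""Added example, not the project's code: a transparent re-implementation of the
kind of rules a classify_processing call has to apply. Keyword lists and risk
thresholds are illustrative assumptions, not the package's own."""
from dataclasses import dataclass, field
from typing import List

# Art. 9(1) special categories, keyed by substrings found in category labels.
# Constructed keyword list; a real deployment would use a curated taxonomy.
SPECIAL_CATEGORY_TERMS = {
    "health": "health data", "medical": "health data", "diagnos": "health data",
    "biometric": "biometric data", "genetic": "genetic data",
    "ethnic": "racial or ethnic origin", "racial": "racial or ethnic origin",
    "political": "political opinions", "religio": "religious or philosophical beliefs",
    "trade union": "trade union membership", "sexual": "sex life or sexual orientation",
}
# Categories that are not special themselves but can *reveal* Art. 9 data.
INFERENCE_RISK_TERMS = ("social media", "browsing", "location", "purchase")
# Data subjects WP248 rev.01 treats as vulnerable (power imbalance).
VULNERABLE_SUBJECT_TERMS = ("child", "minor", "patient", "employee", "elderly", "asylum")


@dataclass
class Classification:
    risk_level: str
    dpia_required: bool
    articles: List[str] = field(default_factory=list)
    criteria_met: List[str] = field(default_factory=list)
    notes: List[str] = field(default_factory=list)


def classify_processing(data_categories, data_subjects, automated_decision_making,
                        large_scale, legal_or_similar_effect=True):
    """Return the articles engaged, whether a DPIA is required, and a risk level."""
    cats = [c.lower() for c in data_categories]
    subjects = [s.lower() for s in data_subjects]
    special = sorted({label for key, label in SPECIAL_CATEGORY_TERMS.items()
                      if any(key in c for c in cats)})
    inferable = [t for t in INFERENCE_RISK_TERMS if any(t in c for c in cats)]
    vulnerable = [t for t in VULNERABLE_SUBJECT_TERMS if any(t in s for s in subjects)]

    # WP248 rev.01 criteria: meeting two or more usually means a DPIA is needed.
    criteria = []
    if automated_decision_making:
        criteria.append("evaluation or scoring (profiling)")
        if legal_or_similar_effect:
            criteria.append("automated decision with legal or similarly significant effect")
    if special:
        criteria.append("special categories of data (Art. 9)")
    if large_scale:
        criteria.append("large-scale processing")
    if vulnerable:
        criteria.append("vulnerable data subjects")

    # Art. 35(3)(a) and (b) are mandatory triggers regardless of the criteria count.
    mandatory_dpia = (automated_decision_making and legal_or_similar_effect) \
        or (bool(special) and large_scale)
    dpia_required = bool(mandatory_dpia) or len(criteria) >= 2

    articles = ["Art. 5", "Art. 6", "Art. 13/14"]
    notes = []
    if special:
        articles.append("Art. 9")
    elif inferable:
        notes.append("Art. 9 may apply: %s can reveal political opinions, religious "
                     "beliefs or health data even though no special category is declared"
                     % ", ".join(inferable))
    if automated_decision_making and legal_or_similar_effect:
        articles.append("Art. 22")
        notes.append("Art. 22: rely on an Art. 22(2) exception (explicit consent, contract "
                     "necessity or Union/Member State law) and provide human review")
    if dpia_required:
        articles.append("Art. 35")

    if (special and large_scale) or len(criteria) >= 4:
        risk_level = "VERY HIGH"
    elif len(criteria) == 3:
        risk_level = "HIGH"
    elif len(criteria) == 2:
        risk_level = "MEDIUM"
    else:
        risk_level = "LOW"
    return Classification(risk_level, dpia_required, articles, criteria, notes)


if __name__ == "__main__":
    # The credit-scoring example from the usage section above.
    print(classify_processing(
        ["financial transactions", "employment history", "social media activity", "name", "address"],
        ["loan applicants", "customers"],
        automated_decision_making=True, large_scale=True))
```

Run against the credit-scoring input, this yields HIGH, DPIA required, Art. 22 and Art. 35 engaged, and an Art. 9 warning about the social media feed rather than an Art. 9 finding, which is the distinction the expected output above is drawing.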

Determine lawful basis for AI training

Use the lawful_basis_assessment tool with:
  processing_purpose: "Training a fraud detection ML model on historical transaction data"
  data_categories: ["transaction amounts", "merchant IDs", "timestamps", "IP addresses"]
  controller_type: "private"
  relationship_with_data_subject: "customer"
  ai_processing: true

Expected output: Legitimate interests (Art. 6(1)(f)) recommended with score ~60. Consent scored lower due to AI training complexity. Requires Legitimate Interest Assessment (LIA) with enhanced scrutiny for AI profiling.

Handle an erasure request for AI training data

Use the rights_request_handler tool with:
  right_invoked: "erasure"
  data_subject_description: "Former customer who closed account 6 months ago"
  processing_context: "Customer data used to train recommendation engine model"
  ai_system_involved: true
  request_details: "Requesting complete deletion of all personal data including from ML model training data"

Expected output: 6-step response procedure including verification, checking Art. 17(3) exceptions, machine unlearning considerations, model retraining assessment, and notification to downstream recipients.

Assess a data breach involving an AI system

Use the breach_notification tool with:
  breach_description: "Unauthorized access to training data repository containing patient health records used for diagnostic AI model"
  data_categories_affected: ["health records", "diagnostic data", "patient IDs", "biometric data"]
  number_of_records: 50000
  breach_type: "confidentiality"
  detection_timestamp: "now"
  ai_system_involved: true

Expected output: Severity CRITICAL, notify the supervisory authority within 72 hours of becoming aware of the breach (Art. 33), notify affected data subjects (Art. 34), assess model compromise risk, consider EU AI Act serious incident reporting (Art. 73 of Regulation (EU) 2024/1689; numbered Art. 62 in the 2021 Commission proposal).
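The timing part of this tool is the one most often got wrong in practice: the 72-hour clock in Art. 33(1) runs from when the controller becomes aware, a naive local timestamp silently shifts the deadline, and Art. 34(3)(a) removes the duty to tell data subjects (but not the supervisory authority) when the exposed data were unintelligible. The following added example (not the project's code, and not how the package implements breach_notification) writes that decision out; the severity scoring, keyword list and the data_unintelligible and now parameters are illustrative assumptions.

```python
"""Added example, not the project's code: the Art. 33/34 decision a
breach_notification call has to make, with the 72-hour clock made explicit.
Severity thresholds and keyword lists are illustrative assumptions."""
from datetime import datetime, timedelta, timezone

ART33_WINDOW = timedelta(hours=72)
# Constructed keyword list for Art. 9 special categories in a breach inventory.
SPECIAL_TERMS = ("health", "medical", "diagnos", "biometric", "genetic",
                 "ethnic", "political", "religio", "sexual")


def to_utc(value, now=None):
    """Accept "now", an ISO-8601 string with offset, or a datetime; return tz-aware UTC.

    Art. 33 counts from awareness, so an ambiguous (naive) timestamp is rejected
    rather than guessed: a wrong offset can move the deadline by a working day.
    """
    if value is None or value == "now":
        return now or datetime.now(timezone.utc)
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    if dt.tzinfo is None:
        raise ValueError("detection timestamp needs an explicit UTC offset")
    return dt.astimezone(timezone.utc)


def assess_breach(data_categories_affected, number_of_records, breach_type,
                  detection_timestamp, data_unintelligible=False, now=None):
    """Return the notification decision and the 72-hour deadline as a dict."""
    now = to_utc(now)
    detected = to_utc(detection_timestamp, now)
    deadline = detected + ART33_WINDOW
    remaining = max(timedelta(0), deadline - now)

    special = [c for c in data_categories_affected
               if any(t in c.lower() for t in SPECIAL_TERMS)]
    # Illustrative severity score: special categories weigh most, then scale,
    # then whether the data were actually exposed (confidentiality breach).
    score = 0
    if special:
        score += 2
    if number_of_records >= 10_000:
        score += 1
    if number_of_records >= 100_000:
        score += 1
    if breach_type == "confidentiality":
        score += 1
    severity = ("LOW", "MEDIUM", "HIGH", "CRITICAL")[min(score, 3)]

    # Art. 33(1): notify the SA unless the breach is unlikely to result in a risk.
    notify_sa = severity != "LOW"
    # Art. 34(1): tell data subjects when the risk is high; Art. 34(3)(a) waives it
    # when the data were unintelligible (e.g. encrypted, key not compromised).
    notify_data_subjects = severity in ("HIGH", "CRITICAL") and not data_unintelligible
    return {
        "severity": severity,
        "special_categories": special,
        "deadline_utc": deadline.isoformat(),
        "hours_remaining": round(remaining.total_seconds() / 3600, 1),
        # Art. 33(1), last sentence: a late notification must carry the reasons.
        "late_justification_required": notify_sa and now > deadline,
        "notify_supervisory_authority": notify_sa,
        "notify_data_subjects": notify_data_subjects,
        # Art. 33(5): every breach goes in the register, notified or not.
        "document_internally": True,
    }


if __name__ == "__main__":
    # The diagnostic-model breach from the usage example above.
    print(assess_breach(["health records", "diagnostic data", "patient IDs", "biometric data"],
                        50000, "confidentiality", "now"))
```

Passing now explicitly is what makes the deadline arithmetic testable and auditable; in production leave it at the default and log both the awareness time and the computed deadline in the breach register.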

Installation

Claude Desktop

All three editor configurations below launch the server through npx. The -y flag skips the install prompt, and an unpinned package name resolves to the latest published version at every launch; pin a version (meok-gdpr-compliance-ai-mcp@<version>) when you need reproducible installs.

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "gdpr-compliance-ai": {
      "command": "npx",
      "args": ["-y", "meok-gdpr-compliance-ai-mcp"]
    }
  }
}

Or install via Smithery:

npx smithery mcp add nicholastempleman/gdpr-compliance-ai-mcp

Cursor

Add to .cursor/mcp.json:

{
  "mcpServers": {
    "gdpr-compliance-ai": {
      "command": "npx",
      "args": ["-y", "meok-gdpr-compliance-ai-mcp"]
    }
  }
}

VS Code

Add to .vscode/mcp.json:

{
  "servers": {
    "gdpr-compliance-ai": {
      "command": "npx",
      "args": ["-y", "meok-gdpr-compliance-ai-mcp"]
    }
  }
}

pip

pip install meok-gdpr-compliance-ai-mcp

Related Servers

eu-ai-act-compliance: EU AI Act risk classification and Annex IV documentation
iso-27001-ai: Information security management (93 Annex A controls)
iso-42001-ai: AI management system, Annex A controls and Annex B risk
nis2-compliance: NIS2 entity classification and Article 21 measures
csoai-governance-crosswalk: 12 compliance frameworks mapped through 52 articles

Pricing

  • Free tier: 10 calls/day per tool
  • Pro: £79/mo — unlimited calls + cryptographically signed compliance attestations

License

MIT © MEOK AI Labs

💸 Try MEOK in 30 seconds — instant buy ladder

Smoke test (£1): Signed sample MCP-Hardening report + Article 50 PDF
  https://buy.stripe.com/dRmcN75ScdQS7oh1Uc8k90U
Quick Kit (£9): EU AI Act Article 50 implementation guide (C2PA + EU-Icon)
  https://buy.stripe.com/cNi00la8s1460ZT0Q88k90V
Founder Call (£29): 30-min 1-on-1 with the founder
  https://buy.stripe.com/8x228ta8s6oqbExaqI8k90W

Refundable. UK Stripe — VAT-clean. Builds on the 81-MCP MEOK fleet. Verify any signed report at https://meok.ai/verify.

Download files


Source Distribution

gdpr_compliance_ai_mcp-1.0.9.tar.gz (33.9 kB), uploaded as Source

Built Distribution


gdpr_compliance_ai_mcp-1.0.9-py3-none-any.whl (22.9 kB), uploaded for Python 3

File details

Details for the file gdpr_compliance_ai_mcp-1.0.9.tar.gz.

File metadata

  • Download URL: gdpr_compliance_ai_mcp-1.0.9.tar.gz
  • Size: 33.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.15

File hashes

Hashes for gdpr_compliance_ai_mcp-1.0.9.tar.gz
  • SHA256: ccb995b8ae6a16cf421bbb6d8f942a8fb0b27d298b3087152db0f4a8248726d0
  • MD5: 102bf14e3d94e56d590c514f0f347c8f
  • BLAKE2b-256: d964a5b169c9f5e08aa0fd0c30c645e8148fa396f16e14883cf2c8f2afd0f0f1


File details

Details for the file gdpr_compliance_ai_mcp-1.0.9-py3-none-any.whl.

File hashes

Hashes for gdpr_compliance_ai_mcp-1.0.9-py3-none-any.whl
  • SHA256: d59460c1cb4aad01fc7a5c9e9d281f98de2ee6a7924987549f6dc5d7462f50c5
  • MD5: 2a87dd5b6fd88ca89957673f545a4eb8
  • BLAKE2b-256: cb433e4ef5e4fef80f122743d9676741581f78b8b6a1c6f48bf10f2b0a4a818e

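The metadata above records that this release was uploaded with a long-lived API token (Trusted Publishing: No), so there is no publisher attestation tying the files to a source repository. The digests listed here are therefore the only thing that binds what you install to what this page describes, and SHA256 (not the MD5 also listed, which is not collision-resistant) is what pip checks. The following added example (not the project's or PyPI's code) verifies a downloaded artifact against those SHA256 values in a streaming, constant-time way and emits a hash-pinned requirements entry; the digests are copied from this page, everything else is illustrative.

```python
"""Added example, not the project's or PyPI's code: verify a downloaded
artifact against the SHA256 digests listed on this page, and emit a
hash-pinned requirements line so pip refuses anything else."""
import hashlib
import hmac
import os
import tempfile

# Copied from the "File hashes" sections above for version 1.0.9.
EXPECTED_SHA256 = {
    "gdpr_compliance_ai_mcp-1.0.9.tar.gz":
        "ccb995b8ae6a16cf421bbb6d8f942a8fb0b27d298b3087152db0f4a8248726d0",
    "gdpr_compliance_ai_mcp-1.0.9-py3-none-any.whl":
        "d59460c1cb4aad01fc7a5c9e9d281f98de2ee6a7924987549f6dc5d7462f50c5",
}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large wheel never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, expected_hex):
    """Constant-time comparison of the computed digest with the published one."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def hash_pinned_requirement(name, version, digests):
    """One requirements.txt entry listing every acceptable digest (sdist and wheel),
    for use with pip install --require-hashes."""
    lines = ["%s==%s" % (name, version)]
    for digest in digests:
        lines.append("    --hash=sha256:%s" % digest)
    return " \\\n".join(lines)


def check_constructed(data, expected_hex):
    """Write constructed bytes to a temp file and verify them (test helper)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "artifact.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        return verify_artifact(path, expected_hex)


def demo():
    # Constructed stand-in: NOT the real sdist, so verification must fail.
    name = "gdpr_compliance_ai_mcp-1.0.9.tar.gz"
    return check_constructed(b"not the real archive\n", EXPECTED_SHA256[name])


if __name__ == "__main__":
    print("constructed archive accepted?", demo())
    print(hash_pinned_requirement("meok-gdpr-compliance-ai-mcp", "1.0.9",
                                  EXPECTED_SHA256.values()))
```

To use it for real: pip download meok-gdpr-compliance-ai-mcp==1.0.9 --no-deps, run verify_artifact on the file you got with the digest from this page, and put the hash_pinned_requirement output in requirements.txt so that pip install --require-hashes -r requirements.txt fails closed on any other build of 1.0.9.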
