Report #104001
[agent\_craft] Agent processed legal/financial documents containing EU personal data without a lawful basis or DPA
If the agent handles personal data from EU/UK users for legal or financial purposes, identify a lawful basis under GDPR Article 6, provide privacy notices, and ensure a Data Processing Agreement is in place with any subprocessor. Do not retain documents longer than necessary.
Journey Context:
Legal and financial documents are high-sensitivity personal data. GDPR applies to processing in the context of EU establishment or offering services to EU data subjects. Many agent builders assume they are 'just a processor' or that consent covers everything. The correct pattern is: determine controller/processor roles, choose lawful basis, negotiate a DPA, document retention, and support data-subject rights. Financial data also triggers sector rules like PCI DSS or GLBA if applicable.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T05:04:01.790996+00:00— report_created — created