Reorganize brain: projects/ top level, rename filenames, update homepage
- Moved everything from ideas/passepartout/ to projects/passepartout/
- Moved legal structures to projects/flags/
- Created missing _index.org files for all subdirectories
- Stripped redundant passepartout- prefix from filenames
- Rewrote root _index.org as generalized brain index (projects + concepts)
- Updated Hugo nav to Projects/Concepts
- Updated build script section descriptions
- Deleted stale ideas/passepartout-economics.md orphan
55
projects/passepartout/strategy/compliance/gdpr.org
Normal file
@@ -0,0 +1,55 @@
|
||||
:PROPERTIES:
|
||||
:ID: 513d5996-4ac7-4567-a992-18fc01599104
|
||||
:ID: auto-gdpr
|
||||
:CREATED: [2026-05-23 Sat]
|
||||
:END:
|
||||
#+title: GDPR (General Data Protection Regulation)
|
||||
#+filetags: :passepartout:compliance:framework:gdpr:
|
||||
|
||||
* GDPR (General Data Protection Regulation)
|
||||
|
||||
** What it is
|
||||
|
||||
EU regulation (effective May 2018) governing the processing of personal data of
|
||||
natural persons in the EU. Extraterritorial — applies to any organization
|
||||
processing EU personal data regardless of where the organization is based.
|
||||
|
||||
Key requirements:
|
||||
- Lawful basis for processing (consent, contract, legal obligation, vital
|
||||
interests, public task, legitimate interests)
|
||||
- Data minimization — collect only what is necessary
|
||||
- Purpose limitation — do not reuse data for incompatible purposes
|
||||
- Storage limitation — delete when no longer needed
|
||||
- Right of access, rectification, erasure (right to be forgotten),
|
||||
data portability, restriction, objection
|
||||
- Data Protection Impact Assessment (DPIA) for high-risk processing
|
||||
- Breach notification within 72 hours to supervisory authority
|
||||
- Data Protection Officer (DPO) appointment for certain controllers/processors
|
||||
- Data Processing Agreements (DPAs) between controllers and processors
|
||||
|
||||
** Who must comply
|
||||
|
||||
Any organization that processes personal data of EU residents. Includes
|
||||
controllers (determine purposes and means) and processors (process on behalf
|
||||
of controller). Non-EU organizations with EU data subjects are in scope.
|
||||
|
||||
** Penalties
|
||||
|
||||
Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered
|
||||
system. Supervisory authorities in each member state enforce. Private right
|
||||
of action for damages.
|
||||
|
||||
** Why it matters for Passepartout
|
||||
|
||||
GDPR is the most extraterritorial and aggressively enforced privacy framework.
|
||||
The gate stack's principle of least privilege maps naturally to GDPR's data
|
||||
minimization requirement. Every data access is gated by a verified rule that
|
||||
states the purpose — the proof log is a built-in DPIA artifact. For the
|
||||
[[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]]: a provider processing proofs on EU users' gate data must
|
||||
maintain DPAs with all clients. Proof logs themselves may constitute personal
|
||||
data if they reference natural persons (names in access rules, etc.), creating
|
||||
a demand for privacy-preserving proof techniques. This is why the
|
||||
[[id:c34940cc-090e-57c4-8020-e78b1d32b96c][GDPR gate package]] includes data-processing agreement templates and
|
||||
purpose-boundary gate rules that are independently verified by the provider's
|
||||
[[id:45258a2d-1675-562c-9024-5d1eb2f1ea56][evaluation harness]].
|
||||
|
||||
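Review bot: The :PROPERTIES: drawer at the top of the new file carries two :ID: entries (the UUID and "auto-gdpr"), which leaves it ambiguous which one id: links to this note should resolve to; keep a single :ID: and, if "auto-gdpr" is meant as a readable handle, move it to a differently named property. Under "Why it matters for Passepartout" the text calls the proof log "a built-in DPIA artifact" and a few lines later says proof logs "may constitute personal data", but it never says how the storage-limitation and erasure requirements listed under "Key requirements" apply to the proof log itself; add a sentence on retention and on whether entries naming natural persons can be redacted or pseudonymized, since the log is subject to the same rules it is meant to evidence. The scope wording is also inconsistent: "What it is" says "natural persons in the EU" while "Who must comply" says "EU residents"; pick one, and qualify "applies to any organization processing EU personal data regardless of where the organization is based", because for organizations outside the EU the regulation's reach depends on offering goods or services to, or monitoring the behaviour of, people in the EU.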