:PROPERTIES: :ID: 513d5996-4ac7-4567-a992-18fc01599104 :ID: auto-gdpr :CREATED: [2026-05-23 Sat] :END: #+title: GDPR (General Data Protection Regulation) #+filetags: :passepartout:compliance:framework:gdpr: * GDPR (General Data Protection Regulation) ** What it is EU regulation (effective May 2018) governing the processing of personal data of natural persons in the EU. Extraterritorial — applies to any organization processing EU personal data regardless of where the organization is based. Key requirements: - Lawful basis for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests) - Data minimization — collect only what is necessary - Purpose limitation — do not reuse data for incompatible purposes - Storage limitation — delete when no longer needed - Right of access, rectification, erasure (right to be forgotten), data portability, restriction, objection - Data Protection Impact Assessment (DPIA) for high-risk processing - Breach notification within 72 hours to supervisory authority - Data Protection Officer (DPO) appointment for certain controllers/processors - Data Processing Agreements (DPAs) between controllers and processors ** Who must comply Any organization that processes personal data of EU residents. Includes controllers (determine purposes and means) and processors (process on behalf of controller). Non-EU organizations with EU data subjects are in scope. ** Penalties Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered system. Supervisory authorities in each member state enforce. Private right of action for damages. ** Why it matters for Passepartout GDPR is the most extraterritorial and aggressively enforced privacy framework. The gate stack's principle of least privilege maps naturally to GDPR's data minimization requirement. Every data access is gated by a verified rule that states the purpose — the proof log is a built-in DPIA artifact. For the [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]]: a provider processing proofs on EU users' gate data must maintain DPAs with all clients. Proof logs themselves may constitute personal data if they reference natural persons (names in access rules, etc.), creating a demand for privacy-preserving proof techniques. This is why the [[id:c34940cc-090e-57c4-8020-e78b1d32b96c][GDPR gate package]] includes data-processing agreement templates and purpose-boundary gate rules that are independently verified by the provider's [[id:45258a2d-1675-562c-9024-5d1eb2f1ea56][evaluation harness]].