0a8e77e949
- Moved everything from ideas/passepartout/ to projects/passepartout/ - Moved legal structures to projects/flags/ - Created missing _index.org files for all subdirectories - Stripped redundant passepartout- prefix from filenames - Rewrote root _index.org as generalized brain index (projects + concepts) - Updated Hugo nav to Projects/Concepts - Updated build script section descriptions - Deleted stale ideas/passepartout-economics.md orphan
2.5 KiB
GDPR (General Data Protection Regulation)
GDPR (General Data Protection Regulation)
What it is
EU regulation (effective May 2018) governing the processing of personal data of natural persons in the EU. Extraterritorial — applies to any organization processing EU personal data regardless of where the organization is based.
Key requirements:
- Lawful basis for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests)
- Data minimization — collect only what is necessary
- Purpose limitation — do not reuse data for incompatible purposes
- Storage limitation — delete when no longer needed
- Right of access, rectification, erasure (right to be forgotten), data portability, restriction, objection
- Data Protection Impact Assessment (DPIA) for high-risk processing
- Breach notification within 72 hours to supervisory authority
- Data Protection Officer (DPO) appointment for certain controllers/processors
- Data Processing Agreements (DPAs) between controllers and processors
Who must comply
Any organization that processes personal data of EU residents. Includes controllers (determine purposes and means) and processors (process on behalf of controller). Non-EU organizations with EU data subjects are in scope.
Penalties
Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered system. Supervisory authorities in each member state enforce. Private right of action for damages.
Why it matters for Passepartout
GDPR is the most extraterritorial and aggressively enforced privacy framework. The gate stack's principle of least privilege maps naturally to GDPR's data minimization requirement. Every data access is gated by a verified rule that states the purpose — the proof log is a built-in DPIA artifact. For the compute marketplace: a provider processing proofs on EU users' gate data must maintain DPAs with all clients. Proof logs themselves may constitute personal data if they reference natural persons (names in access rules, etc.), creating a demand for privacy-preserving proof techniques. This is why the GDPR gate package includes data-processing agreement templates and purpose-boundary gate rules that are independently verified by the provider's evaluation harness.