amr/hermes-brain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
348f2736a8283dd2fbd0268f729715fa6aa456e0
hermes-brain/projects/passepartout/strategy/compliance/gdpr.org
Hermes 0a8e77e949 Reorganize brain: projects/ top level, rename filenames, update homepage 
- Moved everything from ideas/passepartout/ to projects/passepartout/
- Moved legal structures to projects/flags/
- Created missing _index.org files for all subdirectories
- Stripped redundant passepartout- prefix from filenames
- Rewrote root _index.org as generalized brain index (projects + concepts)
- Updated Hugo nav to Projects/Concepts
- Updated build script section descriptions
- Deleted stale ideas/passepartout-economics.md orphan
2026-05-24 18:54:14 +00:00

56 lines
2.5 KiB
Org Mode
Raw Blame History

:PROPERTIES:
:ID: 513d5996-4ac7-4567-a992-18fc01599104
:ID: auto-gdpr
:CREATED: [2026-05-23 Sat]
:END:
#+title: GDPR (General Data Protection Regulation)
#+filetags: :passepartout:compliance:framework:gdpr:
* GDPR (General Data Protection Regulation)
** What it is
EU regulation (effective May 2018) governing the processing of personal data of
natural persons in the EU. Extraterritorial — applies to any organization
processing EU personal data regardless of where the organization is based.
Key requirements:
- Lawful basis for processing (consent, contract, legal obligation, vital
interests, public task, legitimate interests)
- Data minimization — collect only what is necessary
- Purpose limitation — do not reuse data for incompatible purposes
- Storage limitation — delete when no longer needed
- Right of access, rectification, erasure (right to be forgotten),
data portability, restriction, objection
- Data Protection Impact Assessment (DPIA) for high-risk processing
- Breach notification within 72 hours to supervisory authority
- Data Protection Officer (DPO) appointment for certain controllers/processors
- Data Processing Agreements (DPAs) between controllers and processors
** Who must comply
Any organization that processes personal data of EU residents. Includes
controllers (determine purposes and means) and processors (process on behalf
of controller). Non-EU organizations with EU data subjects are in scope.
** Penalties
Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered
system. Supervisory authorities in each member state enforce. Private right
of action for damages.
** Why it matters for Passepartout
GDPR is the most extraterritorial and aggressively enforced privacy framework.
The gate stack's principle of least privilege maps naturally to GDPR's data
minimization requirement. Every data access is gated by a verified rule that
states the purpose — the proof log is a built-in DPIA artifact. For the
[[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]]: a provider processing proofs on EU users' gate data must
maintain DPAs with all clients. Proof logs themselves may constitute personal
data if they reference natural persons (names in access rules, etc.), creating
a demand for privacy-preserving proof techniques. This is why the
[[id:c34940cc-090e-57c4-8020-e78b1d32b96c][GDPR gate package]] includes data-processing agreement templates and
purpose-boundary gate rules that are independently verified by the provider's
[[id:45258a2d-1675-562c-9024-5d1eb2f1ea56][evaluation harness]].
Reference in New Issue View Git Blame Copy Permalink