:PROPERTIES:
:ID: auto-gdpr
:CREATED: [2026-05-23 Sat]
:END:
#+title: GDPR (General Data Protection Regulation)
#+filetags: :passepartout:compliance:framework:gdpr:

* GDPR (General Data Protection Regulation)

** What it is

EU regulation (effective May 2018) governing the processing of personal data of
natural persons in the EU. Extraterritorial — applies to any organization
processing EU personal data regardless of where the organization is based.

Key requirements:
- Lawful basis for processing (consent, contract, legal obligation, vital
  interests, public task, legitimate interests)
- Data minimization — collect only what is necessary
- Purpose limitation — do not reuse data for incompatible purposes
- Storage limitation — delete when no longer needed
- Right of access, rectification, erasure (right to be forgotten),
  data portability, restriction, objection
- Data Protection Impact Assessment (DPIA) for high-risk processing
- Breach notification within 72 hours to supervisory authority
- Data Protection Officer (DPO) appointment for certain controllers/processors
- Data Processing Agreements (DPAs) between controllers and processors

** Who must comply

Any organization that processes personal data of EU residents. Includes
controllers (determine purposes and means) and processors (process on behalf
of controller). Non-EU organizations with EU data subjects are in scope.

** Penalties

Up to 20M EUR or 4% of annual global turnover, whichever is higher. Tiered
system. Supervisory authorities in each member state enforce. Private right
of action for damages.

** Why it matters for the triad

GDPR is the most extraterritorial and aggressively enforced privacy framework.
The gate stack's principle of least privilege maps naturally to GDPR's data
minimization requirement. Every data access is gated by a verified rule that
states the purpose — the proof log is a built-in DPIA artifact. For the
[[file:compute-marketplace.org][compute marketplace]]: a provider processing proofs on EU users' gate data must
maintain DPAs with all clients. Proof logs themselves may constitute personal
data if they reference natural persons (names in access rules, etc.), creating
a demand for privacy-preserving proof techniques. This is why the
[[file:domain-gate-packages.org][GDPR gate package]] includes data-processing agreement templates and
purpose-boundary gate rules that are independently verified by the provider's
[[file:evaluation-harness.org][evaluation harness]].