EU General Data Protection Regulation (GDPR)
GDPR (Regulation (EU) 2016/679, effective 2018-05-25) governs the processing of personal data of persons in the EU. Ledgix evidences integrity, accountability, DSR fulfilment (Arts. 15–22), Records of Processing Activities (Art. 30), security (Art. 32), and DPIA obligations (Art. 35) via signed DSR records, processing registers, impact assessments, and the cryptographic ledger.
Status: Full — every control resolves to an artifact Ledgix produces today following the Phase 4 DPIA and Phase 5 DSR/ROPA shipping.
Scope
GDPR applies to controllers and processors of personal data of EU residents, regardless of where the controller or processor is established. Coverage spans the Art. 5 principles (integrity, accountability), the Art. 15–22 data-subject rights (access, rectification, erasure, restriction, portability, objection, automated decision-making), the Art. 25 data-protection-by-design obligation, the Art. 30 records of processing activities, the Art. 32 security obligations, and the Art. 35 DPIA.
Controls covered
| Field | Type | Required | Description |
|---|---|---|---|
| GDPR-Art-5(1)(f) | events_jsonl / checkpoint_chain / key_history | Integrity and confidentiality | Every processing decision cryptographically signed; Merkle checkpoints prove the ledger is untampered. |
| GDPR-Art-5(2) | framework_mapping / signatures | Accountability | Evidence export itself is the demonstrable record of compliance. |
| GDPR-Art-25 | policy_snapshots / events_jsonl | Data protection by design and by default | Versioned policies reflect privacy-by-design posture; decisions bound to the policy version at evaluation. |
| GDPR-Art-30 | processing_registers | Records of processing activities | Signed Art. 30 Records of Processing Activities with controller, purposes, subject categories, data categories, recipients, retention, safeguards. |
| GDPR-Art-32 | signatures / key_history / checkpoint_chain | Security of processing | Ed25519-signed manifest, key-rotation history, and checkpoint chain. |
| GDPR-Art-35(1) | impact_assessments | Data protection impact assessment required for high-risk processing | Signed DPIA (ia_type=dpia_gdpr) per high-risk processing activity. |
| GDPR-Art-35(7)(a) | impact_assessments | DPIA contents — description of processing | assessment_json.processing_description and purpose fields. |
| GDPR-Art-35(7)(b) | impact_assessments | DPIA contents — necessity and proportionality | assessment_json.necessity_assessment field. |
| GDPR-Art-35(7)(c) | impact_assessments | DPIA contents — risks to data subjects | risk_categories and data_categories fields. |
| GDPR-Art-35(7)(d) | impact_assessments | DPIA contents — measures to address the risks | mitigation_steps and residual_risk fields. |
| GDPR-Art-35(11) | impact_assessments | Periodic DPIA review | next_review_at and approved_at evidence periodic review cycle. |
| GDPR-Art-12 | dsr_records | Transparent intake and response to data-subject requests | Signed DSR intake records under GDPR with 30-day deadline tracking. |
| GDPR-Art-15 | dsr_records / events_jsonl | Right of access by the data subject | Access-request records plus subject_id-indexed ledger query. |
| GDPR-Art-16 | dsr_records | Right to rectification | Signed rectification-request records. |
| GDPR-Art-17 | dsr_records | Right to erasure ('right to be forgotten') | Signed erasure records with redaction_mapping for immutable-ledger compatibility. |
| GDPR-Art-18 | dsr_records | Right to restriction of processing | Signed restriction-request records. |
| GDPR-Art-20 | dsr_records | Right to data portability | Signed portability records with response_uri pointing to JSON export. |
| GDPR-Art-21 | dsr_records | Right to object | Signed objection-request records. |
Evidence types referenced
- events_jsonl — per-decision processing record, subject_id-indexed for DSR responses.
- checkpoint_chain — Merkle checkpoints proving ledger integrity.
- key_history — Ed25519 signing-key history supporting Art. 32(1)(d) testing.
- signatures — manifest signature for controller accountability.
- policy_snapshots — privacy-by-design policy text, versioned.
- processing_registers — Art. 30 Records of Processing Activities.
- impact_assessments — signed DPIAs for high-risk processing.
- dsr_records — signed data-subject-request records for Arts. 15–22.
- framework_mapping — accountability mapping demonstrating coverage.
Known gaps (if any)
None — every control resolves to an artifact Ledgix produces today. Tenants must populate subject_id on events for DSR subject-indexing; the DSR regime automatically applies a 30-day deadline for GDPR-regime records.
Audit pack workflow
Export an evidence ZIP for this framework from the admin console's Evidence Exports panel by selecting EU General Data Protection Regulation (GDPR) and a time window. Each control's evidence_locators[] in the included framework_mapping.json points to the corresponding file in the ZIP.
References
- Framework mapping JSON:
vault/internal/compliance/frameworks/gdpr.json - Canonical source: Regulation (EU) 2016/679 (General Data Protection Regulation) — EUR-Lex