FRAMEWORK

GDPR

General Data Protection Regulation — rights of data subjects, lawful basis, minimisation, erasure, portability.

100%

Version : Regulation (EU) 2016/679

Autorité : European Parliament & Council (EU)

Dernier audit : 2026-04-15

Principes (7)

Every processing operation rests on a documented lawful basis (Art. 6).

—

✓ 0 pass✗ 0 fail? 500 unknown

test : memory.processing_basis_documented_ratio == 1.0

Only data strictly necessary for the declared purpose is retained (Art. 5.1.c).

—

✓ 0 pass✗ 0 fail? 500 unknown

test : kidneys.pruning.weekly_purged_ratio >= 0.02

Data subjects can obtain a full export of their data within 30 days (Art. 15).

—

✓ 0 pass✗ 0 fail? 500 unknown

test : dsr.access_requests.p95_days <= 30

Data subjects can request deletion with cryptographic proof of erasure (Art. 17).

—

✓ 0 pass✗ 0 fail? 500 unknown

test : dsr.erasure.completion_ratio == 1.0

Data is exportable in a structured, commonly used, machine-readable format (Art. 20).

—

✓ 0 pass✗ 0 fail? 500 unknown

test : export.format ∈ {json, csv, jsonl}

Data breaches are notified to the supervisory authority within 72h (Art. 33).

—

✓ 0 pass✗ 0 fail? 500 unknown

test : breaches.notified_within_72h_ratio == 1.0

Data is kept only as long as necessary. Default: 24 months for conversational data, 12 months for metadata.

—

✓ 0 pass✗ 0 fail? 500 unknown

test : memory.age_p99_months <= 24