Definition
The General Data Protection Regulation (GDPR) is the European Union’s data protection framework, adopted on April 14, 2016, and enforced from May 25, 2018. It replaced the 1995 Data Protection Directive and established a unified legal standard across all EU member states for the processing of personal data. GDPR applies to any organization—regardless of geographic location—that processes the personal data of individuals within the European Economic Area.
The regulation is built on seven principles: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. It grants data subjects enforceable rights including access, rectification, erasure, portability, and the right to object to processing. Non-compliance carries penalties of up to 4% of annual worldwide turnover or EUR 20 million, whichever is greater.
Why It Matters
Between 2018 and 2025, EU data protection authorities imposed over EUR 4.5 billion in GDPR fines. The regulation’s extraterritorial reach—applying to any entity processing EU residents’ data, regardless of the entity’s location—has made it the de facto global standard. Over 160 countries have modeled national data protection laws on GDPR principles, including Brazil’s LGPD, South Africa’s POPIA, and elements of California’s CCPA.
GDPR fundamentally altered the economics of data collection. Article 5(1)(c) codifies data minimization—organizations may collect only the personal data strictly necessary for a stated purpose. Article 25 mandates privacy by design and by default. Article 17 establishes the right to erasure. These provisions collectively shift the burden of proof: organizations must demonstrate they have a lawful basis for every data processing operation, and must be capable of deleting that data completely upon request.
For AI applications, GDPR creates specific challenges. Article 22 restricts automated decision-making, including profiling, that produces legal or similarly significant effects. The European Data Protection Board’s 2024 guidance on generative AI clarified that organizations using LLMs must ensure training data was lawfully obtained and that user prompts are processed with an appropriate legal basis.
How It Works
GDPR operates through a framework of rights, obligations, and enforcement:
Legal basis for processing: Every processing activity requires one of six legal bases: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. “We want the data” is not a legal basis.
Data subject rights: Individuals can request access to their data (Article 15), correction of inaccurate data (Article 16), deletion of data (Article 17), restriction of processing (Article 18), data portability (Article 20), and objection to processing (Article 21). Organizations must respond within one month.
Data processor obligations: Organizations that process data on behalf of others must do so only under documented instructions, implement appropriate security measures, and notify the controller of any data breach without undue delay.
Cross-border transfer restrictions: Personal data may only be transferred outside the EEA to countries with an adequate level of protection, or under appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).
Enforcement: National supervisory authorities (DPAs) investigate complaints, conduct audits, and impose fines. The European Data Protection Board coordinates cross-border enforcement.
Stealth Cloud Relevance
Stealth Cloud approaches GDPR not as a compliance exercise but as an architectural premise. Every GDPR obligation maps to a technical guarantee in the Stealth Cloud stack:
Article 5(1)(c) requires data minimization. Ghost Chat’s PII stripping engine enforces it at the protocol level—personal data is removed before processing, not after. Article 17 demands the right to erasure. Cryptographic shredding delivers it automatically at session end—no deletion request required, no data to locate, no compliance gap. Article 25 mandates privacy by design. Stealth Cloud is privacy by design—the zero-persistence architecture makes violation architecturally impossible.
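Cryptographic shredding, the mechanism the paragraph above says delivers Article 17 erasure at session end, is straightforward to illustrate. The Go program below is an added example, not Stealth Cloud's or Ghost Chat's code, and it assumes nothing about their stack beyond the idea itself: each session gets an ephemeral AES-256-GCM key, records are sealed under it, and at session end the key is overwritten in memory. Copies of the ciphertext may linger in logs, caches or backups, but without the key they cannot be opened, so erasure is achieved by destroying one key rather than by locating every copy of the data. The `Session` type and the sample record are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Session is a constructed example type: it holds one ephemeral data
// encryption key (DEK) and the ciphertext of what the session processed.
// Destroying the DEK is what makes the ciphertext permanently unreadable.
type Session struct {
	key        []byte // 256-bit AES key, kept only in memory
	ciphertext []byte // nonce || AES-GCM sealed record
}

// NewSession draws a fresh random key for this session only.
func NewSession() (*Session, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Session{key: key}, nil
}

// aead builds an AES-GCM instance over whatever the session key currently is.
func (s *Session) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts a record under the session key with a random nonce.
func (s *Session) Store(plaintext []byte) error {
	aead, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.ciphertext = aead.Seal(nonce, nonce, plaintext, nil)
	return nil
}

// Recall decrypts the stored record with the current key. It deliberately
// does not check a "shredded" flag: after Shred the key bytes are zero, so
// GCM authentication fails and the record is genuinely unrecoverable.
func (s *Session) Recall() ([]byte, error) {
	aead, err := s.aead()
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(s.ciphertext) < n {
		return nil, errors.New("no record stored")
	}
	return aead.Open(nil, s.ciphertext[:n], s.ciphertext[n:], nil)
}

// Shred overwrites the key in place. This is the erasure step: no copy of
// the ciphertext needs to be found or deleted for the data to be gone.
func (s *Session) Shred() {
	for i := range s.key {
		s.key[i] = 0
	}
}

// Ciphertext returns the sealed blob, to show it still exists after Shred.
func (s *Session) Ciphertext() []byte { return s.ciphertext }

func main() {
	s, err := NewSession()
	if err != nil {
		panic(err)
	}
	// Constructed sample record containing personal data.
	if err := s.Store([]byte("alice@example.com: please close my account")); err != nil {
		panic(err)
	}
	before, _ := s.Recall()
	fmt.Printf("before shred: %q\n", before)
	s.Shred()
	_, err = s.Recall()
	fmt.Printf("after shred: %d ciphertext bytes remain, decrypt error: %v\n", len(s.Ciphertext()), err)
}
```

Two design points matter for a real deployment: the key must never be written to disk, swap or a crash dump (a hardware-backed or mlocked key store is the usual answer), and the strength of the guarantee is exactly the strength of the key destruction, so the zeroing step and its timing at session end are what an auditor should check.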
Domiciled under Swiss law in Zug, Stealth Cloud benefits from Switzerland’s adequacy determination under GDPR, while also complying with the FADP, which imposes comparable data protection standards. The three paradigms framework illustrates the difference: public cloud complies with GDPR through contracts and policies; Stealth Cloud complies through mathematics and architecture.
The Stealth Cloud Perspective
GDPR asks organizations to prove they handle data responsibly. Stealth Cloud answers with architecture that makes irresponsible data handling structurally impossible—zero persistence, zero knowledge, and cryptographic destruction by default.