GDPR Compliance¶

How a2p enables GDPR compliance for AI agents.

Overview¶

a2p is designed with GDPR principles at its core:

GDPR Principle	a2p Implementation
Lawfulness	Purpose and legal basis required
Purpose limitation	Purpose declared in every request
Data minimization	Scope-based access control
Accuracy	User-controlled profiles
Storage limitation	Retention policies
Integrity	Cryptographic signatures
Accountability	Audit logs, consent receipts

Purpose Limitation (Article 5)¶

Every access request must declare purpose:

{
  "purpose": {
    "type": "personalization",
    "description": "To tailor responses to preferences",
    "legalBasis": "consent",
    "retention": "session_only"
  }
}

Users can restrict access by purpose:

{
  "purposeRequirements": {
    "allowedPurposes": ["personalization", "support"],
    "deniedPurposes": ["research", "marketing"]
  }
}

Legal Basis (Article 6)¶

Agents must declare legal basis:

Basis	When to Use
`consent`	User explicitly agreed
`contract`	Necessary for service
`legal_obligation`	Required by law
`legitimate_interests`	Business need (balanced)

{
  "legalBasis": "consent",
  "consentDetails": {
    "method": "explicit_click",
    "timestamp": "2025-12-25T10:00:00Z",
    "withdrawable": true
  }
}

Data Subject Rights¶

Right of Access (Article 15)¶

// User exports all their data
const data = await userClient.exportProfile();

Right to Rectification (Article 16)¶

// User corrects data
await userClient.updateMemory('mem_001', {
  content: 'Corrected information'
});

Right to Erasure (Article 17)¶

// User deletes data
await userClient.deleteMemory('mem_001');

// Delete all data from agent
await userClient.deleteMemoriesFrom('did:a2p:agent:local:xxx');

Right to Portability (Article 20)¶

// Export in machine-readable format
const portable = await userClient.exportProfile({
  format: 'json',
  include: ['memories', 'preferences']
});

Every access generates a receipt:

{
  "receiptId": "rcpt_xxx",
  "userDid": "did:a2p:user:local:alice",
  "agentDid": "did:a2p:agent:local:assistant",
  "grantedScopes": ["a2p:preferences"],
  "purpose": "personalization",
  "legalBasis": "consent",
  "grantedAt": "2025-12-25T10:00:00Z",
  "proof": { ... }
}

// Revoke consent for agent
await userClient.revokeAccess('did:a2p:agent:local:xxx');

// Immediate effect
// Agent loses access
// Receipt marked revoked

Data Breach Notification (Article 33)¶

Detection¶

{
  "breachDetection": {
    "monitoredEvents": [
      "unauthorized_access",
      "bulk_export",
      "unusual_pattern"
    ]
  }
}

Overview¶

Purpose Limitation (Article 5)¶

Legal Basis (Article 6)¶

Data Subject Rights¶

Right of Access (Article 15)¶

Right to Rectification (Article 16)¶

Right to Erasure (Article 17)¶

Right to Portability (Article 20)¶

Data Breach Notification (Article 33)¶

Detection¶

Notification¶

Implementation Checklist¶

Next Steps¶

GDPR Compliance¶

Overview¶

Purpose Limitation (Article 5)¶

Legal Basis (Article 6)¶

Data Subject Rights¶

Right of Access (Article 15)¶

Right to Rectification (Article 16)¶

Right to Erasure (Article 17)¶

Right to Portability (Article 20)¶

Consent Management¶

Consent Receipts¶

Consent Withdrawal¶

Data Breach Notification (Article 33)¶

Detection¶

Notification¶

Implementation Checklist¶

Next Steps¶