GDPR (Whistleblowing) — Special-Category & Data-Minimisation in Reports
67% covered.
3 requirements · 2 enforced · 0 designed · 0 advisory · 0 deferred.
Source: The General Data Protection Regulation (Regulation (EU) 2016/679) applies to the personal data processed within a whistleblowing report. Article 5(1)(c) requires data minimisation; Article 9 restricts the processing of special-category data (which a report may contain — health, criminal allegations under Art. 10, trade-union membership); access to a reporter's and an accused person's identity must be limited to authorised staff on a need-to-know basis; and Articles 15 and 21 give data subjects rights of access and objection. KYE Protocol™ governs whether an AI-assisted access to the personal / special-category data in a report may PROCEED — on a recorded need-to-know authority, with data-minimisation evidence captured, a signed Evidence Pack, and a contestability record so a data-subject access or objection can be reconstructed. KYE does not perform the lawful-basis assessment for the underlying processing or adjudicate the data-subject claim.
License: EU Regulations are published by the Publications Office of the European Union; KYE registry paraphrases each requirement's intent and cites the official article identifier for mapping purposes only.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Need-to-know access & data-minimisation evidence for special-category report data | 1 | 1 | 0 | 0 | 0 | 100% |
| Data-subject contestability (access / objection) reconstruction | 1 | 1 | 0 | 0 | 0 | 100% |
| Lawful-basis assessment, DPIA & data-subject adjudication | 1 | 0 | 0 | 0 | 0 | 0% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| gdpr-whistleblower.special-category-need-to-know-access | Access to the personal / special-category data in a report proceeds only under a recorded need-to-know authority with data-minimisation evidence | enforced | audit_events: kye.purpose.request.v1, kye.purpose.admissibility.v1, kye.evidence.decision_map.v1; engines: internal, internal; rule_packs: kye:rule-pack:whistleblower-speakup; dictionaries: internal; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| gdpr-whistleblower.data-subject-contestability | Data-subject contestability (access / objection) reconstruction of the AI-assisted handling | enforced | audit_events: kye.evidence.pack.v1, kye.replay.context_seal.v1, kye.replay.proof.v1; engines: internal, internal; rule_packs: kye:rule-pack:whistleblower-speakup; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/21-DELEGATED-AUDITABILITY.md |
| gdpr-whistleblower.lawful-basis-and-dpia | Lawful-basis assessment of the underlying processing, the DPIA, and data-subject adjudication | out-of-scope | (no enforcement cited) |