ACF® × GDPR
Mapping of the 17 ACF® cards to the GDPR articles pivotal for agentic systems — notably Art. 22 (automated individual decisions), Art. 30 (records), Art. 35 (DPIA), Art. 37-39 (DPO).
Warning
GDPR Art. 22 prohibits, in principle, individual decisions made entirely by automated means that produce legal or similarly significant effects. Any agentic architecture that approaches this must demonstrate (a) explicit consent, OR (b) contractual necessity, OR (c) authorisation by Member-State law — and in every case, the right to human intervention is non-negotiable. Card ACF-01 (Decision Map) is designed precisely for this test.
Regulation (EU) 2016/679 — General Data Protection Regulation
GDPR — Regulation (EU) 2016/679. The European data protection regulation. For agentic systems, three articles are pivotal: Art. 22 (automated individual decision-making), Art. 30 (records of processing activities), Art. 35 (DPIA).
ACF® mapping → GDPR
Each row below is an ACF® methodological card and the principal article of the standard it maps to. The mapping is deliberately conservative — when a card covers several articles, only the principal article is cited here. The full multi-standard view is on the matrix.
| Card | Title | GDPR |
|---|---|---|
| ACF-00 | ACF Sovereignty Score | Art. 35 |
| ACF-01 | Decision Map | Art. 22 |
| ACF-02 | Criticality Matrix | Art. 35 |
| ACF-03 | Agentic Constitution | Art. 25 |
| ACF-04 | Agent Card | Art. 30 |
| ACF-05 | Supervision & Governance | Art. 22 + 37-39 |
| ACF-06 | Kill Switch | Art. 22(3) |
| ACF-07 | First Agent Dossier | Art. 30 + 35 |
| ACF-08 | Agentic Decision Register | Art. 30 |
| ACF-09 | Action & Improvement Plan | Art. 24 + 32 |
| ACF-10 | 30-Day Governance Audit | Art. 32 |
| ACF-11 | Agentic Risk Assessment | Art. 35 |
| ACF-12 | Agent Mandate | Art. 28 + 24 |
| ACF-13 | Guided Practical Case | Art. 22 |
| ACF-14 | Teacher Guide | Art. 39 |
| ACF-15 | Governance Simulation | Art. 32 |
| ACF-16 | Accountability by Design | Art. 5(2) + 24 + 25 |