SID-ARCH-02 — Operator-Scope Compliance Obligations
| Property | Value |
|---|---|
| Owner | operator |
| Category | technical |
| CSF Function | govern |
| Group | Architecture Decision Controls |
Description
Identifies compliance obligations that fall to the wallet operator rather than to the platform. The platform supplies technical controls and supporting documentation, but certain regulatory, HR, and organizational requirements can only be met by each operator within its own legal and organizational context, and an auditor will expect operator-owned evidence for them. These include: data protection impact assessments (DPIAs), appointment of a Data Protection Officer (DPO), handling of GDPR data subject rights (access, rectification, restriction of processing, portability, and decisions based on automated processing), HR disciplinary processes, return of assets on termination, information labelling, remote working policies, and external certification of PID providers.
Framework Requirements
EUDI Security Requirements: WIN-8.4.3-Sec-01, CS-I.5-PID
ISO 27001 Annex A: A.5.11, A.5.13, A.6.4, A.6.5, A.6.7
GDPR Checklist: know when to conduct a data protection impact assessment; obligations that apply if the organization is outside the EU; appoint a Data Protection Officer; data subjects can request and receive all the information held about them (access); data subjects can have inaccurate data corrected or updated (rectification); data subjects can ask you to stop processing their data (restriction); data subjects can receive a copy of their personal data (portability); safeguards for decisions based on automated processes