Whitepaper Concept draft · v1.1

Personal Data Control
in the EU AI Era

MyData Passport is a user-centric personal data rights intermediary. It turns abstract EU data rights into practical, one-click actions – aligned with GDPR, the Data Act, the AI Act, eIDAS 2.0 and the Data Governance Act.

Reading time: ~18 minutes · Audience: citizens · DPOs · architects · policymakers
This page is the full web edition of the concept whitepaper. The PDF is suitable for sharing in boards, architecture councils or policy discussions.

Section 1: The societal problem: information asymmetry & AI risks

Modern digital life leaves behind an enormous trail of personal data. Every online purchase, social interaction, location ping, search query and interaction with public services contributes to distributed data profiles. These profiles are held by hundreds of independent organisations.

In theory, European citizens enjoy extensive rights under GDPR and related legislation. In practice, they face a structural information asymmetry: organisations hold deep insight into individuals, while individuals lack tools to discover who processes what, for which purposes and with what consequences.

The rise of large-scale AI systems amplifies this imbalance. Personal data is routinely used to train models, power profiling and enable automated decision-making. Without transparency and user control, these systems may reinforce bias, entrench power asymmetries or simply make mistakes that go unchallenged.

MyData Passport responds by proposing a personal control panel where people can see which organisations hold their data, understand the role of AI and exercise their rights as one-click actions rather than legal paperwork.

The goal is not to replace existing organisational processes, but to provide a user-side orchestration layer that makes rights usable and auditable across many controllers.

Section 2: Legal framework & regulatory alignment

GDPR – turning rights into flows

The General Data Protection Regulation grants data subjects rights of access, rectification, erasure, restriction, portability and objection. MyData Passport operationalises these rights at scale: users can send standardised, identity-verified requests to many controllers, track statutory deadlines and keep cryptographic evidence.

Data Act – enabling fair access & portability

The EU Data Act focuses on fair access to data and interoperability, especially for IoT and service-generated data. MyData Passport supports Data Act objectives by:

  • making it easier for individuals to request access to and port their data;
  • encouraging the use of interoperable formats for exports;
  • acting as a neutral user-side intermediary rather than a new gatekeeper.

AI Act – transparency & contestability of AI

The forthcoming AI Act introduces a risk-based regime for AI systems. High-risk systems must implement robust data governance, risk management and transparency. MyData Passport helps individuals understand when their data feeds AI models, request information about automated decisions, and exercise relevant rights (including contestation), complementing providers’ compliance obligations.

eIDAS 2.0 & European Digital Identity Wallet

Under eIDAS 2.0, every Member State will provide a European Digital Identity Wallet. MyData Passport integrates with eIDAS-compliant eID and wallets to enable:

  • high-assurance authentication for data subjects;
  • digital signatures on rights requests;
  • verifiable mandates (e.g. guardians, attorneys, DPOs).

Data Governance Act – trusted intermediaries

The DGA creates a framework for trusted data intermediaries and data altruism. MyData Passport fits this landscape as a user-centric intermediary that does not monetise data, but instead provides rights orchestration and evidence services aligned with European data sovereignty goals.

Section 3: Reference architecture: components, roles & trust zones

MyData Passport follows a federated, modular architecture that avoids centralising raw personal data. It orchestrates rights requests between individuals and many independent controllers. The architecture is API-first, privacy-by-design and aligned with modern EU cloud reference models.

Core components

Component map:

  • Identity & Mandates: integrates with eIDAS / EUDI to authenticate users and verify delegations. Issues signed assertions that accompany outgoing requests.
  • Rights Orchestrator: central engine that creates, routes and tracks GDPR / Data Act / AI-related requests to data controllers using APIs, secure email or portals.
  • Footprint Discovery: helps individuals build an inventory of controllers likely holding their data using catalogues, user input and optional signal-based suggestions.
  • Evidence Vault & KMS: encrypted storage for proofs of all requests and responses, backed by a strong key management service so only authorised parties can decrypt.
  • User Applications: web and mobile clients that present an accessible dashboard and guided flows in the same visual style as the MyData Passport site.

Roles & stakeholders

The architecture supports multiple roles:

  • Data subjects (citizens): use the Passport to exercise rights.
  • Controllers/providers: receive structured, authenticated requests.
  • Platform operator: runs the infrastructure under strict governance.
  • Delegates: act on behalf of others with verifiable mandates.
  • Regulators / DPOs: use evidence and logs for oversight.

Trust zones & zero-trust principles

Trust zones:

  • Identity Zone: handles authentication, signatures and mandates. Highly restricted access, hardened interfaces.
  • Processing Zone: runs rights orchestration and minimal data transformation. Follows zero-trust principles for all internal calls.
  • Encrypted Storage Zone: stores evidence and metadata encrypted with user-specific keys; separate from identity and processing layers.

Section 4: Security, privacy & evidence model


Security is central to MyData Passport: it must protect individuals’ privacy while providing credible evidence for regulators and organisations. The design follows defence-in-depth, encryption by default and privacy-by-design.

Cryptography & key management

  • All sensitive data is encrypted at rest and in transit with modern cryptography.
  • User-specific keys protect vault contents; operational keys are separated by purpose.
  • Hardware-backed key storage or equivalent high-assurance KMS is recommended.

Logging & auditability

  • All relevant events are recorded in append-only logs using pseudonymous identifiers.
  • Logs support security monitoring, incident response and regulatory audits.
  • Logs are designed to avoid becoming a new source of excessive personal data.

Evidence vault

For each rights interaction, the platform stores proofs such as request payloads, timestamps, acknowledgements and, where appropriate, hashes or encrypted copies of exports. This enables:

  • users to prove they exercised their rights;
  • controllers to demonstrate they responded correctly and on time;
  • regulators to verify compliance patterns.

Privacy by design & minimisation

The platform minimises the data it processes and retains. It avoids behavioural profiling and allows users to purge exports from their vault entirely. Internally, identity data is separated from transaction logs, reducing correlation risk.

Section 5: Persona-based interaction model

MyData Passport serves different personas with a shared platform. The value proposition is tailored, but the underlying infrastructure, security and legal alignment are the same.

Citizen / Consumer (primary user)

Gains one place to see where data lives, launch access or deletion requests in plain language and track progress. No legal jargon required: the platform guides and explains.

DPO / Lawyer (compliance owner)

Receives authenticated, structured requests via a predictable channel. This reduces manual effort, avoids identity mistakes and supports compliance reporting to supervisory authorities.

Technical Architect / CTO (system integrator)

Gains a reference architecture with clean interfaces, microservice boundaries and security patterns aligned with EU cloud reference architectures and zero-trust principles.

Policymaker / Regulator (ecosystem steward)

Sees a practical lever that makes legal rights usable at scale and generates aggregated indicators about friction and compliance across sectors, informing future guidance and policy.

Section 6: Implementation estimate: skills, effort & hosting

Team composition

  • Back-end and front-end engineers (API-first, secure web UIs).
  • Security specialist / architect (threat modelling, key management, audits).
  • Identity / eIDAS expert (integration with EUDI, signature flows, mandates).
  • UX / product designer (rights flows that non-lawyers can understand).
  • Privacy / legal advisor (GDPR, Data Act, AI Act, DGA alignment).

Effort for an MVP

A realistic estimate for a first production-grade MVP is in the range of 20–30 full-time-equivalent person-months. This covers:

  • core identity & rights orchestration services;
  • integrations with an initial set of controllers;
  • web UI and basic mobile-friendly flows;
  • security hardening and operational tooling.

Hosting & operations

A pilot deployment for a few thousand users can run on a modest, redundant cloud footprint in the low four-figure euro range per month. Costs scale primarily with encrypted vault storage and desired availability/SLA levels.

Additional investments for external security audits, potential certification and continuous legal monitoring are recommended as the Data Act, AI Act and eIDAS 2.0 roll out across Member States.

This whitepaper is intended as a high-level but actionable blueprint for stakeholders interested in building or piloting a MyData Passport–like service in alignment with European digital sovereignty objectives.