Dekimu · anchored receipts docs

AIR — Anchored Impact-Assessment Receipts

Cryptographic proof of a DPIA lifecycle event — threshold trigger, scope lock, DPO advice, completion, review, or prior consultation.

← All families

Purpose

An AIR anchors each stage of a Data Protection Impact Assessment (DPIA): from the initial threshold determination (is a DPIA required?) through scope definition, DPO consultation, completion, periodic review, and where necessary, prior consultation with the supervisory authority.

AIR receipts also support AI Act Art. 9 fundamental-rights impact assessments for high-risk AI systems, which share structural overlap with GDPR DPIAs and are expected to be conducted jointly in many deployments.

Event types

KindLabelDescription
dpia.threshold_triggeredThreshold triggeredProcessing meets DPIA criteria.
dpia.scope_lockedScope lockedAssessment scope finalised.
dpia.dpo_advisedDPO advisedData Protection Officer consulted.
dpia.stakeholders_consultedStakeholders consultedRelevant parties engaged.
dpia.completedCompletedAssessment finished.
dpia.reviewedReviewedPeriodic review conducted.
dpia.prior_consultation_initiatedPrior consultation initiatedArt. 36 consultation started.
dpia.prior_consultation_resolvedPrior consultation resolvedDPA response received.
dpia.processing_authorisedProcessing authorisedCleared to proceed.
dpia.processing_blockedProcessing blockedHigh risk, cannot proceed.
dpia.terminatedTerminatedAssessment cancelled.

Key fields

processing_description — structured description of the processing activities assessed, including purposes, data categories, recipient categories, and retention periods.

necessity_assessment — documented evaluation of whether the processing is necessary and proportionate relative to the purposes pursued.

risk_matrix — structured risk register with identified risks, likelihood, severity, and the technical and organisational measures adopted to mitigate each risk.

Regulatory context

GDPR Art. 35 mandates a DPIA before processing that is likely to result in a high risk to natural persons — particularly systematic profiling, large-scale processing of special categories, or systematic monitoring of publicly accessible areas. Art. 35(7) defines the minimum content of a DPIA. Art. 36 requires prior consultation with the supervisory authority when residual risk remains high after mitigation; the dpia.prior_consultation_initiated and dpia.prior_consultation_resolved events document this path.

Anchored Receipts are cryptographic provenance and privacy-lifecycle protocols; verify.dekimu.com is a reference implementation, not a qualified trust service under Regulation (EU) No 910/2014 (eIDAS) or successor.