Dekimu · anchored receipts docs
AIR — Anchored Impact-Assessment Receipts
Cryptographic proof of a DPIA lifecycle event — threshold trigger, scope lock, DPO advice, completion, review, or prior consultation.
Purpose
An AIR anchors each stage of a Data Protection Impact Assessment (DPIA): from the initial threshold determination (is a DPIA required?) through scope definition, DPO consultation, completion, periodic review and, where necessary, prior consultation with the supervisory authority.
AIR receipts also support AI Act Art. 9 fundamental-rights impact assessments for high-risk AI systems, which share structural overlap with GDPR DPIAs and are expected to be conducted jointly in many deployments.
Event types
| Kind | Label | Description |
|---|---|---|
| dpia.threshold_triggered | Threshold triggered | Processing meets DPIA criteria. |
| dpia.scope_locked | Scope locked | Assessment scope finalised. |
| dpia.dpo_advised | DPO advised | Data Protection Officer consulted. |
| dpia.stakeholders_consulted | Stakeholders consulted | Relevant parties engaged. |
| dpia.completed | Completed | Assessment finished. |
| dpia.reviewed | Reviewed | Periodic review conducted. |
| dpia.prior_consultation_initiated | Prior consultation initiated | Art. 36 consultation started. |
| dpia.prior_consultation_resolved | Prior consultation resolved | DPA response received. |
| dpia.processing_authorised | Processing authorised | Cleared to proceed. |
| dpia.processing_blocked | Processing blocked | High risk, cannot proceed. |
| dpia.terminated | Terminated | Assessment cancelled. |
Key fields
processing_description — structured description of the processing activities assessed, including purposes, data categories, recipient categories, and retention periods.
necessity_assessment — documented evaluation of whether the processing is necessary and proportionate relative to the purposes pursued.
risk_matrix — structured risk register with identified risks, likelihood, severity, and the technical and organisational measures adopted to mitigate each risk.
Regulatory context
GDPR Art. 35 mandates a DPIA before processing that is likely to result in a high risk to natural persons — particularly systematic profiling, large-scale processing of special categories, or systematic monitoring of publicly accessible areas. Art. 35(7) defines the minimum content of a DPIA. Art. 36 requires prior consultation with the supervisory authority when residual risk remains high after mitigation; the dpia.prior_consultation_initiated and dpia.prior_consultation_resolved events document this path.