GDPR Evidence Mapping

How hummbl-governance primitives produce technical evidence for GDPR compliance across 6 articles. Generated via compliance_mapper.generate_gdpr_report(). HUMMBL provides technical evidence artifacts — not legal opinions.

Article Mappings

Article 5 — Principles (lawfulness, fairness, transparency)

INTENT tuples capture stated objectives, purpose, and agent identity. Each governance entry records the purpose and scope of processing, supporting transparency and purpose limitation requirements.

Primitives: INTENT tuples

Tests: test_compliance_mapper.py → test_intent_maps_to_art5

Article 6 — Lawfulness of Processing

CONTRACT tuples prove the legal basis for processing. Each contract entry records the issuer, operations, and binding terms that establish consent, contractual necessity, or legitimate interest.

Primitives: CONTRACT tuples

Tests: test_compliance_mapper.py → test_contract_maps_to_art6

Article 25 — Data Protection by Design and by Default

DCT ops_allowed fields and CapabilityFence enforce minimum-necessary access. Every delegation token restricts operations to the minimum scope required, proving data protection is built-in, not bolted-on.

Primitives: DelegationTokenManager, CapabilityFence

Tests: test_compliance_mapper.py → test_dct_maps_to_art25
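The minimum-necessary rule above can be shown with a small model: a delegation token that carries an ops_allowed set, a fence that checks every operation against it, and a delegate() step that may only narrow the parent's scope. This is an added illustration, not hummbl-governance's own DelegationTokenManager or CapabilityFence; the class names, method names and the sample principals are assumptions.

```python
# Added example (not hummbl-governance code): a minimal model of a delegation
# capability token with an ops_allowed set and a fence that refuses anything
# outside that set. All names below are assumptions, not the library's API.
from __future__ import annotations
from dataclasses import dataclass


class ScopeViolation(Exception):
    """Raised when a delegation would widen the parent's ops_allowed."""


@dataclass(frozen=True)
class DelegationToken:
    """Hypothetical DCT: who granted it, to whom, and the operations it permits."""
    delegator: str
    delegatee: str
    ops_allowed: frozenset[str]
    parent: DelegationToken | None = None

    def delegate(self, delegatee: str, ops_allowed: set[str]) -> DelegationToken:
        """Issue a child token. A child may only narrow scope, never widen it."""
        requested = frozenset(ops_allowed)
        excess = requested - self.ops_allowed
        if excess:
            raise ScopeViolation(
                f"{self.delegatee} cannot grant {sorted(excess)}: not in its own ops_allowed"
            )
        return DelegationToken(self.delegatee, delegatee, requested, parent=self)

    def chain(self) -> list[str]:
        """Delegation chain from the root delegator down to this token's delegatee."""
        names = [self.delegatee]
        node = self
        while node.parent is not None:
            node = node.parent
            names.append(node.delegatee)
        names.append(node.delegator)
        return list(reversed(names))


class CapabilityFence:
    """Checks every requested operation against the presenting token's ops_allowed
    and keeps an access trace (delegatee, op, allowed) as evidence."""

    def __init__(self) -> None:
        self.trace: list[tuple[str, str, bool]] = []

    def check(self, token: DelegationToken, op: str) -> bool:
        allowed = op in token.ops_allowed
        self.trace.append((token.delegatee, op, allowed))
        return allowed


def demo() -> dict:
    # Constructed principals: a controller delegates to a processor, which
    # narrows the grant to the single operation its sub-processor needs.
    root = DelegationToken("controller", "processor-a", frozenset({"read", "export", "delete"}))
    sub = root.delegate("subprocessor-b", {"read"})
    fence = CapabilityFence()
    results = {
        "sub_read": fence.check(sub, "read"),
        "sub_delete": fence.check(sub, "delete"),
        "chain": sub.chain(),
        "trace_len": len(fence.trace),
    }
    try:
        sub.delegate("subprocessor-c", {"read", "delete"})  # attempt to widen scope
        results["widen_blocked"] = False
    except ScopeViolation:
        results["widen_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The fence's trace is the kind of access record an Art. 25 evidence bucket would hold: each entry names the delegatee, the operation and whether it was permitted, and the delegation chain shows that scope only shrank along the way.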

Article 28 — Processor Obligations

DCTX delegation chains prove processor binding. Each delegation context records the delegator and delegatee, establishing a cryptographically verifiable processor relationship.

Primitives: DelegationTokenManager, DCTX tuples

Tests: test_compliance_mapper.py → test_dctx_maps_to_art28

Article 30 — Records of Processing Activities

DCTX, CONTRACT, ATTEST, and EVIDENCE tuples map to RoPA evidence. Each governance event records: who processed what, under whose authority, with what constraints.

Primitives: DCTX tuples, CONTRACT tuples, ATTEST tuples

Tests: test_compliance_mapper.py → test_dctx_maps_to_art30, test_contract_maps_to_art30

Article 32 — Security of Processing

Governance entries signed with HMAC-SHA256 provide cryptographic evidence of processing integrity. Unsigned entries are excluded from Art. 32 evidence.

Primitives: DelegationTokenManager, AuditLog

Tests: test_compliance_mapper.py → test_signed_maps_to_art32
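The following added example ties the article mappings above together: it signs governance entries with HMAC-SHA256, sorts each entry into the article buckets this page lists for its tuple kind (INTENT → 5, CONTRACT → 6 and 30, DCT → 25, DCTX → 28 and 30, ATTEST and EVIDENCE → 30), and admits an entry to the Art. 32 bucket only when its signature verifies, so unsigned and tampered entries drop out. It is not compliance_mapper.generate_gdpr_report() or the AuditLog class; the entry layout, key handling, function names and the sample log are assumptions.

```python
# Added example (not hummbl-governance code): HMAC-SHA256 signed governance
# entries and a mapper that groups them into GDPR article evidence buckets.
# The tuple-to-article table follows this page; everything else is assumed.
import hashlib
import hmac
import json

# Tuple kind -> articles it evidences (taken from the page's mapping).
ARTICLE_MAP = {
    "INTENT": (5,),
    "CONTRACT": (6, 30),
    "DCT": (25,),
    "DCTX": (28, 30),
    "ATTEST": (30,),
    "EVIDENCE": (30,),
}


def canonical(entry: dict) -> bytes:
    """Canonical JSON of every field except the signature, so signing is deterministic."""
    body = {k: v for k, v in entry.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_entry(entry: dict, key: bytes) -> dict:
    """Return a copy of the entry with an HMAC-SHA256 hex signature attached."""
    return {**entry, "sig": hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()}


def verify_entry(entry: dict, key: bytes) -> bool:
    """True only if the entry carries a signature that matches its current body.
    compare_digest keeps the comparison constant-time."""
    sig = entry.get("sig")
    if not isinstance(sig, str):
        return False
    expected = hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def map_to_articles(log: list[dict], key: bytes) -> dict[int, list[str]]:
    """Group entry ids by article. Art. 32 admits only entries whose HMAC verifies."""
    report: dict[int, list[str]] = {}
    for entry in log:
        for art in ARTICLE_MAP.get(entry["kind"], ()):
            report.setdefault(art, []).append(entry["id"])
        if verify_entry(entry, key):
            report.setdefault(32, []).append(entry["id"])
    return {art: ids for art, ids in sorted(report.items())}


KEY = b"constructed-demo-key"  # constructed; a real deployment keeps the key in a KMS/HSM

# Constructed audit log: three valid signed entries, one never signed, one
# whose body was changed after signing.
LOG = [
    sign_entry({"id": "e1", "kind": "INTENT", "agent": "svc-a", "purpose": "billing"}, KEY),
    sign_entry({"id": "e2", "kind": "CONTRACT", "issuer": "controller", "ops": ["read"]}, KEY),
    sign_entry({"id": "e3", "kind": "DCTX", "delegator": "controller", "delegatee": "proc-a"}, KEY),
    {"id": "e4", "kind": "ATTEST", "attester": "proc-a", "claim": "deleted"},
    {**sign_entry({"id": "e5", "kind": "DCT", "ops_allowed": ["read"]}, KEY),
     "ops_allowed": ["read", "delete"]},
]


def demo() -> dict[int, list[str]]:
    return map_to_articles(LOG, KEY)


if __name__ == "__main__":
    for art, ids in demo().items():
        print(f"Art. {art}: {ids}")
```

Note that e4 and e5 still appear under Arts. 30 and 25: the mapper records that a processing event happened, but without a verifiable signature the event is not integrity evidence, so only Art. 32 drops them. Keying the HMAC from a secret held outside the log store is what makes that exclusion meaningful; a key stored beside the entries would let anyone who can edit the log re-sign it.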

Current Gaps (GDPR Articles Not Yet Mapped)

  • Article 7 — Conditions for consent (requires UI/legal workflow, not code-level)
  • Article 35 — Data Protection Impact Assessment (DPIA) (requires organizational risk assessment)
  • Articles 12–23 — Data subject rights (require operational processes beyond library scope)

Boundary Disclaimer

  • HUMMBL is not a Data Protection Authority (DPA) and does not provide legal advice on GDPR compliance.
  • The primitives produce technical evidence (signed logs, identity records, access traces) that can support a GDPR compliance program. They do not constitute a legal determination of compliance.
  • 6 articles (5, 6, 25, 28, 30, 32) are mapped with code-level governance primitives. The remaining technically relevant articles (7, 35) require organizational controls, legal determinations, and process documentation beyond a software library.
  • This mapping covers the v0.8.0 public snapshot. Re-verify after any major version upgrade.
  • No automated RoPA template or DPIA generator is provided at this version. The primitives produce the raw evidence records; assembly into regulatory templates is the operator's responsibility.

Evaluated: hummbl-governance v0.8.0 | Last updated: 2026-05-14 | CLI: python -m hummbl_governance.compliance_mapper --framework gdpr