GDPR Evidence Mapping
How hummbl-governance primitives produce technical evidence for GDPR compliance across 6 articles. Generated via compliance_mapper.generate_gdpr_report(). HUMMBL provides technical evidence artifacts — not legal opinions.
Article Mappings
Article 30 — Records of Processing Activities
DCTX (Delegation Context), CONTRACT, and ATTEST tuples map to RoPA evidence. Each governance event records: who processed what, under whose authority, with what constraints.
DCTX tuples, CONTRACT tuples, ATTEST tuples
test_compliance_mapper.py → test_dctx_maps_to_art30, test_contract_maps_to_art30
Article 5 — Principles (lawfulness, fairness, transparency)
INTENT tuples capture stated objectives, purpose, and agent identity. Each governance entry records the purpose and scope of processing, supporting transparency and purpose limitation requirements.
INTENT tuples
test_compliance_mapper.py → test_intent_maps_to_art5
Article 6 — Lawfulness of Processing
CONTRACT tuples prove the legal basis for processing. Each contract entry records the issuer, operations, and binding terms that establish consent, contractual necessity, or legitimate interest.
CONTRACT tuples
test_compliance_mapper.py → test_contract_maps_to_art6
Article 25 — Data Protection by Design and by Default
DCT ops_allowed fields and CapabilityFence enforce minimum-necessary access. Every delegation token restricts operations to the minimum scope required, proving data protection is built-in, not bolted-on.
DelegationTokenManager, CapabilityFence
test_compliance_mapper.py → test_dct_maps_to_art25
Article 28 — Processor Obligations
DCTX delegation chains prove processor binding. Each delegation context records the delegator and delegatee, establishing a cryptographically verifiable processor relationship.
DelegationTokenManager, DCTX tuples
test_compliance_mapper.py → test_dctx_maps_to_art28
Article 30 — Records of Processing Activities
DCTX, CONTRACT, ATTEST, and EVIDENCE tuples map to RoPA evidence. Each governance event records: who processed what, under whose authority, with what constraints.
DCTX tuples, CONTRACT tuples, ATTEST tuples
test_compliance_mapper.py → test_dctx_maps_to_art30, test_contract_maps_to_art30
Article 32 — Security of Processing
Signed governance entries with HMAC-SHA256 signatures provide cryptographic evidence of processing integrity. Unsigned entries are excluded from Art. 32 evidence.
DelegationTokenManager, AuditLog
test_compliance_mapper.py → test_signed_maps_to_art32
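The Art. 32 rule above (only signed entries count) combined with the tuple-to-article mappings on this page, as an added example; it is not hummbl-governance code and does not use its API. The entry field names (tuple_type, signature), the canonical JSON form, the function names and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Tuple type -> GDPR articles, as listed in the mappings on this page.
ARTICLES_BY_TUPLE = {
    "INTENT": {"5"}, "CONTRACT": {"6", "30"}, "DCTX": {"28", "30"},
    "ATTEST": {"30"}, "EVIDENCE": {"30"},
}

def canonical(entry):
    """Assumed canonical form: compact sorted-key JSON without the signature."""
    body = {k: v for k, v in entry.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(entry, key):
    """HMAC-SHA256 over the canonical bytes, hex encoded."""
    return hmac.new(key, canonical(entry), hashlib.sha256).hexdigest()

def signature_status(entry, key):
    """Return 'unsigned', 'invalid' or 'valid' for one entry."""
    sig = entry.get("signature")
    if not isinstance(sig, str) or not sig:
        return "unsigned"
    # Constant-time comparison avoids leaking how many characters matched.
    ok = hmac.compare_digest(sig.encode(), sign(entry, key).encode())
    return "valid" if ok else "invalid"

def map_articles(entry, key):
    """Articles an entry supports; Art. 32 only with a verified signature."""
    articles = set(ARTICLES_BY_TUPLE.get(entry.get("tuple_type"), ()))
    status = signature_status(entry, key)
    if status == "valid":
        articles.add("32")
    return sorted(articles, key=int), status

# Constructed sample entries and key (not real hummbl-governance records).
KEY = b"constructed-demo-key"
SIGNED = {"tuple_type": "DCTX", "delegator": "agent-a",
          "delegatee": "agent-b", "ops_allowed": ["read"]}
SIGNED["signature"] = sign(SIGNED, KEY)
UNSIGNED = {"tuple_type": "INTENT", "purpose": "invoice reconciliation"}
TAMPERED = dict(SIGNED, ops_allowed=["read", "write"])  # payload changed after signing

if __name__ == "__main__":
    for name, e in (("signed", SIGNED), ("unsigned", UNSIGNED), ("tampered", TAMPERED)):
        print(name, *map_articles(e, KEY))
```

HMAC is a shared-key construction, so a valid signature shows integrity to parties holding the key; anyone with that key can also produce one.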
Current Gaps (GDPR Articles Not Yet Mapped)
- Article 7 — Conditions for consent (requires UI/legal workflow, not code-level)
- Article 35 — Data Protection Impact Assessment (DPIA) (requires organizational risk assessment)
- Articles 12–23 — Data subject rights (require operational processes beyond library scope)
Boundary Disclaimer
- HUMMBL is not a Data Protection Authority (DPA) and does not provide legal advice on GDPR compliance.
- The primitives produce technical evidence (signed logs, identity records, access traces) that can support a GDPR compliance program. They do not constitute a legal determination of compliance.
- 6 articles (5, 6, 25, 28, 30, 32) are mapped with code-level governance primitives. The remaining technically relevant articles (7, 35) require organizational controls, legal determinations, and process documentation beyond a software library.
- This mapping covers the v0.8.0 public snapshot. Re-verify after any major version upgrade.
- No automated RoPA template or DPIA generator is provided at this version. The primitives produce the raw evidence records; assembly into regulatory templates is the operator's responsibility.
Evaluated: hummbl-governance v0.8.0 | Last updated: 2026-05-14 | CLI: python -m hummbl_governance.compliance_mapper --framework gdpr