Privacy pillar · v0.16.0
gdpr-processing-record GdprProcessingRecord
One record of processing activity.
$id · https://corpospec.com/schemas/v0.16.0/gdpr-processing-record.schema.json
Fields
| Field | Type | Required | Description |
|---|---|---|---|
| activity_name | string | yes | Activity short name (e.g. "Payroll processing"). |
| confidentiality | Confidentiality | yes | Cross-cutting confidentiality classification used across privacy, security, knowledge, IR pillars. Default rendering rule: `corpospec-report` excludes `Restricted | BoardOnly | InvestorOnly` records from public output unless an explicit audience parameter overrides. See BDR 0076 §1. |
| created_at | IsoDate | yes | ISO 8601 date (YYYY-MM-DD). |
| data_categories | string[] | yes | Categories of personal data (e.g. ["identity", "financial", "health"]). |
| data_subject_categories | string[] | yes | Categories of data subjects (e.g. ["employees", "candidates", "customers"]). |
| entity | PathRef | yes | Path-based cross-reference relative to .corpospec/ root. Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$` |
| id | PathRef | yes | Path-based cross-reference relative to .corpospec/ root. Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$` |
| last_reviewed | IsoDate | yes | ISO 8601 date (YYYY-MM-DD). |
| lawful_basis | LawfulBasis | yes | Lawful basis under Art. 6(1). |
| next_review_due | IsoDate | yes | ISO 8601 date (YYYY-MM-DD). |
| purpose | string | yes | Processing purpose narrative. |
| recipients | Recipient[] | yes | Recipients (Art. 30(1)(d)+(e)). |
| retention_policy | string | yes | Retention period narrative (e.g. "10 years after employment ends per HGB § 257"). |
| role | GdprRole | yes | Role under GDPR. |
| security_measures | SecurityMeasure[] | yes | Security measures (Art. 30(1)(g) + Art. 32). |
| special_category_basis | SpecialCategoryBasis | yes | Special-category basis if Art. 9 data is processed. |
| dpia_ref | PathRef? | — | PathRef into the DPIA if Art. 35 triggered. |
| dpo_contact | PathRef? | — | PathRef into the controller's DPO contact. |
| eu_representative | PathRef? | — | PathRef into the controller's representative (Art. 27) when outside EU. |
Definitions
Shared types referenced within this schema.
Confidentiality
Cross-cutting confidentiality classification used across privacy,
security, knowledge, IR pillars. Default rendering rule: `corpospec-report`
excludes `Restricted | BoardOnly | InvestorOnly` records from public output
unless an explicit audience parameter overrides. See BDR 0076 §1.
GdprRole
Role under GDPR.
IsoCountry
ISO 3166-1 alpha-2 country code.
pattern: ^[A-Z]{2}$
IsoDate
ISO 8601 date (YYYY-MM-DD).
type: string
LawfulBasis
Lawful basis under Art. 6(1).
PathRef
Path-based cross-reference relative to .corpospec/ root.
Pattern: `^[a-z0-9_-]+(/[a-z0-9_.-]+)+$`
pattern: ^[a-z0-9_-]+(/[a-z0-9_.-]+)+$
Recipient
Recipient (internal or third-party).
type: object
SecurityMeasure
Security measure (Art. 32) reference.
type: object
SpecialCategoryBasis
Special-category basis under Art. 9(2).
TransferMechanism
International-transfer instrument (Art. 44–49).
Reference in your YAML
# yaml-language-server: $schema=https://corpospec.com/schemas/v0.16.0/gdpr-processing-record.schema.json