D4.4 Data protection assessment report


This report presents the continuous Data Protection Impact Assessment (DPIA) process in RAYUELA and its findings. 

Section 1 introduces the process, terminology, context and scope of the DPIA, as well as the parties involved in the two main data processing activities that are considered in this report: 

  • The data processing as part of the RAYUELA serious game, including the registration of a player to the game and during the gameplay; 
  • The data processing carried out in WP6 analysing the data obtained from the game with the use of AI to produce models and distil high level findings from the game data. 

Section 2 provides for some details on the methodology used, the theoretical framework, practical execution and iterations of the DPIA. The methodology used is based on the CNIL guidelines and the iterations mainly followed the three phases of the pilots, as well as developments in the game design. 

Section 3 provides the descriptive analysis, containing the context of the processing activities, the categories of data processed and the supporting assets. This section sets the stage for the analysis in section 4 by providing details of the situation to be assessed in the DPIA against the rules and principles of the GDPR. The outcome of this section is that the processing activities of the serious game and the separate activity of the data analysis in WP6 are well-defined and allowing appropriate analysis in section 4. 

Section 4 contains the appreciative analysis, which is real evaluation of the compliance of the data processing activities that are in scope for the DPIA with the principles and rules of the GDPR. It contains the following: 

  • An assessment of compliance of the serious game and the analysis in WP6 with the data protection principles; 
  • An assessment of the implementation of measures for upholding data subject rights; 
  • An assessment of the implementation of the technical and organisational security measures; 
  • An assessment of the risk for illegal access to data, unauthorised modification of data, loss of data and general compliance risks. 

The outcome of the analysis in section 4 is that both activities in scope of the DPIA comply with the requirement of the GDPR and that the level of residual risk present (i.e. the risk to data subject’s rights and interests, after taking into account the mitigating measures) is low and therefore can be accepted. 

Different versions of sections 3 and 4 were drafted as part of the different iterations and updates of the DPIA following the phases of the pilots and updates to the game, but had the same outcome. This report presents the final version containing the latest insights and most recent situation. 

Section 5 presents the conclusion of this report, namely that the RAYUELA consortium considers, and at every stage before the different phases of the pilots considered, to have effectively implemented appropriate safeguards to protect the data, rights and interests of the players of the game.